|Question||Shreedeep Rayamajhi||Microsoft||Dr.N.Sudha Bhuvaneswari||CAMEROON INTERNET GOVERNANCE ORGANISATION||China||ACNU||CTO||Mohit Saraswat||Akinremi Peter Taiwo (ACSIS)||Access Now||Naveen K Lakshman||ISOC Cybersecurity SIG||Luísa Lobato||IGF Mauritius||U.M. Mbanaso||Amali De Silva-Mitchell||Opeyemi Onifade (AfICTA)||MCI||Privacy International||GCSC||Council of Europe – Cybercrime Division||Internet Society - Chennai Chapter||Internet Society||Caribbean IGF||Internet Policy Observatory Pakistan||Association for Progressive Communications||EuroDIG|
|How does good cybersecurity contribute to the growth of and trust in ICTs and Internet Technologies, and their ability to support the Sustainable Development Goals (SDGs)?||Cyber security is the overall confidence of being safe where people know what is right and wrong. People are more responsible to the system.||Good cybersecurity practices – those implemented by vendors developing products with security in mind, those embraced by individual consumers and organizations when using technology, and those established by governments to regulate their online environment - can help manage these threats and ensure that the benefits can be retained by everyone.||"Good cyber is good business". Introduction of sensors and devices into intimate spaces has privacy and security repercussions. Good cybersecurity practices contribute to trust in telemedicine as well.||"The Government of most countries has thus realized the social, economical and political importance of the internet, and is working towards connecting more people through favorable policies. Some policy options can be really effective in creating an enabling environment for the provision and usage of internet services."||"Cyberspace is becoming a new frontier of people's work and life, a new engine for economic growth, a carrier for cultural prosperity, a new platform of social governance, a new bridge for communication and cooperation and a new domain of state sovereignty."||"The Cuban civil society organizations agree that the technological resources provided by the Internet must be used in a responsible manner, respecting the rights to sovereignty, self-determination, diversity and human dignity, and in the light of the sustainable development of a society increasingly dependent on ICT."|
" The broad and secure Internet access, centered on the person (user), considered to be the common citizen / individual: girls, boys, young people, adolescents, workers and older adults, which would allow the service of all citizens and according to their needs, communication services, access and enjoyment of all the potential of Information and Communication Technologies (ICT)."
|"effective Cybersecurity Strategy is essential for each country to engage fully in the increasingly cyber-dependent trade and commerce. Robust cybersecurity frameworks enable individuals, companies and nations to realise the full potentials of the cyberspace, without fear or reservation, promoting cross-border delivery of services and free flow of labour in a multi-lateral trading system."||* ICTs reduce transaction cost, increase transparency and speed. Sustainability depends on how well the security of the platform is being maintained.||Rapid ICT growth is a key driver of economic development. Jeopardized if security measures are absent. Emergence and growth was prioritized over security. This leads to abuse of technologies, and lack of reliability and authenticity of information.||All Global Benefits benefit from secure and open access to the internet. ICTs must be delivered within a human rights-respecting framework. Access to technology can aid in eradicating extreme poverty, education, and access to clean energy.||Internet is an open information highway, runs on trust. Good cyber security ensures equality of stakeholders. Tech must not leak, steal, abuse and hijack contents.||ICTs changed lives radically. A way good cybersecurity can be implemented based on trust for ICTs and internet technologies, is for example by using open technologies and/or protocols. Data accessible to users who use them and can carry out some type of monitoring.||Good cybersecurity matters because they assure continuing development of ICTs, but are fundamental to supporting internet inclusion in developing countries, exercise of freedoms and rights, and allowing local populations to depend on alternative models of living. Safety and resilience is as important as user-friendliness. Literacy on ICTs is a prerequisite to understanding risks.||Trust is a key issue. Good cybersecurity must be developed in a multi-stakeholder model.
Good cybersecurity helps attain SDGs by contributing to growth and trust in ICTs.||Safe and secure cyberspace will bolster SDGs. Requires three tightly coupled layers: (1) individual awareness and responsibility, (2) corporate awareness and responsibility for protecting internet technologies it provides, (3) country aware of governance issues and technical, legal and institutional responsibilities||Citizens come to rely on ICTs, IoT and AI. When trust is good, they don't see a future without it. There is risk of over-reliance, and perhaps a failure of consideration for contingency plans -- in cases such as earthquakes, or government cutbacks to ICT maintenance.||"Good cyber security is a means of achieving and sustaining the credibility of the Internet as a safe environment for businesses to thrive and sustain economic value."||* "Sustainable development of all levels is directly related to the protection of all aspects of this infrastructure, including security"|
* Cyber security has an enormous impact on trust building.
|* Good cyber security policies, practices and legislation put people and their rights at the centre. |
* Simultaneously protect individuals, their data, devices and networks
* Foster trust, stability and confidence in ICTs
|GCSC raises the concept of the internet as having a "public core" which is worthy of protection. "(i) a clearly distinguishable “inner core” which consists of the core functionality underpinning the Internet (in particular the forwarding and naming functions and infrastructure of the Internet and those actors responsible for their day to day management, and (ii) a less clearly distinguishable “outer core” of potentially critical functionality, whose impact on the overall"||Cybersecurity "facilitates confidence and trust in ICTs, supports sustainable development and protection of human rights, democracy and rule of law."|
Policies such as the Budapest Convention enhance cybersecurity performance. Cybercrime convention committee in June 2017 launched drafting of additional protocol.
|* Cybersecurity is a reflection of the global security issues and measures|
* Questions around cyber security should be approached with inquiry on "how secure is security? Who do we secure?" and "Can we secure trust?"
|"Access to an open, trusted Internet changes lives. It can help to alleviate poverty, fight inequality and injustice, tackle climate change and help kids get an education. The Internet Society’s approach for an enabling environment for Internet growth and development is based on building connectivity, communities, capacity, and infrastructure policies. We are committed to an Internet for everyone everywhere; "free from censorship, unhindered by over-regulation, an enabler" of progress. An Internet that can build a business from "a spark of an idea, educate the most remote communities," protect human rights and drive economic and social development. Internet access needs to be open, affordable, reliable and relevant to be meaningful and offer opportunities for a sustainable development."|
"The Internet needs a solid foundation in trust for its full potential to be realized."
|"Good cybersecurity would facilitate more growth in users and usage of internet technologies, accelerating business, growing economies and making more wealth available for distribution to support attainment of the SDGs."||Good culture of cybersecurity helps build trust in the digital environment, enables economic growth, social inclusion, innovation.|
SDG 9: availability and management of internet infrastructure leads to increase in agricultural and business productivity.
SDG 5: cybersecurity capacity helps build staying safe online for women and girls, boost technology adoption and empower women to achieve SDGs.
|- Technology can be an enabler of all SDGs, but must be secure. Not securing development projects leaves some of the most vulnerable people vulnerable in new ways - in particular when collecting biometrics, health data, etc.|
- Critical to implement good practices for people to trust and participate in SDG initiatives. UN Global Pulse's Privacy and Data Protection Principles for harnessing big data for development and humanitarian action provide some guidance.
|The discussions at EuroDIG 2017, including the keynote messages delivered by the President of Estonia (host country) highlighted that trust and security are the key factors for achieving sustainable development and the future digital society.|
|How does poor cybersecurity hinder the growth of and trust in ICTs and Internet Technologies, and their ability to support the Sustainable Development Goals (SDGs)?||At leadership level if there is no cyber security the country's position can be compromised with no option of process. At individual level if there is no leadership and policy there is no direction and people follow leaders. So lack of proper cyber security certainly affects the ability to support SDGs and its implementation.||Poor cybersecurity threatens growth directly (exposing organizations and individuals to attack) and indirectly (perception of insecurity can lead to diminished adoption of new technologies).||Cyber attacks are damaging - example of Shamoon and ransomware, and Denial of Service Attacks.||Cyberspace faces new challenges - security and stability, infringement on privacy and intellectual property, cyber terrorism, cyber surveillance activities. Unbalanced development is more and more obvious.||* The response raises concern around the "policy of the United States' economic, commercial and financial blockade against Cuba persists and continues to undermine the full exercise of the human rights of the Cuban people, essentially those related to economic, social and cultural rights."||"Cybersecurity frameworks enhance a country’s preparedness to respond to the challenges of cyberspace. For instance measures to strengthen and protect critical information infrastructure can support economic development and attract international business. Poor cybersecurity hinders growth and trust in ICTs as it leads to lack of confidence in online systems and services, thus discouraging investment and usage. A lack of cyber hygiene increases vulnerability to cyber attacks and reduces the ability to effectively respond to and recover from cyber incidents which in turn promotes a lack of trust in the digital economy."||* Security may not affect functionality of the service but does affect quality.
It becomes difficult to quantify the damage in reputation due to direct association with trust.|
* Increasing complexity means adoption is directly proportional to trust.
* Risk must be assessed on Confidentiality, Integrity, Availability
* Controls must be implemented to address risk.
|Policy options should include a clear awareness of potential impacts, rules and actions to guide against such acts.||Not all connectivity is the same. Digital connectivity cannot hope to lift people out of extreme poverty if they lack dependable access. Access Now created Human Rights Principles for Connectivity and Development. SDGs depend on secure ICTs and protection of digital rights||Internet runs on trust, 99% of Users don't understand technology.||"Cybersecurity being something that crosses any small or global area, poorly regulated, poorly implemented, poorly controlled, becomes an obstacle to growth and trust in ICTs and internet technologies and sustainable development objectives"||Poor cybersecurity impacts different actors in unique ways: market actors incur cost and lose trust; governments may be affected in a way that threatens integrity of citizen data; civil society may not be able to play a role of political opposition. Information breaches may undermine capacity of activists.||"Poor Cybersecurity hinders the growth of ICTs and Internet Technologies as it brings distrust. People will not have faith in the ICTs and Internet Technologies if they are victims of cyber criminality. This is not because of the use of ICTs and Internet Technologies but because they are not adequately protected due to poor Cybersecurity. When this happens, people will not use the ICTs and Internet Technologies, which is useful in the attainment of the Sustainable Development Goals (SDGs).
In short poor Cybersecurity has an impact on the use of ICTs and Internet Technologies and ultimately on the attainment of the Sustainable Development Goals (SDGs)"||"Poor cybersecurity will undermine the growth and trust of Internet Technologies as it will unwittingly discourage netizens from the use of Internet space."||"Development of the dark side of the internet, loss of public trust and accountability, development of public fear, poor service or product delivery which could also lead to lower investment in public private partnerships, ability to raise capital etc. Can result in messy, faulty IoT, that can lead even to serious physical impacts on citizens e.g. defective four-way road stop leading to driver accidents etc. Low productivity, general malaise and slow progress of SDG attainment may result. Extreme frustration of policy makers leading to abandonment or over simplification of goals, with no real substance with respect to effective outcomes. It can lead to simply a play on performance measurement indicator presentations."||"Poor cybersecurity fosters the proliferation of cyber crime, cyber hacktivism, and cyber espionage. The quantum of online vulnerabilities is a good reflection of the degree of likely proliferation of criminal activities. Criminal activities undermine the achievement of the SDG."||* Poor cyber security results in hacks and data breaches, are catastrophic for privacy and undermine trust in development/digital|
* Many countries have insufficient or no legislation protecting data
* Data breaches have knock-on effect for a country's cyber security
|"The GCSC submits that the Internet is a common good for humanity. Parts of the Internet further conform to the notion of a “global public good”, providing essential functionality to the Internet as a whole and which underpins its normal operation. If one or more of these core functionalities are undermined or disrupted, then the security and stability of the Internet can be significantly impacted, decreasing trust and confidence in the domain amongst all stakeholders. These core functionalities are encapsulated in the concept of the “Public Core”."||Most SDGs are related to ICT. Cybersecurity aimed at enhancing confidence is directly or indirectly connected to each SDG. Promoting the rule of law is important.||"Conversely, poor cybersecurity would tend to hinder growth in the number of users of Internet technologies, retarding usage growth and limiting the impact of ICTs on economic growth and wealth creation for attainment of the SDGs."||* Thwart growth and trust in ICTs;|
* Cyber hacks and breaches break trust of businesses online, which directly impacts productivity and economic growth in developing countries where ICTs are more adopted for delivery of services.
|- Insufficient design and execution as well as intentional but harmful policies and practices put data at risk (encryption backdoors, failing to disclose known exploits and vulnerabilities, national intelligence programmes without oversight, criminalisation of technical experts and researchers, undermining standards and protocols).|
- Poor cybersecurity can result in damage to people and erodes trust.
- Norms and policies must work together, not be at cross purpose. For instance, violating cybersecurity with surveillance undermines actual cyber security. Ministries responsible for development are often different than those that deal with national security.
|Do you see particular policy options to help address CENB risks?||Great threat in how social media transforms today's world. Major impact of cyber terrorism and online safety concerns.||Recommend adding as concerns: (1) lack of cybersecurity awareness, (2) cyber resilience of cities and (3) number of women in cybersecurity. They also highlight methods of attack as something that applies across SDG goals and may require tackling of cybercrime internationally through aligning legislative initiatives. Also notes the US NIST Cybersecurity framework and national legal development as options for protecting critical infrastructure. For online abuse and gender based violence, recommends developing laws to deter online exploitation and awareness raising through government-third party partnerships. They note the importance of a Secure Development Process. Finally, they note the importance of freedom of expression as a human right protected by the rule of law. They do recommend excluding this from the cybersecurity best practice and tackle it as a separate item of work.||DDoS attacks, Mobile technologies, Technological measures to reduce potential abuse by authorities through protecting personal information. Encouraging gender diversity in cyber security. The submission also includes a case study of Sagarika Ghose and her husband, Rajdeep Sardesai, which clearly outlined the gendered nature of abuse both well known journalists see. Recommendations include disabling links to violence against women and girls, and creating awareness of internet safety. |
Companies that operate shared internet services such as DNS and IXPs must develop security policies and procedures. IXPs play a vital role in making the internet more affordable. For industrial control systems, a cyber security protection framework should exist.
The contribution makes specific mention of protecting information in voter registration databases, and in particular safeguarding its integrity. It also notes the need for secure development processes, and the impact of games such as BLUE WHALE, in combination with the greater importance of devices in people's daily lives.
|"Free internet access in schools can greatly increase the number of internet users. Most of our schools in developing countries do not even have computers, not to talk of internet access. A good educational policy that educates the youths on how to use the internet for their benefit and also avoid the risks online can be useful. The government can proceed by equipping all schools with computers and giving them free internet access. This will enable them to discover how to use the internet to empower themselves with knowledge, at an early stage in their life, before they move to the university. These kids are those who will shape the future of the internet tomorrow."|
- Policy that encourages competition across ISPs. Regulatory authorities can help ensure ISPs offer good QoS and encourage IXP sharing. A cyber security policy is a necessity.
- Refers to WSIS+10 report of challenges to overcome, including connectivity and access for all, affordability, reliability and resilience, an enabling regulatory and legal environment, and enhanced human capacities.
|* Multi stakeholder approach, stakeholders contribute in their share based on capacity. |
* Published International Strategy of Cooperation in Cyberspace, and a Plan of Action.
|New challenge: "How do small and medium enterprises (SMEs) secure themselves from cyber attacks and also promote confidence and trust in their online services?"||* DDoS: accountability matters|
* Mobile device security: technology providers should be encouraged to make security implementation and monitoring easier. Mandate "secure by design"
* Abuse by authorities: formulate Privacy and Data Governance policy/laws
* Confidentiality and availability of sensitive information: Services need to be made available on a "need to know basis". Availability should be tracked and measured.
* Online abuse/gender based violence: should be addressed in line with the law of the land. Technology providers must provide means of monitoring and law implementation
* Critical services: contingencies must be developed
* Vulnerabilities in ICS: Patches must be installed timely, operational responsibility must be defined, technology developers held accountable
* Information collected for a purpose, repurposed for other inappropriate goals: culprits must be charged in line with governing law. Breach victims should be compensated per law.
* Lack of SDL: accountability should be defined, and implementation monitored
* Unauthorized access: should be treated similar to burglary, with victim compensated.
|"Technologies products and services should undergo through the testing stages to ensure compliance to standards and bug fixes. Also, there is a need for penetration testing at every stage of technology products and services"||* Confidentiality, Secure Development, Security of Mobile Devices: adoption of data protection rules. Convention 108 (Council of Europe). General or sectoral data protection laws should be adopted more widely.|
* Potential abuse, including surveillance, misuse of information: Freedom Online Coalition recognized inextricable links between cybersecurity and human rights. Cybersecurity laws and policies can conflict with human rights; governments are increasingly asserting control over the internet, and stigmatizing security measures (encryption). Essential that states work together to curb trade of spyware, respecting human rights.
* IoT, DDoS, Vulnerabilities: constantly new threats appear, including malware and phishing, with real world impact. Journalists, activists and groups at risk become marginalized and vulnerable feel threats most acutely. Likelihood exists attackers will go after countries with fewest cybersecurity resources first (e.g. banking systems in LDCs).
Current frameworks lack sufficient safeguards, in law or practice, to address impact of IoT on human rights. Central elements to a solution: (1) data protection, (2) best available security practices, (3) transparent international processes on coordinated vulnerability disclosure.
|* DDoS: mitigation process must be adopted, strict laws to punish abusers.|
* Mobile device security: less secure compared to PC and laptop, users are less aware of vulnerabilities. App downloads must be from a trustworthy source. Use of HTTPS is recommended.
* Abuse by authorities: most governments have been implementing surveillance, and browsing patterns of targeted users may be collected. Abuse potential on civil society groups.
* Confidentiality of sensitive information: HIPAA provides data security in US, government stakeholders must implement their own privacy and security laws.
* Gender based violence: local governments need to contact website or social network, which takes a lengthy process. Fast-track abuser tracing and punishing. Objectionable content must be removed when requested.
* DNS/IXP security: DNSSEC should be deployed, with awareness building to support KSK rollover etc. IXPs can protect infrastructure through RPKI.
* Vulnerabilities in ICS: Identify old vulnerabilities, and ensure patches are available. Blacklist malware.
* Repurposing information collected for another purpose: security of IoT is under-researched. Transport encryption must be required. IoT can be compromised due to lack of security implementation, and requires proper auditing.
* SDL: should be developed.
* Unauthorized access and impact on daily lives: create awareness that security/privacy are fundamental rights, and abuse can be legally challenged.
* Other issues: cryptocurrency/bitcoin should be brought under cyber law, used as means for ransom, and less traceable.
|* Information collected for purpose and reused: management of information is critical. Companies must develop controls for safeguarding our information.|
* SDL: Good practices exist, but are sometimes not applied.
* Unauthorized action to devices: Manifestation of the everyday is affected by unauthorized access. We are using IoT devices in all parts of our lives and families.
|Policies needed in a partnership between public and private actors. Important that public authorities become aware of cybersecurity risks to their activities. Awareness could be raised by developing best practices and guidelines, and sharing among entities.|
At a technical level, implement secure development processes in smart and mobile technologies.
Surveillance undermines privacy and threatens freedom of expression. Legal frameworks are an important step.
Importance of developing policies for informing people in developing countries about risks of unauthorized access.
|* DDoS: Technical community must develop tools, international conventions must punish cybercriminals.|
* Mobile device security: R&D by the Technical Community on Security Software and Mass Sensitization by the Civil Society on best practice and optimal use of apps and other mobile
* Abuse by authorities: Sanctions by the International Community to Governments making an abusive use of the effects of technologies. Intergovernmental Organisations have an important role to play
* Confidentiality of sensitive information: Civil Society as a watch-dog to ensure that no sensitive and confidential information is disclosed
* Gender based violence: Implementation of DNSSEC and other technologies. Technical Community with the help of other stakeholders
* Vulnerabilities in ICS: To be addressed urgently by the Technical Community
* Repurposing information collected for another purpose: Enactment of appropriate laws and amendments by Governments to criminalize such activities.
* SDL: Technical Community has to be in pace to cater for such processes.
* Unauthorized access and impact on daily lives: Criminalize such access by enacting appropriate laws by Governments.
* Other issues: Virus, malware and other ransomware attacks to be severely criminalized by all Governments and the Civil Society has an important role to play to sensitize users of the best practice for computer safety and protection against all these threats.
|"Policy and strategy are vital components of effective cybersecurity. It foundationally sets the parameters for effective Internet governance. A well-crafted policy set sets the direction for regulation, compliance and conformance."|
Mobile devices: evolving rapidly, have almost all characteristics of a computing device and must be secure.
* Potential abuse by authorities: authorities should support and promote open internet, safe and secure environment, and consider regulation instead of censorship.
* Confidentiality and availability of sensitive information: applications processing sensitive information must have a secure baseline/applicable controls. Must be certified to ensure this baseline is applied.
|* DDoS: country needs designated sites for warnings to be posted. Site must be easily accessible.|
* Mobile: Good policies made available to citizens on managing their device. Low income citizens may have to be supported by the government for these private sector services.
* Potential abuse by authorities: Ethics as mandated by government policy is key to a healthy economy. There has to be government sector ICT / IoT / AI ethics education.
* Confidentiality of sensitive information: each person's data is their own. Users must be informed when profiling takes place, and provide audit trails and algorithms + permit opt-out. Buying a user's account should require consent. Personal data is not owned by a company, but by the user. Jurisdictions in the third world must take action to equalize fairness of these matters of jurisdiction, in particular when dealing with foreign companies.
* Abuse/gender-based violence; shared service (DNS/IXP); Vulnerabilities in ICS: global standards and protocols needed. A user complaint system or ombudsman should be available. FDA system for services and products?
* Information collected, reused for other purpose: This is all about ethics and there should be an ethics oversight bureau that systematically audits all companies on the globe for compliance with data repurpose without user consent. This could be onerous for the user to consent to everything but perhaps the bureau can set up a profile that users keep up to date indicating their waivers and opt outs.
* lack of SDL: Good standards and protocols, per country, per region, globally (for issues of cultural sensitivity) are mandatory including protocols for human-computer interaction.
* Unauthorized access: Each government / jurisdiction has to set policy and standards of conduct and enforce it. A complaints system for the citizen must exist.
* Other issues: lack of education, whistle blower legislation and implementation, administered with excellent judgement.
|* Nations must become serious about putting in place a robust risk management system, driven by a cybersecurity strategy|
* Country-wide vulnerability management is needed.
* Policies should be in place to ensure stakeholder transparency and accountability in ISP, DNS and IXP communities.
|* Use of information for other purposes: many information systems do not implement security best practices. Communicated data for security monitoring should not only be in a unified format but also language (a log in one tool means the same as a log in another tool). Systems are deficient in reliably identifying genuine source and user of an event. Hence perpetrators cannot be tracked. All level of ISPs and Internet coordination bodies must coordinate protocols to respond to malicious activity.|
* Due to sanctions, barriers and challenges include:
(a) unavailability of security equipment
(b) Failure to receive support
(c) Inability to attend conferences
(d) Unavailability of membership in industry groups
(e) Limitation of knowledge sharing
(f) Limitation on use of safe protocols
(g) Limitation of use on licensed products
* Unauthorized access: protecting USSD data in mobile networks is critical. In Iran a specific technology was developed but cannot be shared internationally easily due to the issues raised above.
|* Grouped challenges together, and organized some by Devices/Networks/Mobile.|
* Devices: cheap to connect, but IoT suffers security risks. Policy-makers and regulators need to address how to encourage IoT vendors to make devices more secure - without current economic incentives.
* Networks: Network security is critical as device security is lacking.
* Mobile: failure to address known vulnerabilities. There is also a lack of security information from the private sector (manufacturer who knows the device is secure, and the consumer, who does not).
* Abuse by authorities: prioritizing surveillance is weakening rather than strengthening security. Quote by European Court of Human Rights: undermines democracy under the cloak of defending it. At the same time, essential measures to strengthen cyber security will be under-resourced (identifying vulnerabilities, supporting research, education, public information campaigns)
* Confidentiality: governments are keen to develop data-intensive projects, but lack consideration for security of that data. Countries should implement legal frameworks to address data security concerns, impose security obligations for governments and companies, along with reporting requirements for incidents -- that allow subjects to take actions to protect themselves from consequences, and governments to be aware of risks and threats in their country.
* Collected information reused: Privacy International refers to this as "data exploitation". Devices are designed for this purpose, which must change.
|GCSC raises the concept of the internet as having a "public core" which is worthy of protection. "(i) a clearly distinguishable “inner core” which consists of the core functionality underpinning the Internet (in particular the forwarding and naming functions and infrastructure of the Internet and those actors responsible for their day to day management, and (ii) a less clearly distinguishable “outer core” of potentially critical functionality, whose impact on the overall"||* DDoS: Budapest Convention provides legal framework for investigation, prosecution and sanctioning. Offers means to criminalise and prosecute.|
* Mobile device security: computer system in Budapest Convention includes mobile devices
* Abuse by authorities: criminal law measures should be subject to law safeguards and conditions. These controls apply less to national security services - stronger supervision and accountability would be needed.
* Unauthorized access: Budapest Convention offers states the legal framework for prosecuting and dissuading.
|Valuable initiatives: MANRS, African Internet Infrastructure Security Guidelines, Global Commission on the Stability of Cyberspace, APAC Privacy Issues Paper, Latin America and Caribbean Anti-Abuse Working Group, OTA 2017 Online Trust Audit and Honor Roll, Internet Society's Anti-Spam Toolkit.||* Reliable access to internet services: technical measures to enhance resiliency and access. Technical and administrative measures to facilitate prevention, detection and mitigation of cyber attacks, and identification of perpetrators.|
* Mobile: minimum built-in security features and capabilities
* Abuse by authorities: legislative and constitutional safeguards, regulatory provisions
* Sensitive information: data protection laws and regulatory regime
* Online abuse and gender based violence: awareness building and education programmes, state and NGO support resources
* Shared resources: DNSSEC, ccTLD capacity building, IXP services and resiliency development
* Vulnerabilities in ICS: Disaster preparedness and response, business continuity planning
* IoT/Human factors and security awareness: identified as a priority but no work done yet
* Other: Education of users
|* Thwart growth and trust in ICTs;|
* Cyber hacks and breaches break trust of businesses online, which directly impacts productivity and economic growth in developing countries where ICTs are more adopted for delivery of services.
* Gender based violence: governments need to take the lead, join hands with all stakeholders. International rapid response teams should be set up to mitigate abuse.
* Shared services: protecting these resources is critical, requires a multistakeholder approach and acknowledgement of global interest.
* ICS vulnerabilities: enable a common language and sound security practices in current standards. State of cyber security of these systems in developing countries is very poor.
* Lack of SDL: SDL needs to be embedded in development processes. Key industry players should raise awareness, and sponsor national initiatives for standards.
* Unauthorized access: many countries have drafted laws. Access can result in disclosure of sensitive information affecting SDG 8, SDG 1 and SDG 5.
|- Important to support efforts to mitigate DoS and other attacks at the technology level, rather than with policy such as criminalisation. Proactive solutions to find, mitigate and disclose vulnerabilities are key to addressing reliability and access. Technical community must develop protocols to prevent their use for exploits such as DDoS.|
- In terms of policy, governments must encourage solid technology practices such as bug bounties, and not exacerbate the problem by hoarding vulnerabilities, or creating backdoors in secure communications tech. Governments must regulate private sector through data protection laws, and other consumer protection. They must pursue policies or treaty options that compel signatories to abide by international principles, norms and standards that ensure cybersecurity and national security measures that employ digital technology are necessary and proportionate. Govts should be transparent in, and protect disclosures by private sector on private sector-government partnerships.
- Private sector must use due diligence to protect human rights, and avoid adverse impact. Correctly implement protocols and best practices. They must create readable ToS for users, and proactively inform users of software updates.
- Academics and security experts should monitor best practices implementation. Policy protections must exist for researchers who seek out vulnerabilities in technology in the public interest.
- States must fully implement CEDAW at the national level to respect, protect and fulfil women's rights, and must pursue a preventive and proactive approach to gender-based violence (GBV). States should recognise GBV as a human rights violation.
- Gender-unequal access to technology and women's subordinate status in ICT must be confronted (through affirmative action, subsidies for ICT-related courses). Comprehensive capacity building should be undertaken. Companies should take a rights-based approach and adopt the Women's Empowerment Principles.
- Internet governance forums should provide mechanisms to ensure women's participation in policy discussion and decision making.
- Adequate budgets and resources should be allocated by states to address GBV.
- In developing anti-abuse policies, intermediaries should consider local context and understand differences and English language bias. Intermediaries should have minimal obstacles in taking down content in relation to privacy concerns, specifically when accompanied by threats. Accountability measures should exist to complainant. Reporting mechanisms should be made to improve in terms of legitimacy, accessibility, predictability, equitability, transparency, their rights-respecting nature and in their nature as a source of continuous learning.
- Intermediaries should provide greater transparency and accountability regarding (in)action.
- Best practices in development with free and open software principles that allow for transparency of code as well as undergo third party audits can help implement secure development processes.
|What do you see as the responsibilities of each stakeholder group?||Humans thrive through adaptation. Develop a greater set of core values that will guide the system and drive people and leaders. Responsibilities determine how we accept standardization and adopt unified set of values.||Complexity is the reason why multi stakeholder efforts are important. Private sector must invest in development of technology with cybersecurity in mind, and share best practices. NGOs have a critical role in raising awareness, and promoting responsible behavior and safety online. Governments play an essential role in protecting critical infrastructure and prosecuting cybercriminals.||Multistakeholder approach with equal participation, government enacting policies and guiding scientific research along the right track.||The document promotes the following policy changes:|
* Apply public policies that promote an appropriate regulatory framework to organize institutional, organizational, functional and technical development for the diversification of connectivity services.
* Work on the implementation of the Millennium Goals and Agenda for Sustainable Development 2030, through national mechanisms for effective monitoring, to eliminate social and economic inequalities.
* Encourage that agreements of the World Summit on the Information Society that have not been complied with are ratified, especially those affecting developing countries, such as:
Internet Governance, the application of unilateral coercive measures contrary to the principles of the Charter of the United Nations, the norms of international law and human rights, the digital divide, which increases considerably each year as a result of the considerable inequalities existing between rich and poor countries, and favors domination, subversion and political and media interference.
* Promote the creation of spaces in social networks that allow to deal with issues considered as transversal: (what follows is summarized) ethics, gender, diversity, access to services; participation and inclusion in tech dev; equal access for men and women to training; increase the number of young people with ICT skills; equal access to all levels of society; incorporate ICT in curricula (including respect for human dignity, promotion of a peace culture and non-violence, and cultural identity); encourage use of ICTs and empower girls and women through education; promote public policies for gender equality; promote ICT to contribute to education; encourage high quality technological infrastructures
* To promote multi-sectoral international cooperation that favors the achievement of the agreements of the Summit of the Information Society, as well as the objectives and goals of the Agenda 2030 for Sustainable Development
|Collective responsibility, a culture of cybersecurity should be encouraged. In 2014, CTO developed the Commonwealth Cybergovernance model||* Complexity requires mature model of defining responsibility and accountability.|
* Unit testing and integration testing must be performed consistently and outcome documented
* Transparency in information flow is important, testing protocols must be followed.
* All stakeholders must integrate cybersecurity assessment and control in standard operating procedures.
|"Joint efforts to the formulation of cybersecurity policies to protect the internet technologies and ICTs would help ensure and prevent hindrance to internet development. A periodic evaluation of cybersecurity policies, issues and forum where all stakeholders on an equal footing to address and resolve any potential changes and development. Also, a careful and sensitive approach to defining requirements and measures need be; to avoid strict measures which could jeopardize the future of internet development."||Multistakeholder approach is best practice for good reason. Coordinated efforts should foster compliance with digital security norms. Current discourse often overshadows privacy, civil liberty and multistakeholder advocacy agendas. BPF can contribute by promoting strong user-centric cybersecurity practices within a human rights framework.||*All stakeholders must actively participate in ensuring Cyber Security, which needs to be addressed as a Major concern in current growing Internet Infrastructure. All stakeholders must engage with the Technical Community, standards organization like IETF, IEEE, ITU, Incident Response groups like FIRST, CERT, Network|
Operators Group and Internet Registries must participate with other stakeholders to bring a balance in framing a Cyber Security Policy.
Cyber Security used to be a topic of discussion within the Technical Community, now all stakeholders must actively participate in Cyber Security related discussions this will enable the forum to bring consensus on what needs to be addressed to reduce and resolve the Cyber Security related issues. A framework for Cyber Security must be drafted, best practices must be adopted for implementation.
|Multi-stakeholder model is key. "The private sector plays a core role in developing secure products and services, as well as in sharing knowledge and best practices with governments and non-governmental organizations. Governments play a fundamental role in developing policy and legal frameworks for a secure cyberspace, data protection, protecting critical information infrastructure and enforcing the law against cybercrime, online abuse and gender based violence. They are also important for regulating competition among market actors and, in|
my view, have two negative obligations: not to fuel competition for creating insecurity (i.e., by acquiring vulnerabilities at the expense of companies affected, for example) and not undermining users’ data protection. Non-governmental organizations activities are, thus, fundamental for pressing governments to abide to its obligations, such as respecting rights such as privacy and freedom of expression, increasing awareness over rights in the digital age, promoting responsible behavior and spreading best practices, as well as they have been important hubs for expanding access policies in developing countries, often being closer to the everyday reality and challenges faced by users than the other cited actors."
|"The responsibility of the Private Sector is to ensure that technologies are|
developed not only taking the cost factor in mind but also the security aspect
of it. The technical community should hear a lot from the Non-Governmental
Organisations and other stakeholders before designing technology. Perhaps
the IETF should broaden its membership to include all stakeholders not only
the techies. The International Organisations should ensure that all
Governments do adopt conventions and agreements. The Governments
should ensure that they are up to date with their laws to ensure safeguard of
critical infrastructure and punish cybercriminals and the Academia should be
ready to bring into curriculum technologies recently developed or adopted. If
each of the individual stakeholders assumes their responsibilities correctly
we are sure that Cybersecurity won’t hinder the further development of the
ICTs and Internet Technologies."
|"Collaboration, communication, inclusiveness, transparency with honest ethics conducted in a timely, fair manner. Accountability, integrity and deep cultural understanding are important. IoT and AI are going to add a complexity that is going to require some sophistication to understand the issues, but it must be discussed at an educated layman’s level to enable effective feedback from MAGs. Regular public / expert surveys can assist effective policy making e.g. found in action currently in the US, Canada, European Union etc. Examples of such work are: Pan-European dialogue on Internet governance (EuroDIG); The Pew Research Center’s Internet & American Life Project, Work of the Privacy Commissioner of Canada; United Kingdom Governments Digital Strategy work etc. The average citizen must be surveyed as well as there must be a mechanism that any citizen or person can send in feedback to an independent body."||Issues that must be addressed:|
* Cybersecurity framework must be adopted, including goals and measurement. Goals could be mapped from SDGs.
* Cybersecurity processes: critical practices identified, established and institutionalized
* Cybersecurity structure: agency of government to own accountability
* Cybersecurity culture and behavior: educational curricula should promote acceptable cyberspace behavior
* Cybersecurity intelligence and surveillance: countries should have a means of collecting information that helps make decisions -- without violating privacy and freedom
* Practitioners: deliberate policy to create job opportunities in cyberspace
* Innovation: development of cyber security products/services/infra/applications. Involve young people through contests.
|Enabling sharing across boundaries would be a major benefit that should be encouraged by each stakeholder group.||* Cyber security should be considered a "public good", which promotes collective responsibility for shared benefit|
* Governments sometimes frame cyber security under vague national security definitions, place initiatives under the domain of intelligence agencies - harder to scrutinize and may lead to unlawful surveillance
* Secrecy does not equal security. More transparency is needed around initiatives to keep users safe.
* We would welcome discussion on classification of cyber security as national security and/or role of intelligence/security services.
|"Cybersecurity can be assured only with a multi-stakeholder approach. This is why, when developing future policies on the strengthening of the rule of law in cyberspace, the Council of Europe encourages relevant stakeholders to contribute. In this way, future policies will represent commonly accepted solutions to make the cyberspace more secure."||"All stakeholders have a positive role to play in nurturing a trusted and open Internet. We need to work to|
secure core aspects of Internet infrastructure, to protect the confidentiality and integrity of the data that
flows over it, and to ensure the right policies are in place to support the technologies, networks and actors
that make the Internet work. We do this through collective responsibility and collaboration." They denote the Principles of Collaborative Security and the Internet Society's Policy Framework for an open and trusted internet. Notes there is no one-size fits all, and that pro-internet policies can take many different shapes.
|"This both shows the strength and opportunities of ICTs and Internet Technologies, but also the potential risks. New technologies may be insufficiently secure, resulting in harms when they are deployed: conversely we may adopt security requirements or measures that prevent the development, deployment, or widespread use of technologies that would generate unforeseen benefits. Where do you think lies the responsibility of each stakeholder community in helping ensure cybersecurity does not hinder future Internet development?". Stakeholders have responsibilities to:|
* In fostering open inter-stakeholder collaboration and trust relationships
* In infusing a culture of cybersecurity among all stakeholder groups given the irreversible and cross-cutting impact of the Internet on all aspects of economic and social life.
|"The strength and weakness of internet technology is that it’s autonomous and highly|
uncoordinated with the interplay between benefits and risks of newly deployed technologies
unseen. This makes the responsibility of each stakeholder in the community critical for the
continuous growth and development of this powerful technological revolution. Governments
and international development organizations have a very influential role to play in the progress
and growth of this technology ensuring that shared resources are secured, criminal states are
sanctioned and cyber criminals living in safe havens persecuted and brought to justice. Civil
society, industry and academia need to play a greater role in increasing awareness about
cybersecurity. Global civil society organization involved in protecting digital rights and freedom
on the internet need to provide assistance and mentor local civil society organizations/advocacy
groups to ensure that balance between privacy and security is achieved."
|- One of the sessions at EuroDIG 2017 discussed in depth the multistakeholder model and its complexity. The conclusions highlighted that the way internet was constituted and works each party needs to take responsibility to ensure resilience and to take a collaborative security approach to foster confidence and protect opportunities. Since every stakeholder has different incentives and different economic interests and different logics (regarding security/privacy/DP), only a good multistakeholder process would bridge these differences. While it was agreed that governments usually try to take the lead in setting policy and regulatory priorities, the role of civil society is important to monitor accountability and transparency.|
- At the EuroDIG 2017, while stressing that the multi-stakeholder collaboration and role of technical community, industry and civil society is very important, more voices were raised with the suggestion that governments should take a leading role in driving national and international cybersecurity agenda and setting regulatory and policy priorities. This, however, should not undermine the collaborative approaches and the role of tech community and industry in
identifying risks, providing security of networks and customers, and the role of
civil society in safeguarding transparency, accountability, due process and human
|Most critical cybersecurity issue||Develop better core values, in particular for a country like Nepal. Ensure representation and opportunity in the global IGF process.||Development of cybersecurity norms.||Security is an evolutionary process. Risk management methodology needs to be evolved, and we need to accept there is no 100% security. Risk management professionals should be involved in the various communities.||"The most critical cybersecurity issue is the vulnerability of critical infrastructure and internet resources. Recent development has seen attacks on infrastructures to disrupt transmission and processes, to eavesdrop, and control while gaining access to useful information. The security of infrastructure and internet resources which ranges from hardware to software must be in every stakeholder's mind as these formed the base for accessing user information."||DoS/DDoS Attack, Ransomware, BGP/IP Prefix Attacks, DNS abuse are the most Critical Cyber Security issues that need to be solved. The Technical community being the major contributor for Cyber Security, should provide support and create awareness among all stakeholders. Implementation of Resource Public Key Infrastructure (RPKI) for preventing BGP/IP Prefix Attacks and DNSSEC for protecting DNS Infrastructure must be priority topics to be addressed.||Cybercrime and State Conflict.||"The recent Ransomware attacks have shown how vulnerable we are when|
we are using a common operation System. We think that this issue needs to
be tackled urgently and bring on the table all parties, the Private Sector (The
OS provider), the Technical Community (to provide alternatives), the
Government (to update laws and regulations), the InterGovernmental
Organisations (to come to a coordinated approach by all Governments), the
Academia (to update on curriculum on new technologies) and the Non-
Governmental Organisations to sensitize users on the dangers of not being
adequately protected and the measures to take to make a Cybersecurity as
|"Lack of education of the public at each age, income level, cultural grouping and educating the public on internet ethics and etiquette now commonly mentioned. Education of risks, preventative measures, safety online, derived issues, repercussions etc. must be communicated at a meaningful level for the average citizen. Just having it on-line does not mean the average person will look it up. Awareness has to be generated and an “engagement” with the public established so that citizens past the school age have access to the information. Delivery means reaching all citizens not just making it available."||"The UN and ITU need to develop a framework to foster international cooperation and legal principles for cybersecurity. Developing countries may require the support of ITU and the UN to eliminate cybersecurity blockers that are technical, organizational, or related to capacity building."||"The following issues are the most important security challenges in developing Mobile Broad Band (MBB) network:|
- Lack of public and available professional forums to addressing security threats and vulnerabilities in the Telecom core network.
- Low awareness of system administrators and managers in securing next generation networks.
- One of the biggest security challenges that threatens the future of cyber security is the expansion of the IoT. With the spread of Internet usage in personal and home appliances, there will be new threats due to the lack of security awareness for subscribers and lack of IOT standards (many works in this field is not standardized yet)"
|"Criminal justice aspects – including the securing of electronic evidence - need a stronger reflection in cybersecurity policies. Prosecuting major cybercriminals will help have a direct impact on cybersecurity and enhance confidence and trust."||"The most critical cybersecurity issue pertains to the global issue that has been persistent over|
the last 25 years, which is that of extreme threats. The threats have been so dire that the
measures taken to deal with the threats have altered the way the common man lives his life. By
the correspondingly extreme processes and measures taken to solve a 25 year old problem, the
progress made over millennia has been somewhat reversed. The stakeholders may be invited
to identify solutions that would effectively deal with this critical issue in the right measure without
altering the way we live our lives."
|IoT ecosystem, which "is hampered by a lack of commercial incentives. For IoT manufacturers and service|
providers, good security is expensive, requires particular skills which may not be readily available, and
security-by-design slows a product’s time to market, which is a major factor in this very competitive
|"Fostering the appropriate culture of cybersecurity appropriate to each stakeholder group e.g. policy makers, technical community, service providers, end users. Each stakeholder group has to be addressed."||Big data/cognitive computing, AI supported analytical/automated systems.|
United Nations needs to provide leadership and define framework for behaviors and norms - especially when countries with greater capability can damage critical infrastructure of least-friendly nations.
|- Best practices in technology development, from design to use, is the most important issue to be addressed by the forum. This includes research and publication of practical case studies on: implementation of secure standards and protocols, free and open source software, third party code auditing, feedback loops between software implementers and standards setting bodies, strong rights-enabling cybersecurity and cybercrime policies and laws, protecting technical and security experts and researchers from criminal prosecution. |
- Technical experts need to be part of the conversation to share, including experts in software development. Due to the criminalisation of technical experts, criminal defense lawyers would be a welcome addition, too.