IGF 2018 - Day 1 - Salle XII - Global Commission on the Stability of Cyberspace

The following are the outputs of the real-time captioning taken during the Thirteenth Annual Meeting of the Internet Governance Forum (IGF) in Paris, France, from 12 to 14 November 2018. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record. 



>> MARIANA KALJURAND:  Ladies and gentlemen, my name is Mariana Kaljurand.  I'm the Chair of the Global Commission Cyberspace, and I think that we are ready to start.

We were informed by the organizers that we have to finish by 2:45 in order to get to the main room to listen to President Macron.

With my colleagues, I just came from a panel that was organized by the Paris Peace Forum that was discussing the Paris call, and it was good to know that today there are 51 countries, 93 Civil Society organizations, and more than 200 Private Sector actors who have already endorsed the Paris call, and I'm really proud that our commission is among those from Civil Society and our commission was involved in the work and, once again, I would like to congratulate France on wonderful, wonderful endeavor and for having such a wide support.

For me, the first call maybe is a very important document because of that multistakeholder model, multistakeholder approach.  It is advertising, it is paying attention to, and I hope that from a political document it will soon be a working document and when we meet a year later, we can have best practices of multistakeholder model.

Having said that, you can see we have commissioners at the table, we have our advisors, our supporters in the audience, and I would like to invite my co-chair, Michael Chertoff to introduce the work of our commission and then we go to the norms that we're going to propose.

Michael, please.

>> MICHAEL CHERTOFF:   Thank you, Mariana.  I'm delighted to be here, and we're delighted to be part of the proceedings here.  I thought I would just give you a little bit of background about the commission and what we've done and what we propose to talk about today.

The commission was launched in 2017 at the Munich security conference, and the idea was to focus on the norms and policies that promote security in stability in cyberspace.  So, obviously there are a lot of issues to discuss with you, Dunette, but we felt security in cyberspace as a whole was something that required attentive necessary.

Part of the disease of the commission was to bring not discover meant, but private actors and Civil Society into the dialogue about how to preserve stability.  The idea here is that unlike the traditional notion with respect to international norms that they are largely government driven, given the nature of cyberspace, and given the fact that much of the operational activity is in private hands, there has to be a multistakeholder approach.  It has to be not just government, it has to be the Private Sector in Civil Society, as well.

In composing the commission, we try to reflect this.  The 28 commissioners who have been part of this include people with technical expertise in background, academics, former government officials, the idea being that they would bring a wide variety of perspectives to the challenges that we are addressing.  It's been sponsored initially by the Hague Center for Strategic Studies, which together with the east-west institute provided staffing for the secretariat and for organizing our activities low guys particularly.

In addition to further broaden the inputs from a wider variety of stakeholders, we set up a research group and included sponsors that could be involved in the process of doing research and helping us execute the mission of the commission.  The idea being, again, we want to have the broadest input from around the world.

We've met for approximately four times a year, and the idea has been to develop and, as we'll describe, layout proposed norms for state behavior and frankly for non-state behavior.  And, the reason that non-state behavior is important, again, is because so much of what occurs operationally is in private hands, so it's not just a question of a government monopoly on what happens in the Internet.

Our purpose here today in part is to get feedback from you to refine what we have laid out and will describe as the key principles for security in stability, and to talk about what are the things that stakeholders need to do going forward.  So, we hope this will be a constructive dialogue, we hope you will find our norms to be sensible and compelling, but we also want to hear your feedback.

So, with that, let me turn it back to Mariana.

>> MARIANA KALJURAND: Michael, thank you.

And, now we'll proceed the following way.  Today we'll introduce, we have the kind of a soft launch of non-package, we call it Singapore, because we agreed it, more or less, in Singapore we had to do some fine tuning of the Singapore, but we call it the Singapore package.  We'll come to that.  But, to start with, I would like to start with the first that we adopted almost a year ago, and which proposed was the call to protect the public core of the Internet.

And, Wolfgang, please. 

>> Wolfgang Kleinwachter:  Thank you, Mariana.

>> MARIANA KALJURAND:   I'm sorry.  I think the easiest way, too, is we introduce the norms, all of them, and then we start discussion so that we will have time to talk about all norms that are of interest to you.

Thank you, Wolfgang, please. 

>> Wolfgang Kleinwachter:  Thank you, Mariana.

When we started working the commission, we realized that there are -- it's a certain hierarchy in the norms.  There are norms which as really very general and universal value, and also norms which have more specific meaning for a specific sector.  And, in today's world, I think everything is dependent from the functioning of the p Internet.  I think our national security is today cybersecurity.  Our national economy is a digital economy, and you know, rights are online and off line more or less the same.

Insofar it was very natural to say, you know, if we want to have a stability in the cyberspace, we have to have a very secure and stable core of the Internet, because if the Internet does not function, this undermines the security of everybody.  This undermines the economy of all countries.  And, insofar to have a norm which protect the public core of the Internet is the key element for all things.

We had a long discussion, you know, how we define the public core of the Internet.  In essence, it's the naming and numbering system, it's the forward system, and you know three lines of the norm very simple which says, you know, state and non-state actors should not conduct or knowingly allow activities that intentionally and substantially damage the general availability or integrity of the public core of the Internet, and therefore the stability of cyberspace and, you know, we include there the routing domain name system, certification trust, and communication cables.  So, in other words, more or less this is the protection of the critical resources of the Internet, which are managed by ICANN.  ICANN has its own security and stability committee, but we have seen in the last couple of years ongoing attacks against the root service system, against other elements of ICANN, and this should be very clearly defined as crime, as a crime against humanity if somebody brings the public off the Internet down.  And, so far this is a very specific norm which should be universally recognized, and not only by states, but also by non-state actors, because a lot of attacks against the systems are coming from the state actors.

Thank you, Mariana.

>> MARIANA KALJURAND: Thank you, Wolfgang.  And, maybe I just add one thing, that it's a living document.  When we published it, we had the definition where we said that elements of the public core include Internet, the domain system, certificates, and trust and communication cables.

After Bill and Olaf had a very extensive presentation with the IT community, we developed that definition further so that in the handout you can see the definition of the public core as we see today.  And, again, I would like to stress all these are living documents, so we are looking for your feedback and are very happy to hear about your opinions.

Having said that, I'll pass the floor to Marietje and talk about electric systems. 

>> Mary shack:  Thank you so much, Mariana, and I add my appreciation who is here and it's also really nice to have such a huge delegation from us from the council on the podium.

I guess the best way to stand between you and Macum, but we'll let you go in time.

In my daily life I'm a member of the European parliament so the whole right to vote for people as a universal human rights voting by secret ballots and according to wishing by government electives and suffrage is an important human right, and I'm sure you noticed heated debate recently about various elements of the integrity of democracy in elections, including dis information, which is getting a lot of headlines and discussion on social media, but what we've tried to do is really look at the sort of deeper layer of electoral looking at suggesting norms that multiple stakeholders can get behind.  We come from a point in time where the risk fragmentation and conflict and dis integration of the global open Internet is very significant, but where norms, where multiple stakeholders can gravitate around are really missing, even though the rights that are at stake and the principles that are at stake are so significant.

So, in order to look at the other dimension, the more technologically driven dimension of the electoral process, we are suggesting a norm that says, and it's projected right there, state and non-state actors should not pursue, support or allow cyber operations intended to disrupt the technical infrastructure essential to elections, referendum and plavacites.

This, on the one hand, builds on this universal human right to elect, on the other hand, it builds on the core principle of the UN chart I can cull 2.4, the principle of non-interference.  And, we're basically extending that to the electoral infrastructure.  So, we've really tried to anchor this norm, a we do with all norms in agreed universally adopted principles so that we're not suggesting something that is sort of out there, but that we're bringing it close to the universal declaration of oo has not rights, and in this case the UN charter.

So, I happy that is clear.  Happy to answer more questions, but I know you'll be hear a lot more from my colleague, so I'll leave it at this.  Thanks.

>> MARIANA KALJURAND: Thank you, Marietje.  I perhaps needed to say how proud we are that the norm was also reflected in the Paris scope. 

>> Marietje:  Yes, absolutely.

>> MARIANA KALJURAND:   Having said that, we are moving to the package that we're happy to introduce today.  The packages are in the room, and you can receive them from our secretariat, the Singapore Norm Package.

First, I would like to give floor to Bill to introduce the norm to avoid tampering. 

>> Bill Woodcock:  So, Scott Charney of Microsoft was the principal author of this one, and so I'm afraid I'm not as well prepared to discuss it as he would have been, but I will do my best.

So, this one is as opposed to our main norm, which is about actions against the core of the Internet, this one is looking at the indirect effects of actions taken against products.  So, when someone attacks a router in the Internet or domain name in the Internet that is a direct attack and a very visible one.  When someone compromises a router by diverting it while it's been shipped to its customer and installing wire tap gear, or they compromise the encryption protocol that is are used for management communication with that equipment, these are indirect attacks that set up later damage.  And -- sorry.

Is this better?  Sorry about that.

So, this is an indirect attack that sets up later attacks.  It's often used.  Military people will talk about it as pre-positioning an attack.

So, there are many obvious problems with people doing this.  It's a compromise, and rarely is the person who puts the compromise in place the first or the only one to abuse it.  So, that's the first big problem.

The other one is that it destroys the trust between the people who use these products to build the Internet, and the vendors that they depend upon to build the products, if they can't trust that the thing that they get from the vendor has not been tampered with, isn't compromised.

One of the foundational building blocks is gone, and in an industry where we have to continue doubling in size every ten and a half months, supply chain has to move very quickly.  It's large and it moves quickly.  When we can't trust it, there is no clear answer, no clear solution.  So, that is what this norm is really aimed at.  It's at the kinds of governmental attacks that undermine the products that we build the Internet from, both hardware and software.

Thanks.  More questions later, I guess.

>> MARIANA KALJURAND: Thank you, Bill.

From here we're moving to norm against commandeering ICT devices and all of plays. 

>> OLAF KOLKMAN:  So, the way that this norm came about was a discussion around IoT.  That is at least how it started.  We are shipping product into the homes and even if we -- they might not have been tampered with or tainted in the production chain, they might still contain bugs, which are exploitable. 

Having millions of devices in our environment or personal life or in cities or in our schools or in our homes, with those vulnerabilities and seeing those turned in to and weaponized is a concern.

So, that was sort of the inspiration for this norm.

Now, it is unrealistic, unfortunately, to say this should never be done.  Nobody should ever hack a IoT device and not use it for any nefarious purposes.  Sometimes state purposes intend to create attacks, and saying you're not allowed to do that will not get the buy in from the people that we actually want the buy in of.  States, for instance.

So, we were very careful to look for language that says, which indicates proportionality.  And, f you look at the text, more or less in the description text, we talk about amass.  And, we believe that botnets are the type of thing has we want to avoid that indicate that last feature of the attack, and the type of attack that we'll create in stability for not just the place where the attack is launched, not the individual, say, home or environment where the botnet is created, but for the larger Internet.

Commandeering is another word of art in this context.  Commandeering is using the device without the knowledge of the user and for the nefarious purposes.  So, that's what led us to create this norm as state and non-state actors should not commandeer other ICT resources, so very broad not only IoT for use as botnets, things that scale, or for similar purposes, because botnets are not the only type of attacks which are scale.  And, we wanted to keep this open-ended in that sense.

>> MARIANA KALJURAND: Thank you, Olaf.

And now we're going to two norms that will be introduced by Chris.  First the norm for states to create a vulnerability for these processes and norm to reduce and mitigate significant vulnerabilities. 

>> Christopher Painter:  Thank you, Mariana.  This norm is meant to address something where we've already seen some good activity.

The basic issue is that Governments, through a number of different means, may come into possession of unknown, un publicly known vulnerabilities.  And, those vulnerabilities can be used for a number of purposes, including for law enforcement ip tell I will gens and other purposes, but they also it might be much more important to disclose those vulnerabilities, because that would lead to greater security of the overall ecosystem, and that is a balance that as you're looking at these, I don't expect Governments do release every vulnerability they find because they need them for law enforcement and other purposes, and they would argumentative au, that that would also enhance stability when they can use them to go after online criminal groups and other, however, we thought, you know, we think that you need to go through that balance, and that balance can't just be the people or the law enforcement and intelligence people, it has to include all the different stakeholders in government, which include, among others, the people who do other aspects of Internet policy, do commercial policy, et cetera.

Now, the United States came up with a vulnerabilities equity process a couple of years ago and refined it again in the last year, which is try transparent process is never going to be transparent about the individual decision, but transparent in terms of who participates and what the procedures are, and expressly made, I think this was a huge move, but the default presumption would be disclosure.  That is what our norm does too, it says states will create frameworks to assess bh*eter and when to disclose not publicly known vulnerabilities or flaws, they are aware of information systems and technologies.  And, importantly the default presumption should be in favor of disclosure.

So, this recognize these some will be withheld, but default of disclosure for network security e and other private see and other purposes is important.  We've seen a number of other Governments begin to also look at this.  I think Canada, the UK and others around the world.  That's a good thing.  We don't expect every government to have the same vulnerabilities equity process but have it spread so this is a best practice I think helps the overall stability of the Internet in total.  So, that is the purpose of that one.

Next.  Now, this norm, the norm to reduce and mitigate significant vulnerabilities, we've had some discussion about norms of restraint for different actors, including the one that dealt with a norm of restraint essentially that actors should not do anything that would essentially affect the supply chain and the manufacturer of devices that would undercut the stability in a substantial way of the Internet.  This is almost a companion piece.  This s look, there is the affirmative putting into products, vulnerabilities, but there is also, and I think we're all recognizing this or cognizant of this, there is lots of vulnerabilities in those products now, and they're not necessarily intentionally, they're there for lots of different reasons, they're there because the code is being very complex, it is difficult to get them all out.  And, what we're trying to do, do this norm and say look, everyone has a responsibility, including the developers or products and services on which the stability of cyberspace depends to take action to prioritize security and to make sure to the maximum extent possible that those vulnerabilities are not there.  That that would, too, contribute to the overall stability of cyberspace.  So, this one reads developers and producers of products and services on which the stability of cyberspace depends should prioritize security and stability, take reasonable steps to ensure that their products or services are free from significant vulnerabilities, and take measures to timely mitigate vulnerabilities that are later discovered and be transparent about their process.

Before I get to the rest of that norm, let me point out a couple of things.  One, it's an expectation they'll both take action to make sure the vulnerabilities are not there, but because we know they may be there anyway, when they discover them, they take actions to solve them and they take those reasonable steps to do that.  So, those things together are important.  And, then when they do disclose that or work with other stakeholders, they do it in a transparent way.

Then, the last part of this norm is that all actors, not just manufacturers and producers all actors have a duty to share information on vulnerabilities in order to help prevent and mitigate cyber activity more generally.

So, those coupled together I think helps create a more secure ecosystem in preventing vulnerabilities that may be out there, the vulnerabilities equity process deals with disclosing them and some other norms deal with other aspects of it.  As a package they hang together.

>> MARIANA KALJURAND: Thank you, Chris.

And, to continue, Arriette will introduce the norm on basic cyber hygiene as foundational defense.

Arriette, please. 

>> Arriette:  Thanks, Mariana.

This norm was developed or developing was led by commissioner Jane Hall, and I'll attempt to present it.  The idea is that defense is vital, and that digital security, digital safety and cyber hygiene is very important component of defense.  And, as a commission we see security as a continuous process with responsibilities distributed amongst all actors and mechanisms and we also feel that automated reporting and information sharing on digital security, digital safety and the use of it is very important.  So, essentially when this norm is, advocating for is widespread adoption of cyber hygiene or digital safety or security, whatever language you use measures at an institutional level, and also widespread capacity building to enable more safe, secure use at end user level and also at an institutional level.

It's not intended to make individuals responsible for their own security.  I think it shouldn't be read that that cybersecurity is your responsibility as an individual user, but it's saying that there is a relationship.  There is a relationship between the end user level, the institutional level, and ensuring that there are sufficient measures in place to protect users’ malicious attacks, from malware, from viruses, and from violation of the secure communications.

>> MARIANA KALJURAND: And, to conclude introductory section, I'm really happy to give floor to Frederick.  Frederick, it's so good to be in Paris again.  And, please, the Norma g*ens defense of cyber operations by non-state actors. 

>> Frederick Douzet:  Thank you very much.  I'm happy to be here, too. 

This is a norm to engage in cyber operations but also have state actors prevent in response to such activities if they occur.

Before I present the norm, I would like to thank Ogere and Jahans to obtaining the norm.

Of course, cyber operations, because of their speed and ubiquity, there often pose difficulties to the State’s judicial system and international law enforcement operations, but despite that, state Sovereignty remains the cornerstone of the international system of peace and security, and as a corollary to their Sovereignty, states have rights and they have a monopoly on the legitimate use of stores force which is bound by international law, but also duties and responsibilities and particularly the principle of due diligence, meaning that states are obliged not to knowingly allow their territories to be used for acts that are contrary to the rights of other states.

And, these two principles really guided the elaboration of these norms.  So, why do we do this norm?  Because there are some non-state actors and mainly private companies that do advocate for the right to conduct offensive cyber operations across national borders, and sometimes they claim that it's in self-defense or that states don't have the capacity to adequately protect them against cyber threats.  Sometimes they refer to the practice as active cyber defense, because they consider that they conduct them for defensive purpose, so that includes, but not limited to hack back.  And, we find also that some states are unable to control, or they just decide to ignore these practices.  And, even though in most states those practices would be unlawful, if not criminalized, there are other states that appear to be neither prohibiting them or neither explicitly authorizing them.

So, and we've also seen that a few states have proposed legislation to allow offensive operations by non-state actors in their domestic legislation.  So, we believe that these practices are likely to undermine the security and the stability of cyberspace and they can provoke serious disruption and damages.  They can also trigger very complex international legal disputes and potentially conflict escalation.

So, we think that if states were to authorize explicitly the conduct of offensive cyber operations by non-state actors it would set a dangerous precedent, and in many cases would breach international law.  So, we believe that offensive measures should be reserved solely to states, and that international law also establishes a very strict and exclude significant framework to international responses to hacks and that applies to cyber operations, as well.

Now, of course you might have states who might decide occasionally to involve non-state actors and ask them to act on their behalf, but in that case, they must be considered as their agents, and therefore they're considered an extension of the states.

And, in addition, we think that states must act both domestically and internationally to prevent offensive cyber operations by non-state actors.  So, to be clear, states should prohibit such conducts in their domestic legislation, meaning that if a state grants such possibilities to a non-state actor, then it may lead to a violation of its international obligations, particularly the principle of due diligence, and therefore in such a situation the state could be considered responsible for allowing the conduct of offensive operations by non-state actors.

And, state also have to enforce this norm to respond, and that could be, for example, to action domestic non-state actors that conduct offensive cyber operations, but they also need to cooperate internationally to investigate these events.

>> MARIANA KALJURAND: Thank you Frederick.

So, those are the eight norms that we are proposing for consideration.  Six in the Singapore, so-called Singapore core package and two from before public core of Internet and electro systems.  We're sometimes accused of being norms factory.  Maybe we can agree to some extent, but what our commission has tried to do, we have tried to see what are the real problems in real life that we have to address when we see that states at the moment are not discussing very much the questions of substance, states are discussing the resolutions and what should be the next way forward in the united nations, whether GG or open-ended working group, today we know that both, but how are they going to work?  What will be there?

I think in that situation, multi staining holders and our commission has a unique role.  We're not going to replace anybody in the first committee or in other organizations, but we can contribute to the discussion and we can keep the discussion going on and help to continue it also in other forms.

Are we going to do any additional norms?  Well, I can't say a hundred percent now, because Chris hates that, but let's be honest and open among friends, because we are discussing also artificial intelligence, so maybe one of the norms we might propose might be artificial intelligence, but that will be somewhere next year.

And, then it's nine.  Maybe we should consider 10.  It's a nice number. 

>> Audience:  (Laughter)

>> MARIANA KALJURAND: But, let's say, the majority of norm making has been done.

So, this is an outreach event, and before I open it to the public, I have already a couple of persons who have registered.

Please, catch my I so that I can give floor to others.

And, first, I would like to introduce Mr. Olivier Crep-Leblond, Chairman organization of ICANN. 

>> Olivier Crep-Leblond:  Thank you very much.  Is this working?

>> MARIANA KALJURAND:   I knew it. 

>> You have to speak very closely.

>> Olivier Crep-Leblond:  Yes, thank you very much for the floor.  I'm going to be very brief, because I would like to actually hear from all the people around the room.  I would like to hear -- I really need to speak straight into it.  Goodness.

I would like to speak to -- I would like to hear about all the people around the room who have watched the presentation of these norms.

I'm quite excited about this.  I'm quite excited for a couple of reasons.  The first one being, that if you're going to address a topic, you first have to address a norm that is sort of the standard, box standard what should be around, what the best practice is when it comes down to this topic.  Evolving a lot in ICANN, many of the times in working groups the first thing we're being told is okay, define this term, define that term, and if there is no definition for it then you don't know what you're talking about, or at least in legal terms it starts to make it a little bit difficult.

So, I'm quite happy to see that now you are addressing, I would say, various different component aspects of the Internet from the core of the Internet itself, but also down to cybersecurity to all the cyber warfare and all the topics that we keep on hearing about, but there is no real definition from them as such.

I can't see a world policeman dealing with enforcing these norms, but that being said, this is the Internet.  This is where name and shame actually work, where you can communicate anyone that doesn't actually adhere to these things, and you can evaluate and you can go further once you've got it defined.  And, the fact that you've defined it is already the first step in being able to actually say wait a minute, you are not adhering to this, you're not following this, what are you doing?  So, I'm thrilled about this.  I think it's just the beginning.  I hope that you're going to continue, perhaps not even adding more norms, but then thinking about what you're going to do next after that.  And, the very fact that we're discussing this here, the group of us here and there are so many people in the room and so on, is a good start.

And I'll just let others speak after that.  Thank you.

>> MARIANA KALJURAND: Well, thank you.

Olivier has a two finger. 

>> Yeah, the way I like to think about this is if we put down a vision, a place to end up with.  I do think that you say the Internet is a place of name and shame.  I do not know whether that is sufficient for transparencies important in this aspect.  When we want to keep people accountable, states specifically name and shame might not be the only instrument in the toolbox.

Has a commission, we have identified, I think that is fair to say that this is an issue has we need to further discussion.  What are the accountability, what are the transparency mechanisms that are available specifically to states that allow responding without further escalation?

>> MARIANA KALJURAND: Sorry, my two fingers here.

Firstly, we really do want feedback.  And, it's amazing to see all these people, the ICANN board members, people from the technical community, Civil Society, Governments.  We want you to comment.

I just want to say that the public core norm is different, I think, from the other norms, and I think you should keep that in mind when you respond.  And, the public call norm is not just about the behavior that we are trying to advocate for, it also implies an understanding of the Internet and of the core of the Internet being a public common resource that we have to have stewardship over.  And, I think therefore it's very important to think of that norm as being more than just a norm.  It's actually suggesting a way for us as an Internet Governance community to think about this core common part of the Internet.

So, just wanted to emphasize that. 

>> Thank you, Arriette.  I know everybody wants to say something, but let's go back to the audience and listen to the interventions, and after that everybody will have a chance to reflect on what has been said.  And, I'll go to the second speaker also from ICANN, Sarah Deutsch. 

>> SARAH DEUTSCH:  Thank you so much.  Can you hear me?  I'm very pleased to be able to join you today on behalf of ICANN and share a few high-level thoughts and congratulate you on a very interesting and valuable discussion thus far.  I think it's very important for the commission to hear from a wide array of different stakeholders, and as you know, ICANN is just one of many different actors who make up the Internet Governance space, although like others, we are potentially affected by the commission’s work.  So, just as you raised, we were very interested to read about the public case of the public core norm, and when it was first published in 2017, and then some of my colleagues in the room here actually were able to participate in the September meeting you had in Singapore.

So, the definition of public core in the draft of earlier this year included the operation of the Domain Name System, and it included registries and name servers and processes such as DNS Sec, and as you know, all these operations are squarely within ICANN, so we are very interested and want to engage in discussions as this moves forward.

ICANN, as I'm sure you can appreciate, is a multistakeholder organization and so we value the work and we note that this work has been based on inputs from a wide variety of stakeholders, as well, so we feel that also reflects a multistakeholder model and that this kind of deliberation on governance of cyberspace really makes sense, rather than a narrower multi-lateral approach.

And, in our highly connected world, having that multi-lateral approach is really a more sensible solution than mandating a single group of stakeholders to figure out how governance should evolve.

So, the evolution of the proposed norm on the public core is also relevant to the current discussions that some of you may be aware of at ICANN about the effects of GDPR on ICANN, including the who is services.  And, who is services, because of GDPR, have changed as a result of European legislation.  So, the reason why I'm raising this is, you know, ICANN has taken its own work to assess where the legislative initiatives are headed and policies and whether national regional or global models will affect the stability security and the inner opera built of the domain name system.  You may find yourself thinking about this issue, as well.

And, as we found with GDPR, even well-intentioned laws and regulations can have unintended consequences.  So, that's why we're flagging that, and in this case the cuts of the redaction of personal data from the who is system.

In the same vein, we were recently involved in current deliberations taking place at the IT plenary in Dubai where proposals were being debated.

To sum up, we look forward to further dialogue along these lines today, and our continued involvement in the important work of this committee.

Thank you.

>> MARIANA KALJURAND: Thank you.  Thank you very much.

And, as you know, one of the commissioners is Vice President of Microsoft, Jan, and really happy to give for to Jan, our good friend. 

>> JAN NEUTZE:  Thanks very much, Mariana.  On behalf of Microsoft, let me congratulate the commission on adopting the Singapore norms package.  I think we have witnessed a revolution in the commission's work and deliverables over the last year and a half, and from our perspective we have been an early supporter and tried to be supportive of the work of the commission because frankly, it is a very important set of inputs that you are able to generate.

What I would say is, you know, we live in a world where not only do we see over 350,000 new types of malware being generated every day, we're also in a world that have over 30 Governments that have developed offensive capabilities in cyberspace, so getting to a place where we have robust governance and robust rules that govern the behavior of those nations, as well as Private Sector actors in this space is really important to us and I think increasingly to our industry.  And, what I would say is that one of the things that would be terrific to see is that the great content that you all are generating finds its way eventually into other for au and other processes such as, for example, the Paris call that President Macron will formally unveil in just about an hour, that does reflect already a couple of the norms that you all developed.

It is great to see the connection there and the impact, frankly, of the work of the commission, but I would encourage the commission to also maybe think about other fora and other processes and processes that you can guide as you mentioned.  Not in a competitive manner, but thinking about the content and the work that's generated here to help steer processes like the newly emerging group of government experts at the UN, like the work in the G7 and G20.  So, there is a lot of runway, I think, for the work of the commission to really have an impact over time.

So, thank you so much.

>> MARIANA KALJURAND:   Thank you, Jan.

And, I would like to give the floor to another good friend of our commission, Jan, please, Minister of foreign affairs.

>> Jan Neutze:  Thank you very much, Mariana.  (Speaking non-English)

So, France is a very important supporter of the global commission on the stability of cyberspace in the beginning, and I would like to really thank you and congratulate you on behalf of the ministry of foreign affairs with regards to the great work that you've done and on the package that was released today.

Obviously we've been following very closely all the work done by the commission over the last almost two years now, and we are very glad to see that a lot of the hope that we had put in this commission are starting to bear fruit because we're really looking at you as a way to develop norms that were not necessarily easily formulated by state only in the state negotiations, so we thought this was a good commission to make other new IDs and international level and I think that is what you managed to do with this great group of commissioners coming from different strands of life and former experiences with former people from government, people from technical community, people from Civil Society at large, and you manage to make those different voices heard and create a package that is quite balanced, because the address the bit of state and non-state actors, and as well as some of also every individual cities and technical community as such.  So, this is very important work, and we wish to offer our support, our support to the meta that you're following, the meta stakeholder approach and the principles that lead the content of these norms.

As you are well aware, and has been reflected in previous speakers, the French President will formally launch the Paris call for trust and security in cyberspace this afternoon, and I think that indeed those two narratives are very complementary to yours, and a lot of your ideas are enthused in our text that is also your text because I've e really contributed to improving it with a lot of different stakeholders, including Microsoft and other people in the entities and I want to thank all the stakeholders that have been involved in this initiative to improve and to give more visibility to these texts that it is our hope we'll give a new visibility to this topic and create some momentum to advance on the number of those topics that are -- haven't been dealt with enough at a high political level.

So, now these norms, they need to leave, they need to be accepted, they need to be respected, they need to be owned by each and every actor that is involved in them, and we are really looking forward for the next train of work of the commission looking at the future and how we can articulate these norms with more general governance, use enforcement mechanism to make sure the norms are used and owned and respected by each actor.

Thank you very much.

>> MARIANA KALJURAND:   Jan, thank you very much.  And, now we open the floor.  And, I have a gentleman here and a gentleman there and gentleman there.

Yes, please.  And, could you please also introduce yourself. 

>> Public:  Hong Kong, thank you very much for this presentation.  An observation and question, if I may.

First of all an observation with respect to the norms, I thought it was very clever that the way you presented them in the sense that you know we will recall the in net is made up of layers of protocols, so the way you've in some sense layered your norms so that the one that is are lower that relate to the physical hardware side obviously has ramifications above.  I think that is a clever way of presenting these norms as digest table to all of us.

The question I have is really beyond the layering of norms that reflects the layering of protocols is really the question of incentives.

So, what is the incentives for countries to -- countries or actors in this space to incentivize, to conform to these norms, and in the event that there are breaches, that those are recognized that the feedback mechanisms are in place for the stability of the systems.

Thank you.

>> MARIANA KALJURAND:   Thank you.  Thank you.

Gentlemen, please. 

>> Thank you.  Josh Gold with Canadian and Houstonian Internet societies.

It seems like these norms transcend the so-called free Internet versus cyber Sovereignty debate focusing on things that are in the interest of all regardless of politics.  While developing these, did you run into any liberal verses ill liberal problems?

I understand that the point was to be A political, but were there any attempts to build norms that you ultimately could not agree upon?



Gentleman next to you, please, and then we go. 

>> Public:  My name is (Indiscernible) and I'm from Internet Society.

On the call to protect the public core of the Internet, the focus is probably on protecting the technical core of the Internet and the infrastructure, and isn't it more important also to protect the core values the way the Internet works and what makes the Internet what it does, so that -- shouldn't that also be included as part of the pursuit of protecting the core of the Internet.  Not only the technical code, but also the core values of the Internet.

Thank you.

>> MARIANA KALJURAND: Thank you very much for questions.

There were a couple of others.  We have three questions, and three will come in the next round.

Let's go.  Who would like to take the questions?  Who would like to start with incentives for countries to confirm, how difficult it is to develop the norms, I can tell you very difficult.  We are having negotiations face-to-face, we're having online discussions for months, and not everybody is happy with the text.  I can tell you that.

But, at some point we just have to finish elaborating, and at some point we have to introduce something, and that's why we open for comments.

And, the protection of core values.

So, who would like to start? 

>> Incentives.  Wolfgang, please. 

>> Wolfgang Kleinwachter:  One question why I have ceased adopted by the IATF are respected by everybody, because it is interest of everybody.  It means if somebody ignores an IFC, it works against him or herself.  And, I think this is the tweak of the norms that we try to formulate the norms, that its interest of everybody to respect the norm, otherwise it would, the person or state or non-state actor would punish him or herself.

You know, it's the hope, reality is different.  You have always bad guys and you know what Olivier said, how to police this, it needs a system probably an organized system of naming and shaming, and to reduce the number of bad guys.  You cannot ex include them, it will continue, so it is a permanent struggle, but the main incentive is really the universal nature of the norms. 

>> Yeah, and I build on that and say that, you know, first a question from the gentleman from ICANN or the observation.  We still have to get people to accept these norms, right.  It's the same for the norms that came out of the group of governmental experts in the UN.  These are not universally accepted so there is a lot of work to do, and this goes to Jan's point, make sure we embed these in other frameworks, talk to other stakeholders, to other government groups, too.  That goes to the incentive point.

It's interesting you're not going to get Governments or parties to agree to norms because they're not in their best in in the long-term.  So, how do we create incentives to not disrupt, button sent tiffs to cooperate in cyberspace to reach that equilibrium.  They have to be in their best interest but then also goes to something we said we need an accountability framework and that is a hard issue, too.  Naming and shame go in my view, there are some parties that can't be named and shamed.  You have to look at the fool *m full tools how do you that.

The last thing, to your point, about do we avoid questions about, you know, differences and opinions on things.

Well, no, but I think a lot of these things do transcend that, and of course we do keep the core values, the last gentleman's point, in mind as we look at all of these things.  We all look at the core values.  That's not in stability per se, but it's something that informs our work just more generally.

>> MARIANA KALJURAND: Thank you for the questions.  I think, you know, the notion of the heated discussion that is we're having really also says something about how serious we are about being multi staying holder, because we among ourselves are kind of like a summary, like a mini ecosystem of different stakeholders.  Not everyone, but I think those discussions already balance out some of the very different starting points and interest that are also to be found globally in society.  So, I was just thinking maybe we shouldn't try to be a norms factory but sometimes does feel like a sweat shop the way we're working.

And, as such, we have permanent links with other initiatives in society with, you know, legislation, with the universal declaration of human rights, with corporate interests, with global variation and perspective.  I mean, when you sit in Asia, you may have a different view of the world than when you sit in a developing Country in Africa, for example, or when you sit in the heart of Europe.  I mean, it's a global Internet, and we want to keep it that way.  I think that that is a core value that we share, to keep the Internet open.  And, that may sound super obvious for this audience, but of course you all are not our primary audience, necessarily.  It's also a matter of linking the technological communities and the more, you know, security oriented national security, national policy, political audiences out there who may not be thinking about the importance of the open Internet every day.  Who may not be from Canada or Houstonian to interesting combine examples.

But, it's difficult sometimes, and if we cannot articulate, for example, liberal democratic values for the inspiration, we indeed as Wolfgang said come to common denominator.  That is why you also see the norms are, I think, formulated in a minimal list stick way, but every word has been thought about.  I think it's important that you all feel how much work goes into compressing a lot of thinking and research that comes and people that share their expertise before us as a commission and then sort of boil it down, literally, to a number of sentences with the hope that that indeed is an entry point for multiple stakeholders.

And, again, we don't claim to have the perfect answers, but we aim to create gravity about which around which people can come together and, you know, the norm then starts to live a life of its own, gets reflected in legislation, globally or gets referenced by academics or is a space where Civil Society can rally around and say, hey, we want to support this norm, and we actually think this is worth pushing for, and we're going to hold to account people who don't respect this norm.  And, that's when, you know, you get gravity of people clustering around an idea, essentially, and that's what we hope to do. 

>> So, these two questions are actually interconnected more than you might think.  There's been a lot of use of the word factory, the notion of authorship, and I think that if I felt like I had authored anything here, I would feel that I had failed.  I feel like when we are doing our job correctly, we are anthropologists.  We are documenting the shared understanding of most of the world, right?  The documents that we are writing down are the least common denominator that just about everybody can completely agree to, right?  Not everybody, everybody, because that's what failed in the UN.  Right?  When everybody, everybody can be there and veto, then you don't actually come to agreement, at least not in the current environment.

So, since Chris hates it when I use the United States as an example of a miss grant, I'll pick on some of the Internet's friends to address why this is important.  With regard to enforce men.

We don't have enforcement of a norm, because the norm is just a documented understanding of what most people agree to.  It's not a treaty, right?  So, another example, not in the Internet space is whaling.  The enforcement of whaling is that any time Japan, Iceland or Norway are trying to get anything else done, it's a little bit more expensive for them diplomatically, because people will say oh, sure, international banking this and that, but what about those whales, right?  So, ideally, we would get to the point where these norms are documenting an important enough understanding of how the world needs to work, that any time the US, Russia or China tried to do anything, everybody else would say, yeah, well sure, but what about the Internet.  So, that's where we hope that things will wind up.  We hope that these documents are clear enough that most of the world can look at them and recognize their own interests represented in these words and say yeah, that's us. 

>> I'm going to try and be short.  You asked a question why are the underlying values of the core not documented?  I was like yeah, why didn't we do that, or did we actually do that?  So, I quickly looked up, and if you look at the public core of the Internet document, its first paragraph says the Internet has changed the world political economic and social growth, more generally, cyberspace promotes communication, commerce, education, human rights and livelihood on every level.  To continue this progress, we believe that stability of cyberspace is essential for the good of humanity new and to the future.

Those are the abilities that the Internet brings.  We have not documented as such what are the values or the -- what is that openness and innovation and so, so at the Internet Society we always talk about.  That is not was we documented.

What we did document was the positive attributes that the Internet brings to humanity, and I think that is something where everybody gets -- can get behind.

Was that 30 seconds? 

>> (Laughter)

>> MARIANA KALJURAND: Yeah, not really.  We have nine minutes.  We have four interventions, and then I ask commissioners very briefly to reflect on them.

Gentlemen, gentlemen, lady, lady.  Gender balance. 

>> Thank you.  My name is Hans Klein.  I'm on faculty of Georgia Tech and currently on the faculty of Princeton University.

I'm coming up to the speed of what you've been doing for a while.  My question might be basic.  I think the work you're doing is terrific and important, but I see -- I'm having trouble seeing the forest through the trees.  I see the norms, each one makes sense, I'm having difficulty seeing sort of clusters of them.

So, I'm wondering, are there -- I'm seeing a consensus, but are there some overarching philosophical differences out there?  Are there some big philosophical differences that you nod navigate that would help me understand the terrain in which you're operating?

I know that, for instance, the GDE there was a divergence, I guess.  I heard the position of Cuba and others, there was a split there.  I talked to – Vennie was telling me today about the Russian and U.S. introduction of various proposals in the context of the United Nations, so I'm wondering, can you tell me a little bit about some of the big pictures, constellations and philosophical differences that are overarching the many specific norms you have here.

Kind of related to that, is your commission, would you say that you're a globally representative group or maybe I see more as a consensus among folks in the west and is there an east/west split and maybe you have one perspective on that.  I don't see anybody from China, for instance.  So, if you would help me on that, I'd appreciate it.  Thank you.

>> MARIANA KALJURAND:   Thank you.  Gentleman over there.  Please. 

>> AUDIENCE:  Good afternoon.  Paul Wilson.  I was in (Indiscernible) last week at the world Internet conference, and the reference in norm 7 to Sovereignty reminded me of the repeated use of the word cyber Sovereignty, and that hit that context, which has been discussed for so many years now as a member of the high level advisory committee I was given the chance to sort of look at the next draft outlook, and it was suggested there that cyber sovereign tee is a concept that has been accepted by numerous countries, and I actually questioned that, and I felt that cyber Sovereignty within this document really was ill defined and we really couldn't say that a concept that had just been referenced, albeit so many times, was well accepted, and I sort of tried to suggest that maybe we were still exploring cyber Sovereignty.  That was about as much as I could do in that context.

My sort of suggestion here or question is whether that term itself could be kind of used, occupied in the work that you're doing, to try and actually find some closer agreement or some state of definition somewhere of what cyber Sovereignty might actually mean in a useful way, because I really think that has been given a huge amount of importance in Wagen (Sp) and sort of left to be sort of referenced and used in a way that I think we could probably help give it some more clarity.


>> MARIANA KALJURAND: Thank you.  Lady over there, and lady over there. 

>> AUDIENCE:  My name is Melinda Klein with Afilili (Sp).  My question is about the interaction of the norms and if you've identified any sort of play in terms of how specific recommendations might be prioritize.

So, by example, well into the future f we've made enough progress mitigating significant vulnerabilities and protecting the public core of the Internet, might that lead to a recommendation of moving more infrastructure and systems in the electoral process online.

>> MARIANA KALJURAND: Thank you.  And, unfortunately that is the last question because we can't go into President's presentation.


>> PUBLIC:  Muriab Back (Sp), thank you for this really important initiative and I like the spirit to reduce the number of bad guys, but at the same time, I don't really believe that we will fully fulfill this aim.

So, I'm wondering if one part of this declaration should not also be something where are the limits of IT.  For the public value and core infrastructures, I think we should discuss if electoral in is useful infrastructure or just be analog.  I would prefer that.

We should also discuss critical interest like water supply and things like this.  Should there be something like an analog back up structure, at least so that we get along at least for some hours or hopefully days.

We have to think about a good combination, and this might sometimes might not be in the interest of IT companies, but it should be certainly in the interest of states to really discuss this and I think it should be part of the norm discussion.

Thank you.

>> MARIANA KALJURAND: Thank you.  Thank you all.

I'll start with the answers and then look at my colleagues.

First of all, big picture.  There is a huge ideological division.  I was twice in the panel of the UN experts, and the ideological division was there.  The benefits, also challenges and benefits like-minded countries.  On the other side, countries who see the use of ICT as a way of interfering into the domestic affairs starting evolutions, brain washing the citizens.  The division is there.  That the real situation in the United Nations, and result of that ideological division are those two resolutions that were passed last Thursday, from I day in the unite e nations.

Are we geographically represented?  I would say yes, because we have commissioners from Berkeley to Beijing, to Johannesburg.  So, yes, we are.  We are a political organization.  That is why we're not discussing information operations.  We're not discussing democratic elections.  We're not discussing state often see.  We are not discussing political questions.  We are a political institution.

Which norms will be prioritized?  It depends on you.  We are proposing and now it's very much depends on those who will either support, make amendments, recommendations, it's now up to international community, everybody.  Governments, industry, Civil Society, academia, institutions, startups, whoever, to support us, and then we can see which norms are gathering more attention and which norms will be more important than the other ones.

And, as to the limits of discussions, happy to discuss water supply, but our mandate is global commission of the stability of cyberspace, and we are operating in the field of peace and security and cyberspace, so that is our mandate.

And now, colleagues, please, who would like to jump in.  We have two minutes. 

>> I'll jump in quickly in just responding.

I think for us as a commission, one of the challenges is do we develop norms that are very aspirational.  None of us want the Internet to be used in any way to create harm, for attack.  So, or do we develop norms that respond to reality, that acknowledges, that in fact states our developing cyber-attack capacities, and how do we have norms that actually can operate in the real-world situation as well as still make a significant value statement about the importance of not harming the Internet particularly the public.  So, I think that is one of our big picture concerns that we have to navigate.

I think similarly the notion of Sovereignty and I think Paul is right, that that needs to be discussed more.

And then finally, I think one of our big picture issues as well, and I think that is what makes us different from many of the other initiatives, like the recommendation from the GGE is we are addressing state and non-state actors, and you will see that some of our norms only address states, some address non-state, some address state and non-state.  That is different, I think.  That's a different way of thinking about norms.  But, at a bringing picture level, that's also quite challenging. 

>> Yeah.  Go ahead. 

>> Yes, thank you.  I just wanted to come back to the whole Sovereignty issue, because I think of course states have very different perspectives on what sovereign tee means in the digital space and there are many challenges to state Sovereignty and to the ability to exercise sovereign powers in the digital space, and of course the question is more acute by -- for states who feel threatened buy in their ability to maintain the stability of their regime than in states where -- that have a supreme ma see of various dimensions of cyberspace.

Now, with regards to your commission, I think we recognize that international law applies po cyberspace and that our system is, our international system of peace and security is still based on the principle of state sovereignty, so it's really with regards with states’ rights and duties that we use the term Sovereignty and a lot of our norms are grounded in the principles of state -- I mean of international law.

Just to go back, the person is gone, no, you're here.  The overarching differences, I think that's what I wanted to answer to the first questions.  I think it's more the overarching agreement that we really work for the stability of cyberspace and the -- we discussed whether we're defending the public core as an infrastructure or the core values that in the end what we want to defend is the ability to do whatever we do that relies on cyberspace and on what the Internet provides to us, and whatever we want to call it, it's what we want is to preserve enough stability so that we can continue to develop our activities over the Internet. 

>> So, very quickly.  We're not trying to boil the ocean.  There is lots of other activities, lots of other initiatives out there dealing with lots of different parts of cyberspace.  We are trying to focus the stability on the stability issue and bring new voice toes that debate.

And, the second thing I would say is I don't dislike the norms.  I'm happy with the norms, but the norms are only part of the larger framework.  So, our work is going to be turning to some of those recommendations, principles, that framework.  We look forward to your input in that, and I'll stop there.

>> MARIANA KALJURAND: Dear colleagues, ladies and gentlemen, thank you.  It was very useful.

You will receive the norms.  Please be in touch with us.  And, I think after this warmup, we are ready to listen to President of France.

Thank you.