IGF 2018 - Day 2 - Salle VI - WS171 Multi-stakeholding cybersecurity in Africa

The following are the outputs of the real-time captioning taken during the Thirteenth Annual Meeting of the Internet Governance Forum (IGF) in Paris, France, from 12 to 14 November 2018. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record. 



>> MODERATOR:  Okay.  We can start and good afternoon, everybody.  Thank you for coming to our panel discussion.  It's the last one of the day, so it's a bit late.  I see there's actually a very good participation, so thank you for being here with us.

     So the panel discussion is around a topic that somehow is considered the best practice in cybersecurity, which is different models of collaboration between the public/private and civil society sector. 

      We are going to approach this issue through the presentation of a case study that was developed by our research associate, Anri van der Spuy, who's here with us, together with Dr. Arlone.  It was done in May, 2018, and then we have a few panelists representing the academia, the private sector, civil society organizations.  And, unfortunately, we do not have government representatives because one of our panelists had to cancel her trip to Paris last minute. 

      Okay.  I would like now to give the microphone to Anri for the presentation of these case studies that, as I said ‑‑ basically we'd just figure the discussion with the panelists and public.

>> ANRI VAN DER SPUY:  So I'm going to talk about why RIA has looked at this.  I think most of you know we've done work on ‑‑ on understanding access and use of internet over a number of years in a number of African countries so why are we suddenly starting to look at cybersecurity?  And then also talking about cybersecurity in general in the African context.

Obviously, we'll be generalizing a little bit. 

     And then talking about mechanisms of collaboration as was mentioned at a case, which is an interesting case for many of reasons.  Where did this research come from?  Basically, as I mentioned a lot on connectivity and promoting sort of meaningful access but with that there's an increasing fear that there's a lot of focus on promoting access but not necessarily on promoting safe and trusted access and making sure that as we connect, remember, in Africa we don't really focus on the harm that might also come with access. 

      In broad strokes, the challenges that as we have the cross‑border nature of the internet and related threats, you have a need for fast response rates and also just massive resources needed to stay on top of technological change, and then these factors, which I've very briefly gone through, are compounded in many African context because there are so few cybersecurity frameworks in place and it's a starting point for the safe cyberenvironment. 

     We face very high levels of digital literacy and also just education more broadly and then also the institutions that we're dealing with and struggle with lack of capacity and also often woe, to be frank, to ‑‑ I mean, we don't believe online/offline banter but if you're dealing with real offline issues such as developmental issues when you have cyberissues and convincing governments those are important, too.

     So we talk about a digital divide paradox and the fear as we talk about promoting access, we have ‑‑ we're leaving people further behind and tied to that when it comes to cybersecurity is the fear that the people who are being left behind and becoming more marginalized are more at risk of cyberthreat, and we also see that with a lot of cybersecurity sort of cyberthreats being tested in Africa for a moment before being deployed in developed countries. 

      If I move on, at the moment the responsibility for cybersecurity lies between governments and private sector.  We see a lot of public/private collaboration in this regard for various reasons.  The governments, obviously, have to take care of their country ‑‑ the kind of citizens from a public sector and private sector, but there's a lot of the critical infrastructure that are crucial in this field often have more expertise ‑‑ their freedom of flexibility.  They don't have the bureaucratic sort of limitations that a lot of governments face when trying to deal with cybersecurity threats. 

      In other literature, we've looked at there isn't a big understanding or a lot of coverage of multistakeholder collaboration which we talked a lot about at the IGF.  There's more talk of public/private partnerships or a little bit more broadly public/private interplays or initiatives. 

      There are pros and cons to both, public/private, interplay and collaborations ‑‑ sorry, interplays and partnerships.  The one ‑‑ the pros being the ability to leverage joint resources and just basically to leverage capacities of the one versus the risks on the other side. 

      Some of the ‑‑ in some incidents, it's easier for private sector to act.  We've seen this, for instance, recently in the North Korea case where Sony was hacked after the dictator film and private sector being able to act ‑‑ whether that's legitimate or not being an issue, and often we see this sort of interplay and one party being able to act ‑‑ filling a gap when the other one isn't able to act. 

      The malicious case, which we selected, is an interesting one; the first being its rank as a top country in Africa and global cybersecurity index and sixth globally in the Mauritius case because it's an island state quite a small island state, so I'm not saying those findings are necessarily, you know, representative, but it's interesting for that reason ‑‑ in the region, the broader African region is playing a larger role in cybersecurity and capacity‑building with a consent of COMESA and SADC it's become a regional hub. 

     For regional capacity‑building and their models are often quite interesting because we've seen them evolve from quite a strict hierarchical public/private partnership to a broader interplay model for cybersecurity within two years, the required ability in making that change in relatively and summarily and be able to do that faster than other African countries can do.  They created a cybersecurity strategy in 2014 and implemented in two years, which is what this graphic is trying to depict. 

     Initially, it was quite hierarchical very clear reporting lines, and it was clear with stakeholders it just wasn't really trusted in approach.  There was a lot of mis ‑‑ lack of information‑sharing between stakeholders.  There wasn't information going ‑‑ going down.  It was only going up.  So as a partnership, it just wasn't working very clearly.  It evolved, as I mentioned, within two years.  It became a much more collaborative approach. 

     If you look at their strategy, they prioritized broader environment of stakeholders.  They don't call it a priority or multiholder stakeholder, but they talk broader ‑‑ stakeholders, including youth and different ministries including broader private sector stakeholders that were involved in the initial phases. 

      Some findings were that a lot of the ‑‑ a lot of the people we interviewed felt it was a step in the right direction.  It definitely was better than the first approach, but there are some fears around the environment falling so fast and how the model is able to adapt to that. 

     Although I think a lot of the fears, which are mentioned by the interviews, are fears, which, I think, are common to lots of other regions, it's not unique to Mauritius or other parts in Africa for that case. 

The risk of dominating parties was frequently mentioned by a lot of interviewees, which, I think, is also common in a lot of other cybersecurity collaborations. 

      Some recommendations we make, which is also in the policy paper, which is lying in the front of the room, is just, broadly speaking, the need for flexibility, the need for vertical and hierarchical collaboration if you think back to that diagram and the need to be more descriptive and proscriptive ‑‑ and we in the paper ‑‑ we don't delve directly into technology in the sense of whether this amounts to multistakeholder or an interplay or an initiative.  We do think it might be valuable to look at that in order to ensure that we have broader participation from civil society and other advocates who could ensure whatever cybersecurity we are promoting in the region is also human rights perspective.

     And I think that's it.  Thank you.

>> MODERATOR:  Thank you, Anri. 

     And this is basically a case study who would like to discuss with our panelists, and I apologize.  I forgot to introduce them to you in my introduction.  And the policy brief was developed also with the assistance of Dr. Ian Brown, and he's here with us, and he's our senior research fellow, currently working on cybersecurity issues.

     So we have in the room Professor Dutton from the Oxford Martin School. 

     We've got Arthur Gwagwa, whose center is in Strathmore University in Kenya. 

     Koliwe Majama, who's a consultant with APC. 

     And then we have Matthew Schears, a director of the Global Partners Digital. 

    And Michael Nelson, Tech Strategy Art Cloud Fair. 

      Okay.  So the first question is for Bill and Arthur, so our representation ‑‑ and the title of the session assumes actually there is a need for multistakeholder in implementation.  But as Anri says, it's not clear because in the literature, we found private/public power placed but not multistakeholder participation especially in cybersecurity. 

     So based on your experience and maybe on additional literature, do you see this kind of partnership emerging.  And if yes, what's driving them?  And how do they look like?  Do they create better incentives for such partnerships to emerge or do you believe we do not need them at all? 

      Professor Dutton?

>> WILLIAM DUTTON:  Thanks for inviting me to comment on the case study, and I must apologize in advance either my comments might be blindingly obvious or dead wrong.  Let me take a stab from what I take from reading the case study, and so forth. 

      One is ‑‑ I think it's a great example of collaboration on cybersecurities capacity‑building.  I'm not trying to flatter you.  I actually think it illustrates what ‑‑ let me just put forward ‑‑ there's a lot of criticism of multistakeholder models and one of the common complaints is that it's often limited to communication and sharing of information rather than we don't have the power to enforce particular aspects, but cybersecurity capacity‑building is directly involved with communication and sharing, and it's really clear that ‑‑ and, in fact, from your presentation just now, it's very clear that you may not have been able to do this had you not had this kind of communication support and sharing during the process. 

     So you have started this hierarchical process and people were distrusting and what's ‑‑ what are they trying to do and so forth?  And over time, it became a more multistakeholder process, and you actually involved everyone, and they began to trust ‑‑ because they began to trust what you were doing and that they were involved in participating, and, so it's really a good illustration of the potential for a multistakeholder collaboration to work in this area, not necessarily all areas, but ‑‑ and it reminds me there are other sorts of conventional criticisms of multistakeholder models, and one is the representation of stakeholders, okay?  So the idea that, you know, these multistakeholder models are going to be dominated by California tech firms and so forth.  Well, come on!  The participants are more local and clearly that just is a ridiculous criticism, and it doesn't apply to many cases of multistakeholder collaboration that really work. 

      Or that the new internet world is going to be marginalized in multistakeholder models, no.  It can be owned by and run by and serve people in the new internet world, which I call the new internet world, the global south in parts of Asia, as well that are some of the newer countries adopting the internet and are doing it in very exciting ways. 

      I know you want me to go fast, but I think we found this also in the ‑‑ I don't know if you want me to stop and come back to some other points or do you ‑‑ okay, okay. 

     I mean, the other point ‑‑ I think from ‑‑ it also ‑‑ at the ‑‑ at the global cybersecurity capacity center ‑‑ I mean, we're also using a multistakeholder model in working through capacity‑building projects and, again, it reinforces what we found that this model is actually very applicable and actually almost necessary in this area. 

      It also, you know, reinforces the point we're learning that geography matters and that one of the things we're realizing to do is in order to scale up and do a more global ‑‑ do more global work on capacity‑building, we're trying to set up hubs in different parts of the world, so that we make sure that it's more locally anchored and not ‑‑ and the global efforts have to be a hub and smoke model or all hubs that communicate with ‑‑ are collaborative with each other, and I guess a final point 'cause I know ‑‑ 

     Hopefully, I can get back in to comment on others' comments, but because this is done by research, ICT Africa, and one of the themes that's come out with me listening to ‑‑ so many suggestions and cybersecurity is the degree of so much discussion on cybersecurity is too far removed from reality, okay? 


>> WILLIAM DUTTON:  I mean, they don't know anything about users, and they don't know anything about the developing world and much less even the developed world.  These stereotypes of the people and the user, and you're on the ground, and you're literally blowing away some of the stereotypes of any given country because you actually know and talk to the people on the ground so much more empirical research.  Qualitative and quantitative needs to be done in this area, so that these stereotypes are not guiding public policy and regulatory responses, but I'll stop there.  Thank you.

>> MODERATOR:  Thank you, professor Dutton. 

      Professor Gwagwa, you have conducted research across a number of African countries on cybersecurity, so do you see these models of more participation emerging in practice or not really or what's your experience?

>> ARTHUR GWAGWA:  Let me start by two case studies.  I was involved in the forensic analysis of the Zimbabwean network we didn't even know who to share the findings with, so that case alone, I think, really showed me there wasn't any coordinated policy at the national level as to what it means, you know, to protect, you know, critical infrastructure because if we disclose that information to the government, probably the government is going to say we are intruding into their computers. 

      And then another example, I was sitting, you know, having lunch, another time, and I meet a judge, a former judge, who said I'm struggling drafting the cybercrime law for Zimbabwe and can you assist me?  And there I gave him advice, and then he said:  The opinion that you have written for me is very good, but I don't really think my principles accept what you said, so you probably need to talk to the government officials, so that also gives me a clue that, you know, the policymaking multistakeholder approach in formulating legislation in most African countries is haphazard in such cases or anecdotes ‑‑ be it other countries, but, I think ‑‑

     Let me just come back, you know, to the paper that was done by, you know, Professor Mueller, which, I think, the difference between cybersecurity and internet governance.  He concludes that, you know, those two ‑‑ there are many elements that are analogous ‑‑ that are similar, but what I'm seeing in Africa is that internet governance is run parallel to cybersecurity, so cybersecurity security issues are done in private, and then internet governance issues that implicate maybe so‑called softer issues things like child protection or agenda and issues that sort of, like, instruction are done in public, so I think we see internet governance policies being ‑‑ running parallel to cybersecurity issues, which are securitized or militarized, but I think ‑‑

     Let me just go back a little bit like in 2014, after the Sony attacks, the incident of security studies brought stakeholders together, which is very good in a summit they're saying is South Africa ready for these challenges, these sort of challenges, and I thought that was a good example of multistakeholder mounting of policies and where should policies go?  What was the enabler of that? 

     What I thought the enablers, the interest at stake, were in trust.  They are banks, protection of children, you know ‑‑ these are issues that command, you know, consensus. 

      And then Number 2, you know, the issue of the African convention on cybersecurity, that ‑‑ that convention could actually be providing a framework for multistakeholder approach at a national level, but why is that not the case because not many countries have ratified that convention. 

     Nigerian, Kenya are powerful, that played a literal role in the formulation of the convention.  And then at the national level the issue that we're seeing is the creation of the cybercrime laws in different African countries were imposed from the ITU, so they were not home‑grown, so there was no multistakeholder consultation at the ground level, which means those laws are coming from the ITU, so people have got no clue, you know, what ‑‑ what we are talking about.  It's just a template, you know, taken from another country being imposed on African countries.

     So you realize that ‑‑ I think once those laws ‑‑ the model laws come within the countries, the aspects of security ‑‑ they are dealt by the military, by the police.  The soft issues are disclosed. 

     Let's take, for example, Kenya, for example.  We see in the cybercrime bill, which is supposed to be the Department of Information, and it being within the limit of security department, you know, the ministry was literally, you know, pushed out, which is why you see that law in Kenya is being heavily contested in the courts. 

      And then it brings me to the issues ‑‑ different approaches to security.  What does security mean?  Security means different things, you know, to different people. 

      When you look at ‑‑ when telecoms, you know, produces cybersecurity reports, it got no mention at all of freedom of expression online.  So when you look at semantic reports, the semantic reports, you know, that is the conceptualization of security from a financial or corporate, you know, point of view.  But for me as a human rights lawyer, I look at security in terms of what freedom of association, freedom of expression and are previously in line, and the ‑‑ it leads to different threat models. 

     My threat model is different from different threat model is different from the government's threat model and what does it lead?  It leads to different approaches, you know, to technologies.  Technologies are being created or imported with political intention by the governments. 

     Let's talk about, say, encryption.  You see a number of African countries being hostile, you know, passing policies that are hostile to encryption.  Zimbabwe, Uganda, for example, let's talk of internet shutdowns, internet shutdowns ‑‑ what you guys are talking about on the internet, you know, this is terrorism, but the ‑‑ on the other hand, no, there's no terrorism.  We want to discuss ‑‑ we want to have, you know, freedom of expression online, so ‑‑ but we're beginning to see consensus is on the issue of digital economy and digital society issues because I think cyber ‑‑ the internet governance or the cyber ‑‑ cyberspace debate in Africa is gradually moving from freedom of expression to a digital economy.  Things like creation of knowledge economies, SDGs, AU agenda and then UNESCO and UNCTDA are pushing that agenda so beginning to see convergence of civil society, the private sector and the government coming together because the digital economy issues are issues that are more that attractive, But the threats for that in conclusion, AI, the good and the bad. 

     In facial recognition technology, we know are bad.  You talk of AI is good and the bad and then ‑‑ and then again, I think, when you're talking of digital economy issues, we cannot have sustainable development.  That is not part of human rights and the officials are beginning to emerge, thank you.

>> MODERATOR:  Thank you, Arthur.  You went beyond the discussion of multistakeholder frameworks, but it's great to see different modes of security for different stakeholders and actors. 

     And, Koliwe, in terms of socialization and cyberpolicy organizations social organizations might play a very important role because they have a different definition of what safety and security is from a governmental and private sector perspective as well but what's your experience of specific organizations engaging with governments?

>> KOLIWE MAJAMA:  Okay.  Thank you so much for that.  I have so much to say, but I think ‑‑


>> KOLIWE MAJAMA:  For civil society, it's the challenge that there doesn't seem to be any norms or standards around collaborating with governments or within a government framework around cybersecurity, and I think the challenge is really about ‑‑ when you're an African national, you have the nation state model versus what would be a multistakeholder cybersecurity governance model.  So when you're out there on your own, as a civil society organization, I think that the more key issues are really around whether it's about the nation or an individual, and I think that a lot of states are grappling with the facts that governments respond to cybersecurity on their own, so it's actually around a conversation that you're having with governments to make them realize or give them more awareness on cybersecurity or ‑‑ yes, cybersecurity affecting the users as well, so it's more around not around the security of the state but human security as well. 

      And then even the platforms that we interact on because ‑‑ and I'm glad that Michael is here because one of the conversations we had at the African Internet Governance Forum is that you have law enforcement agents as well who need to be part of this conversation.  And as a civil society actor, you're either interacting with them because you're working with the human rights or law groupings or lawyers for human rights, for instance, how do you have that conversation with law enforcement agents if they don't actually have the very, very basic information around cybersecurity threats, so lack of a clear framework for that sort of engagement ‑‑ if you don't have an internet governance forum, how are you going to see the responsible minister.  And from my background in Zimbabwe, the law‑making process itself is not made very clear, so you may have a law development commission or the attorney general's office handling the actual writing of the law, and then they would have what would be a multistakeholder engagement forum and throughout the country for selected elite groups.  So how representative are we as we as a civil society as well to adequately seek to cybersecurity issues broadly for everyone?  I think key is what others have just spoken about, about, the African Union Convention because when you look at the fact, Article 27 does actually have a multistakeholder approach in terms of development and also in terms of implementation.  But realistically, the computer emergency response teams and incident teams as well are not that inclusive.  So when you look at the process we went through in Zimbabwe to look at our ‑‑ our ‑‑ what would be our third, it had mostly governments.  It had office of the president.  It had defense, state security, but it didn't have technical people on it.  It didn't even have ‑‑ like human rights representatives or children's rights, women's rights groups, so it wasn't actually as inclusive as it should be. 

     So the challenge really is, do we as civil society actually know the mechanisms ‑‑ who are the right people we're talking to?  And how can we adequately represent the broader user and what should we follow, so that the contributions or conversations we're having ‑‑ whether it's a development level, implementation level, it actually is inclusive.

>> MODERATOR:  Thank you. 

      Matthew, so Global Partners Digital have done some work on multistakeholder participation in cybersecurity and at the same time provides capacity‑building to governmental organizations.  So based on your experience, do you think that capacity‑building is an effective tool for advocating multistakeholder participation?  Does it work?  Can you shed something, you know, across the African continent, for instance?

>> MATTHEW SHEARS:  Thank you very much.  It's a pleasure to be here, so, yes, we do undertake a number of programs to build capacity, and that capacity‑building is around building local ‑‑ local partner expertise in Latin America, Africa and southeast Asia, so we've done ‑‑ and much of that work over the past three years has been focused on cybersecurity and particularly more recently in about the past year or so of ‑‑ or 18 months on national cybersecurity strategy‑building, and I was so pleased to see ‑‑ although you've shown the bullets on this case study ‑‑ but actually, the text itself highlights five key points that you got up in front of me on the text, and I think those are telling because they very much capture the experience that we've had, which talks about collaborative approaches, vertical and horizontal interaction. 

     You listed a number of things that are essential, and so we did a study recently in Mexico, Chile, Kenya and Ghana, and we tried to extract from the commitments that have been made by governments to multistakeholders around cybersecurity, and then we tried to extract what we could in terms of best practices of what was actually done on the ground, and what we found was ‑‑ I would say was ‑‑ a general understanding in those four countries that there is a value in multistakeholder engagement, and there's value in civil society engagement as a part of that multistakeholder engagement. 

     It's important to note that in many countries, multistakeholder means government and multistakeholder, so you kind of have to dig into that a little bit more to get to the point which multistakeholder actually does include civil society and does include more importantly the technical community, so there's a slight differentiation when we're talking about multistakeholder. 

      We found there are many, many commitments from governments to multistakeholderism in the fullest sense of the word, and it goes from the national level down to the national level from strategies from Latin America, and it's translating that commitment into practice that is challenging for a number of reasons. 

      Some of the lessons that we drew from it are very much reflected in the Mauritius case.  What we found ‑‑ there are times when governments will engage the fullest sense of stakeholders, and it often occurs either in a review capacity or in a implementation capacity, so there's a point at which ‑‑ for example, in the national cybersecurity development where you get to an end point of a review process where it gets passed off.  And in approximate study, for example, in Chile and Ghana, there's a process of bringing together a broader sense of stakeholders in the final stage before it went into the adoption stage, and we also find that's true to some degree in the implementation. 

     There's recognition in many of these cybersecurity strategies that civil society and academia play an important part in implementing the strategies and is often characterized as kind of more on the education or the cyberhygiene side and things like that, but there is definitely recognition of that role, so I think ‑‑ and I agree with many of the points that have been said.  I think some of them are really important.

     What's really important here is that for civil society engagement to be ‑‑ to be seen as valuable.  It's very important that there is an understanding of the technology and of the technological issues that are being discussed, and that's ‑‑ that opens the door because then there's a sense of civil society bringing something to the table that's immensely and immediately valuable to government; right?  It's understanding the issue and addressing the issue. 

      The other thing that comes through also is it's often more useful to work across stakeholders in these situations, so the team with the technical community will go in together, and we've seen that's often a successful strategy for getting a variety of issues on the table relating to cybersecurity that doesn't necessarily pigeonhole civil society as human rights, for example or education or something like that, and I think we have a tendency to see in government this desire to kind of silo the stakeholders.  And by siloing the stakeholders, it enables the government to preclude them.  Saying we don't need that stakeholder because they only do education ‑‑ and we're actually talking about cyber‑resilience, but we have to kind of get beyond that kind of ‑‑ the old world looking at stakeholders.

     If you look at civil society now, you've got lawyers; you've got activists, of course; you've got technologists ‑‑  you've got a whole range of individuals that can be brought into those, and that's what we're beginning to see, a reflection that slowly of that appreciation of the importance civil society can bring more broadly into cybersecurity regulations. 

     If anyone is interested, I have the report with me, but there's potential there, but it's very much on a country‑by‑country basis, but there's lots of potential, thanks.

>> MODERATOR:  Thank you for your contribution. 

      Michael, interestingly enough, we recently conducted a study on content‑hosting from an African perspective, and a very interesting finding is that CloudFlare is the main hosting platform of African local content.  So you really have, I think, a very important role that maybe is not well‑known in Africa, but you host the majority of local news websites from Africa.  So considering this important role, what do you think an organization like yours in the private sector should have in cyberpolicy development and implementation and, of course, in addition to incentives related to commercial value of being involved in cybersecurity?  What are the other incentives for the private sector to be a part of the development of cybersecurity?

>> MICHAEL NELSON:  I really must get a copy of that study because there's a fundamental misunderstanding about the word "host."  CloudFlare is in the business of protecting websites not hosting websites.  But the reason people doing the study found us to be associated with those media sites is that when you look up the website, you're pointed to a CloudFlare data center, but behind that data center is a hosting company.  Sometimes it's Amazon.  Sometimes it's a little hosting company in the local area, but we're the front end.  We're kind of the bouncers of the internet.


>> MICHAEL NELSON:  If you come and try to attack a website, we're the big, burly guy who says, no!  And we do this in two ways:  One, we filter out the request for content that are coming from bogus botnets.  I mean, sometimes a small little site gets a million requests a minute. 

     We have an infrastructure that filters that out and the other thing we do, and this is more important is that we take the content from websites, and we distribute it temporarily on 155 different data centers.  9 of which are in Africa, and that number is growing very fast.  We're already in South Africa.  We're in Dijbouti.  We're working to get into Nigeria. 

     Significantly, we are in Mauritius, which is partly a reflection of the fact that they need this more than most people because they're a remote island, although reflection of the fact that very smart people are helping build the infrastructure there and understand the benefits. 

     But by taking content and distributing it to more corners of the world, we not only make sure that content is available, even if there are people attacking it, we also make the bits available more quickly because internet users are going a few hundred miles, not thousands of miles to get the content. 

     But just to be very clear, in general we do not host content.  We are starting to offer a video streaming service that will actually host all of your content and hold it there.  But what we really are is a protection service and a content distribution network, and that's quite different than a hosting company. 

      But that said, we are committed to building out the internet around the world.  We've done a lot with the internet exchange points in Africa and elsewhere.  Still in too many countries to go from one company's network, from one ISP to another ISP, you have to go through France or London, which is crazy, so we're building this network that's much more distributed. 

      The great thing about the service we provide is that it's so much easier to use than a lot of the old technologies where you had to buy yourself a piece of hardware.  We're a cloud‑based service, and so you just get on, and you reconfigure your website and then five minutes later traffic that's coming to your website is instead coming to one of our data centers first. 

      The other good news is it's free, and more than 90% of our computers don't pay us anything, and we don't collect personal data on them.  The reason it works for us is because by protecting ‑‑ by protecting 12 million websites around the world, we learn about where the attacks are coming from.  And over time, more and more people are paying us advanced premium services that uses the information we get ‑‑ the aggregated data we get from the threats. 

      Let me talk a little bit about the study and make two points:  One is ‑‑ I think it's a very useful study, and I think Mauritius is one of those smaller countries that is more emblematic of smaller countries that make up most of the world.  You know, we tend to focus on the big countries.  And often I think the smaller countries emulate what Germany, the U.S. or Brazil or the U.K. have done.  You need a different approach. 

     For the last nine months, I've been living in Cyprus, which is another island.  It's got about a million people.  It's a little bit smaller than Mauritius.  They do not have a CloudFlare data center, but they're going to get one, and I know a little bit about how the politics work on smaller islands now.  The good news is typically, in a smaller country, everybody has two or three jobs, so you have built‑in multistakeholderism. 

      When I went to Iceland for the first time, I met the ministry ‑‑ minister of defense.  He was also head of the chamber of commerce because ‑‑ he was also the head of the largest brewery in Iceland.


>> MICHAEL NELSON:  So he was a multistakeholder man.


>> MICHAEL NELSON:  And I'm sure if you go to Mauritius people, running the phone company are involved running the phone industry and the business organizations, just because they have to be.

     I worked in the White House, in the Clinton administration.  I got there the first day.  We got more done in the first nine months in the Clinton administration than they did in the next 3.5 years because we had half as many people as we needed, so we did the best half‑baked job we could do.  Over time they ended up having two people doing every job, not nearly as good, and in the U.S., that's what we've got. 

We've got so many different groups that think they're leading on cybersecurity ‑‑ even in individual narrow segments you'll have three or four groups that want take the lead. 

     I think Mauritius has the advantage that everybody has got to get together, but I do think you can learn from the model of the U.S. and other countries and realize that there isn't one special network.  I like your diagrams.  I think they do show a healthy evolution to a more person‑to‑person network.  But what I don't like it sort of implies there's, you know, one network and one mechanism, and that's not the case. 

      At the center of ‑‑ there's lots of different networks.  The one that really matters to respond to attacks is the deep geeks, the people who make networks work.  And in most countries, there's just a few companies that are really involved in tracking down attacks and responding to them, but that group is often sort of under pressure to share what they know with everybody.  That's great.  They've got a very important task, which is to know exactly what's going on in the network and respond quickly when something is happening.  They don't have time to tell the whole world and the nontechnical people who might want to know can't use that information, and that information could be used by the attackers to know what responses are being made, and it could be used by other attackers to use the same tools to attack somebody else. 

     I mean, if there's a new attack, you don't want to advertise to the whole world what the attack is until you have a response, so don't assume that better information sharing is always better.  For a lot of the people who are right in the core of the network, they have to trust each other, and they have to share almost everything. 

     We had a piece of legislation in the U.S. called the Cybersecurity Information Sharing Act, and it proceeded from two faulty models.  One was share more information with everybody 'cause that's always good; and the second was, share it with somebody in the government 'cause they'll take it all and put it together, and they'll send you answers.  That's sort of your first model here.  That doesn't work as well as everybody talking to and self‑organizing groups coming around a problem. 

      There are other groups that have to work with the broader I.T. industry, and then there's even larger groups that have to work with all the I.T. users, which is everybody, and I think that's what we should focus on here, and I think the good news is we do have a lot of free tools. 

     We have a lot of new ways of doing business that makes it so much easier that we don't have to spend so much time capacity‑building and, you know, sending people to two‑week courses.  It's a lot easier, but you have to build the I.T. consultant industry in your country and make sure that you're allowing companies and allowing for those services.  That's a random tour.  I tried to be provocative.

>> MODERATOR:  No, absolutely.  Thank you.  Maybe you have some recommendations of different areas of ‑‑ different levels of confidentiality considering on the threat, that disclosing this information actually could create. 

      Before opening up the microphone to the public, I apologize again.  I forgot to thank Sarah and Mozilla Foley, who's with us doing ‑‑ 

     So is there any question or comments from the public ‑‑ I think we discussed so many issues we got only 10 minutes but, Allison?

>> AUDIENCE.  Sorry, mine's really a point of clarification, and I think might not have come through adequately in the paper and also just to give some context to it.  This case study is an ex post facto case study of the Mauritius case, and the iterative form that it took.  Not a capacity‑building exercise as such ‑‑ and I know the Oxford school is planning to have a short one, I think, next quarter and is working with Dr. Ulan Krishna on the ground.  He'll be in charge of that, and he was in charge of the cybersecurity process framework that was put together and as the head of the regulator, so it was done with, you know, very organized policy and regulatory frameworks, which is the way Mauritius operates, and it's competitive regulative, but that's not all. 

     It's not a major collaborative, you know, inquiry process but what they were forced to do was to draw on the incredibly advanced competitive state forces, and part of their discussion was actually ‑‑ knowing they had to draw on the financial sector but also wanting to be in charge as a state. 

     And there was quite a lot of tension there, but they realized they had to ‑‑ but the financial sector, and they had to kind of carve their space as well to build this collaborative relationship, so I just wanted you to provide some of that context.  He's actually done this paper for us.  Some are former regulators and doing the research from the inside and sort of be working on, and he's writing this from the inside and done some subsequent interviews also together with Anri to analyze the process and some of these proposals ‑‑ 

     We propose extending the more public/private interplay to a more multistakeholder thing because we have another situation where there is a level of level of maturity in the banking sector and industry more widely but other countries we are particularly looking at these public/private enterprise where states are weak or fragile and repressed and not cooperating with other people, but there's not often a strong public sector to draw on in that case. 

     And where in the case of Mauritius, there was very civil society participation which we're proposing might have extended it but some of these other countries actually civil society, the technical community in civil society actually had some of the capacity not so much or even in the private sector, so this is why we're sort of thinking about this model, which is seen as a really good success model the way Mauritius goes about getting things done. 

     But in other context how could you use a more multistakeholder approach to show a more safe outcome or trusted outcome?

>> MODERATOR:  More questions or maybe this is an interesting discussion to discuss, to replicate. 

(Speaker Not Mic'd.)

>> AUDIENCE:  I'm Sema, like from the discussion probably much of the our discussion should shift from a value multistakeholder collaboration model is how to do it well.


>> AUDIENCE:  In other words, you can do multistakeholder collaboration, better or worse, and who's in and who's not included and so forth.  But rather than continually questioning multistakeholder approaches, let's figure out how it's done well and having some best case examples perhaps and also some of the ‑‑ every case study will reflect some things who's left out and could have been involved?

>> If I can pile on with that.  I do think this sort of goes without question that we needed multistakeholder process, but the only sentence I had a problem with in this whole paper was the first sentence of the last bullet which says commercial interests should not be the main driver for private sector stakeholders to participate in collaborative cybersecurity efforts. 

      If you count commercial interests broadly, so it's not just how much money are you making by doing a consulting gig, but you count commercial interests as reputation, wanting people to buy your product, you know, maybe corporate social responsibility, which I say think is a commercial interest, then this sentence is wrong. 

     At the end of the day, companies ‑‑ people with resources, and that include governments are going to do things because it's in their interest, and I do think making money is a good interest because it will sustain the process it won't be a grant‑driven project that disappears. 

>> AUDIENCE:  Very small comment.  I think I agree on a different basis after they want to cry a virus attack.  You saw a paper called "Protecting Three Types of Security."  I think, way, way back, they used to talk about two types of security, and now there's three.  That's why you see Microsoft is now pushing for the convention because they have to realize, you know, the state is not adequately protecting commercial interests, so they want to see if ‑‑ if ‑‑ was it a country ‑‑ not only the technology but something falling into the hands of criminals and then with ‑‑ I'm sure I made my point. 

>> I thought you were going to talk about the other triad of cybersecurity, which is confidentiality, availability, integrity and I do think a lot of countries have missed the last two.  It's much more spectacular when 20,000 credit cards are stolen or the prime minister's email or the CEO's email are revealed but not having your website work or not having a critical facility accessible on the net is really serious.  And then is almost as bad, if you have a hospital database altered so my blood type has changed.  That's pretty serious.

>> MODERATOR:  We only have three minutes.  If there's just one ‑‑ yeah, another comment from the public ‑‑ from the public, yeah. 

>> AUDIENCE:  Just in case you don't speak French ‑‑ okay.  I will ‑‑ okay, so I can go in French.

(Speaking Language Other Than English.)

>> We don't have a transcriber. 

>> AUDIENCE:  Okay.  This is a rare problem because Africa is not only English, and so how you manage multistakeholder model with the French part and ‑‑ I don't know if you have English syncing but to realize that Africa is diversity, but if we talk about how to prevent incidence on problems, you have to think about cultural habits of some people ‑‑ people who don't speak English.  Thank you. 

>> MODERATOR:  Yeah.  Sorry for that.  I don't know why there is no translation in the room, so we have only one minute, so we have to wrap up and close unless Matthew would like to ‑‑ you wanted to add something.

>> MATTHEW SHEARS:  Just 30 seconds.  I absolutely agree with what Bill said.  Let's find those multistakeholder models.  Let's highlight them, but there are things that need to be done before we get there.  We still need to build technical capacity.  We still need to build that kind of expertise or range of things that need to happen, so that when civil society and other communities come to the table, that they've got something to offer, and they're valuable and their presence is valuable.  Not simply because they're a stakeholder, but they're contributing whatever the challenge ‑‑ whatever the cyberchallenge or whatever the policy process is. 

>> AUDIENCE:  And maybe just a final, yes ‑‑

(Talking Simultaneously.)

>> AUDIENCE:  To echo that, I must say ‑‑ please forget which country I'm from.  I'm disappointed how little I've seen civil society involved in a lot of debates in the government that I currently work for, and that is the reason why ‑‑ if there's not a major concrete demonstration of value to policymakers, it will be much harder work to get in even though we all understand why it's important. 

>> AUDIENCE:  My name is Mike from Zambia and ‑‑ law enforcement in particular, and just to add on the issue of multistakeholder cybersecurity, it's one great area that is on the advantage of government, why am I saying ‑‑ look at the infrastructure.  Most are in the hands of the private sector.  The government has the upper hand because they are the implementers of the laws, so what happens ‑‑ it's easy for the private sector to sit alone and discuss company profits without anyone from government ‑‑ why are they doing that?  And it's easy again for the government to be on your side when they're on ‑‑ they're discussing cybersecurity matters so meaning in as much trust in between these silos like domestic models is not created, no one who ‑‑ or in other words way multistakeholders collaboration will not be achieved, but it lies in the private sector.  I speak from experience.  We do not have the capacity to handle those crimes, but we have ways of getting from the private sector.  But again, if it's universal, it becomes something else.  But once that body of trust is broken, it will be much easier for the private sector to see a draft policy where it's been discussed without anyone looking like ‑‑ maybe take the information that has been discussed in that meeting outside, and it will be very much easy for government to learn something from the private sector so basically the whole issue borders on trust. 

>> AUDIENCE:  Okay.  Maybe the last comment. 

>> AUDIENCE:  My name is Karen from the Global Cybersecurity Capacity Center, like Bill.  In one of the capacity reviews in Africa ‑‑ but in other countries is that often we have sessions where we interview people from civil society, and I'm talking about different issues in security cybersecurity capacity and often they go one, two, three, four persons in the country that are very strong and can contribute a debate, but there's a very limited number of people. 

     And the other thing the governments often don't know where those people are and those capacity reviews that we do are mostly owned by the government, the government select, like, maps and books for who should be in the room and invite those people and invite those organizations because they know who's in the country because there's only a few but maybe else because they're not ‑‑ there's not more people existing and also ‑‑ so there's always two or three people interviewed in every kind of context, but there might be more, but the governance maybe don't have the relationships with them, and it's often difficult to get the right people in the room, and I can kind of ‑‑ 'cause we did a review in Ghana, and there's one or two organizations who have ‑‑ know everything very well, but it's one organization for the whole country.

>> One good source of information is the U.S. Telecommunications Training Institute.  USTTI has trained more than 30,000 people all over developing countries.  You know, the whole range of telecommunication issues.  I've done some courses on how do you craft a cybersecurity strategy, and you can actually work with them to find some of the expertise that ‑‑ some of the experts they've worked with over the years.  Unfortunately, a lot of them do get pulled into the private sector outside their home country or they get pulled into international organizations in Geneva or elsewhere, and, so there's a bit of a brain‑drain, and that's an unfortunate thing, but the USTTI is a great resource, and they also have curriculum that can be shared.

>> MODERATOR:  Okay.  Thank you, everybody.  I'd like to end the session on what Bill actually said ‑‑ that we all agree there's value in multistakeholder model, so the question is then how to do it actually better?  Thank you and, yeah.  Thank you.