IGF 2018 - Day 3 - Salle II - WS131 Balancing Cybersecurity, Human Rights & Economic Development

The following are the outputs of the real-time captioning taken during the Thirteenth Annual Meeting of the Internet Governance Forum (IGF) in Paris, France, from 12 to 14 November 2018. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record. 



>> KERRY-ANN BARRETT: I wanted to begin workshop No. 131. I wanted to welcome to this workshop. The workshop is on Balancing Cybersecurity, Human Rights, and Economic Development. The topic is a pretty big one in a sense that it does cover a lot of issues that we believe is interrelated.

      The thing that we wanted to look at is in actually doing economic development, a lot of times people don't take into considerations the human rights implications that it could have and often time does have. And also recognizing that government oftentimes looking at cybersecurity, we try to look at the security side of it, try to just ensure that our citizens are safe.

      And on that note, my name is Kerry-Ann Barrett. I'm from the organization of American states. This workshop is being put together with that thinking, with the Global DeSanto, Privacy International, and Karisma Foundation.

      The intro I gave because there's several organizations organizing this. We recognize that this conversation needs to happen and it needs to continue to happen. Recognizing that economic development is where the digital world is taking us in a whole new different way to think about it. With all of the technological advancements and the economy being pushed all other things we normally consider has to come into play.

      I know we have a very, very, very dynamic panel. And I'm really happy and proud about it. We have with us the senior policy officer within the Dutch government, we have William Dutton, a professor. We have Claudio Cocorocchi, the acting head of the Information and Entertainment System Initiative. We have Angela McKay from Microsoft. And Leandro Ucciferri who's an attorney that works on human rights.

      So, if you think about the topic and the panel, we're trying to make sure we're touching on the elements we want to discuss. The structure of the workshop will be that given each of our finalists five minutes to give their perspective on the topic. And then after that, I might ask a series of questions based on your presentation and I'll open it up to the floor to get your feedback. And to have your questions. One of the panelists said please don't make it a monologue. Please let's get the participation of the audience, I'm pleaing to you, please, participate in our workshop as much as you can. It's a very open and relaxed discussion we want to have.

      So, on that note, I think I want to start with Lisa and just give us your play on the topic.

     >> LISA VERMEER: Thank you, Kerry-Ann, giving me the first floor and allowing me to speak here. It's an honor.

      Such a wide topic and urgent topic. But you gave me a hard time deciding on what to focus on. Because all of the three issues are important but also very broad. In the end, we decided to focus on two more overarching aspects from the government perspective. So, the first is maybe rather boring. I thought it would be interesting to you because it's not common to have an insight in how the government is actually organized. I'm quite proud of how we organize in our ministry in foreign affairs but also in the Dutch government, the work on these three angles.

      For example, the team, the task force on international cyber policy within this has three pillars. And those pillars are human rights, international cyber -- cybersecurity, peace and security in cyber space, and developing cyber capabilities. So the three angles are integrated in one team which allows us -- I'm proud to be part of that team from the human rights perspective, to really get an integrated view on what's happening in our weekly exchange with the group but also the regular exchange with my colleagues allows us to have INTERL linkages between the three topics that are not obvious to me. Because we are able to collect the developments that one of my colleagues is talking about. A U.N. cybersecurity. I can add a U.N. rights director immediately. He or she will add to my human rights work with the development work. So, this links all of the work that we do and allows us as employees to really check on this field and all of the challenges that are developing in such a fast pace in a way that it is rather original for a government institution.

     So, I wanted to share this with you. There are government organizations in the Netherlands. It's logical for us to approach everything in a centralized, inclusive way. And the people who work are in main stream economic affairs, foreign affairs. They all aim to -- we have a lot of meetings that focus on specific developments and bring all of the people together. Sometimes it feels we're in this bureaucratic, vicious circle of working together. But in the end, it has an impact because we know what to do. And the illustration to this is our Dutch delegation to IGF, for example, are from the government but the governments are all represented, all of the different aspects are represented and we're here and we're also in other IGF. So, this is something that works very good for us and ensures us as well that we have an impact in the international cyber policy, an actor that matters, although we're a rather small country in the end.

      And the second point I wanted to focus on is inclusiveness and multi-stakeholder operation. I think you have a tremendous panel with all stakeholders present that's a panel. Maybe not all, but at least a broad panel. It's our firm belief from the government perspective that you need to have all of the voices around that you have impactful policy or regulation initiatives with broad support from a broad group of people that really are suspect and therefore will be implemented and will have an impact. You only have good policy if you engage all of the stakeholders.

      This is a firm belief. I wanted to mention it to you because I think I won't go into everything. I made a list myself. I was like, oh, no, it's incredible. The GCCS -- they are all processes. That are -- that we focus on to make it as inclusive as possible. Two of them and the global firm for cyber expertise are explicit multi-stakeholder initiatives that we support financially or in kind in any way. Because that's the only way to have impact. If you look at the multilateral, the IGA or Europe or ITU. We always make sure that we really push for firms that enable participation from civil society, private sector, academic community, and especially from my human rights perspective, I would like to address the fact that civil societies and origins and you don't want civil society and NGOs to participate, but we strive to have them have valuable participation. Not only being there, but really bringing there knowing -- and for example human rights. It has a particular setting that we believe is very intimidating. We have to prepare as well, the civil society groups to have a cooperation.

      Last, I want to mention programming offers. Of course, governments have a lot of impact by finding groups, by being a responsible donor. And one of the initiatives that we found is the global partner s digital with the work on inclusive and multi- staple strategies in several countries. So, we're proud to be able to enable this kind of project.  I leave you with that. I'll look forward to diving to the topics with the panel. Thank you.

     >> KERRY-ANN BARRETT: Thank you. I'll hand it over to Leandro.

     >> LEANDRO UCCIFERRI:  Having a human rights perspective is not incompatible with the economic perspective on cybersecurity development. My role here today is putting away the idea that putting human rights in is not profitable and appealing to investment and growth. So first, referring to the concept that we understand is closer to the human rights approach to sign security is the work that the coalition did with one of their working groups. They define it with the ability and the integrity of information with the underlying infrastructure to have the security of persons not only on-line but offline. It's worth coming back to the concept when we talk about security. It gives us a framework on how to -- how to start thinking on the very development.

      To go in deep in terms of human rights and what we mean by that, well governments, we know they have both positive and negative obligations for human rights, that is to take measures in order to guarantee and exercise as well as avoiding or refraining from carrying out activities that may undermine or interfere with human rights. Businesses as well are bound to these kind of publications. And we have already principles by the U.N. that state the companies and businesses need to avoid contributing to human rights, impact the internal activities, or even prevent or mitigate the human rights impacts that are directly related to the operations, products, services, and so on.

      So, we can talk about specific cases on this, but we can talk about corporations cooperating for surveillance and other cases that we need to take into account. So, going back to -- to cybersecurity policy development, together with charisma and the organization that I worked for, so basically the three organizations in Argentina, Colombia, and Paraguay, we develop together a whole set of documents and a framework to give not only people, but specifically companies as well, guidelines on how to think about cybersecurity through human rights lens. So, I wanted to highlight a few points. Then maybe we can go to the workshop.

      So basically, when we address how companies interact with cybersecurity, we're not only thinking about the need to protect the product or the services or the platform in the very sense of the word "protecting," that is security measures that can be taken technically. But rather to put a human rights approach to that business development. We can think on topics like design that tries to implement a framework rooted within the company's culture that in that way, you can start thinking on how the whole process cares about the people whom you are trying to address by your product or service and so on.

      Also, ethical considerations when talking about the technology call developments that you're putting out to the world. There are a few examples on how to think ethically. And this is related to one other topic that you might have heard before which is, for example, so it's -- you can start -- stop worrying a little bit about data breeches if you minimize in the way the amount of data that you collect in yourself. And the independence on exploiting the users and the data. So, these are few like grave topics that can be taken into account to start thinking on human rights without maybe talking directly about human rights, but rather taking this into account to indirectly start expressing this through your own business developments.

      I also wanted to highlight in that we already have legal frameworks on there. I will say that businesses are powerful human rights obligations, but they're bound to different legal frameworks in the national level, where they were based or even in countries where they operate incorrectly. Or where the users may be based.

      Another topic that can be taken into account when thinking through a human rights lens is also the transparency as a whole, as a cultural approach within the company and how to talk to the people who your products or services are addressed to. So there's been a lot said in terms of transparency reports and the experience of the organizations in Latin America, we see that they are usually the exception. And the companies don't take the transparency reports into account that much. So that is another thing to -- to consider. And how they communicate to the people.

      Also, when we think about the private sector, it's worth noting that it -- when we talk about cybersecurity and the private sector, it's usually the financial sector who's involved. Or you think about the more traditional business sector that not necessarily comprehensive of a concept that also relates to, for example, a news outlet that are also for profit organizations and need to be taken into account in this human rights -- in this cybersecurity space where journalists have their own needs of digital security, protections, and the need to be taken to address also their needs.

      When we talk about having civil society involved in the moll SI development processes, and one of the -- one of the questions that Kerry-Ann wanted us to address as well is how to take into account as well in the debates. I would say it's important to build trust with the stakeholders. It's easy to spot contributions on this topic globally. Where you have them doing surveillance on the civil society groups, and other different groups. So, it's worth taking into account the need to generate trust among the stake holder else.

      And also in terms of being able to listen to their needs, one possible thing that can be done in that is having an independent body, for example, that can talk directly to the civil society groups and allow for that fluid identification and address their needs and concerns and address it from the human rights perspective as well. So, I'll leave it at that. Then I have a few other points that we can address through the debate. Okay, great.

     >> CLAUDIO COCOROCCHIA: Good afternoon, everybody. I hope you're not suffering from workshop fatigue in the monologues. I'm going to keep it short as possible. I work in the international institution focusing on public-private partnerships, we're most famous for our annual meeting that happens every year in Davos. However, every year is where a lot of our work is done and a significant amount of what we should be better known for happens.

      We do have a center for cybersecurity, which is a forum. I'm not here representing that. I won't be speaking about that in detail. What I do at the forum is I find a work-around the economy and information systems. And we take a very systemic view and approach to those let's say those ecosystems and the messages of the different challenges and issues that affect those ecosystems.

      And cybersecurity is one of them that we deal with. And in general, what we've noticed is there is a trend -- this is a private sector of the -- it would be much more conscious and aware of the individual companies' impact on society going forward. There's a societal demand asking -- let's say companies that have more of a social purpose. What we're sealing is the emergence of importance of digital ethics and diversity. What we're going to see in 2018 is taking it that much more seriously, taking care of the digital platforms, especially after some of the scandals that have come up that say infringe on human rights, in particular, personal data management and privacy. I think we see trends towards much more protection, much more care.

      So that's a positive note. I'd like that to leave the group with. Ho through our work, we facilitate ed an organization for DQ institute. It's digital intelligence. If you follow IT stands for and DQ, then digital intelligence is actually a comprehensive set of technical, cognitive, and social competencies that enable individuals to face the challenges and adapt the demand of digital life. So, it's a very comprehensive sort of competencies. Within there, we have this institute has defined eight different competency areas, digital rights, and in particular, digital security and safety.

      So, these are competencies that we have noticed already at a very young age, build concretely. Society needs that. Because particular and personal data and privacy and let’s say freedom of association. These are all things that I think relate to digital citizenship in general. And so what we've been focusing on is this acupuncture point within the system of challenges that if you're able to increase the level of digital intelligence in citizens, then you improve the level of cybersecurity and the impact on human rights. So, again, the systemic approach is what we've been focusing a lot of work on. I'll leave it -- I don't want to continue my monologue and I look forward to discussing at least that aspect of cybersecurity where the rest of the panel. Thanks.

     >> KERRY-ANN BARRETT: Thank you, Claudio. So, just to kind of tie together as we go to Angela's intervention is we think about it from the government perspective that we've spoken about the role that this can play in economic development and policy and even what Leandro spoke about in terms of economic development and increasing the digital intelligence. I think one of the roles that Angela has been playing is that whole public-private sector relationship and how it can be impacted and I think --

     >> ANGELA MCKAY: Thank you, Kerry-Ann, it's exciting to be here at the internet governance forum. This is my first and very clearly starts to represent the kind of integration of security, economic, and human rights that is starting to occur in the ecosystem.

      In my opening remarks, I thought I would highlight how approaches to these Toledo mains are actually evolving and starting to integrate with each other. As Kerry-Ann noted, I will say this briefly about my background because it plays to how I look at these issues, I've been at Microsoft for ten years and I lead our global public policy work on cybersecurity. Before then, I worked supporting the U.S. government in the development of initial efforts. And before that, I was in an engineer for a company that exists in New York called BellSouth, which is now AT&T.

      I say that because those different points of view, both having spent time in the industry, having spent time with the government, and having spent time as an engineer on the technical side of the issues gives me some perspective as I look at the last 20 years of approaching security, economic opportunity, and human rights.

      What I would highlight is in the beginning, these strategies focused on three core principles. Being risk-based, being based in public-private partnerships, and focusing on a series of consequences which notably did not include human rights or digital protection. It really talked about how do you protect national security, economic security, and broadly, public safety. What I find interesting is on a global basis. We watch the policy developments at Microsoft of almost 150 countries on a global basis.

      Whether folks are developing the first cybersecurity policies and strategies or updating them, what I'm finding very encouraging is these strategies now incorporate three additional backers. They are starting to look at not just national security, economic security, and public safety, but human rights, individual rights, ethical considerations, and, as one of my colleagues here noted as transparency and how to improve transparency of government efforts, transparency of industry efforts, and to help improve the digital literacy of the populace so that they can engage in these conversations.

      A couple of things that I would highlight here I think moving forward, ways to continue to drive this integration. Which, by the way, it's not easy. These different folks come from different camps and different expertise in many ways as is represented by this panel. So, you have to find models to help to bring the different points of view together. But ultimately, we're going disturb ultimately, we're going have to improve on how multi-stakeholderism works, how it incorporates more multi- disciplinary backgrounds. So how do you have not only the techies and the policy makers, but also the folks who are representing the more artistic side, understanding human behavior into these conversations?

      I also think it's very important to recognize that how these strategies operate will not be uniform globally. Each different nation as they're moving forward needs to make sure their strategy represents local context in which they are operating. Values are very different in different part PS of the world. How governments worked with society, what society expects of government, how industry operates, and the relationship between industry and government, and the relationship and expectations between industry and society actually differ in different places from the world.

      This is one of the things that I have found so enjoyable about my job. But as I engaged in different places, some people trust the government to take care of issues. Overs more trust industry. -- others more trust industry. Others don't trust either and look for answers to come from a bottom-up context.         

     So, strategies have to make sure they represent local context. They also have to make sure they represent where the country is in version of the digital transformation. There are those who are moving forward with some of the most advanced technology, with cloud infrastructure, machine learning, and artificial intelligence. And then there are also places in the world that are really getting on-line primarily via mobile devices. And these strategies have to MRIRP accomplish -- have to accommodate those differences.

      The last two points, you can implement security and human rights parallel, they're not exclusive. At the same time, there will be tradeoffs. And the tradeoffs are something that the society has to be involved in in making helpful decisions to represent, again, the values of a particular geography and context.

      I think one of the things that is very hopeful and announced here at the beginning of IGF by President Macron is the Paris call. I think one of the things we found very encouraging about that at Microsoft is that the Paris call represents the applicability of international law, humanitarian law, and customary -- customary law in terms of moving forward these rights and opportunities in the digital age. With 51 governments, 92 organizations. It does represent a major milestone in the multi-stakeholder dialogue and we think it's a significant milestone in the evolution of how to include the core values in harmony. Thank you.

      That's a perfect segue if you think about the role that academia plays and research -- Bill?

     >> WILLIAM DUTTON: Let me try to suggest a different perspective on this that is slightly different from what I call an impact perspective.  I like the digital citizenship and reminds me that OECD has a report called the digital security risk management. It's a nice term. But it's all you don't have to use the term cybersecurity.

      The C word somehow that cybersecurity has become a C-word or a why? Because somehow it threatens people. That is, if you have a cybersecurity focus, you're going to stomp on everything else of value, so to speak. Or it throws that kind of wisdom. So, I think that now we're thinking of, okay, when we develop cybersecurity policy, we need to gather multiple stakeholders around the table to make sure that we respect human rights, privacy, and b so forth. And economic development and we don't put any of those at risk in shape in the cybersecurity policy. I get that.

      But, I think everybody -- other people -- we're still -- it's the freedom of expression folks are -- are developing policies with multiple -- let me suggest that a different way of looking at it, which I call the ecology of games or the ecology of policy which is I don't know. There might be a few people in this room that get up in the morning and think they're going to secure the world on the internet. But most people wake up in the morning thinking they're going to do many other specific things. They're going to get their kids to school. They want to sell software. They want to make a living. They have many more concrete goals or they want to fight for equality or they want to support freedom of expression. So even if you think of cybersecurity, you think of how many actors are involved. It's overwhelming in users, policy makers, technical things and so forth. But it's worse than that. Because what we have is you have to think of any given actor is focused on various objectives that may be very different from your own if you're interested in cybersecurity. And they pursue those actions. And so, you have many games going on.

      Trying to support freedom of expression, trying to support privacy, trying to support safety. Trying to support economic development. And so, each of the policy areas have a variety of stakeholders shaping the policy in areas. And the outcome of those efforts shape security. So, security is an outcome of the ecology of gains. That is many different things going on. I think what it means is if you take that on, and, again, I've been thinking of this as -- I was introduced as the professor. As professors do, I've been thinking about it for three decades.

      So the idea Hoff the ecology of gains brings you in to the fact of instead of thinking of the impact of cybersecurity on different outcomes, like economic which we can study and connect those, you have to think of the different -- different people were involved in the different policy sectors and we -- people interested in cybersecurity in an ideal world, they try to follow development in all of these areas. Because you -- if not you need to bring the multi-stakeholders around the table to talk about cybersecurity. You need to be around the table talking about freedom of expression, equality, and all of the other areas.

      Because the outcomes of the other policy debates, the policy choices, we all shape the future of cybersecurity. So, it's a subtle move in that impact and keeps you focused on that limited cybersecurity to a broader view of the whole economy -- the range of policies that will impact security. And how do you get a grasp on all of the actors, the larger group of stakeholders in those gains. It's interesting to think about it. But it's a subtly different perspective that would move us beyond just input from multiple stakeholders to us having a larger scope of interest in many more policy areas in cybersecurity.

     >> KERRY-ANN BARRETT: Brilliant. I think what you're calling for is how to view it from a cybersecurity lens. And I think I wanted to probably take that opportunity to probably ask Leandro, because one of the things you spoke about was ethical development and we also touched on cross pollination even within civil society. That's one of the things, civil society itself, just the freedom of speech, experts working as much as you probably want to work with and doing gender issues and make sure there's a merger at all times. What do you think of this call as the stakeholder even the impact. I'll give it back to you.  

     >> LEANDRO UCCIFERRI: It's a tough question. We put that lens through the human rights we address. It's not talking about digital rights like it's another thing. It's human rights.

      It has been tricky for us as well at least from the organizations that -- if I can just speak from the secular, so be cautious, that we don't work on the grassroots level. So, identify the people and work at the grassroots level and whatever needs is a challenge for us as you mentioned. I'd say that we have taken the approach mentioned on having the holistic view of how to address sign security. Which on our own efforts trying to think of how cybersecurity affects these topics and trying to identify them. And be cautious on what kind of rights are being interfered with through those topics.

      I would say that just do it to highlight again, one of the problems we identified is that it is being used. One thing is because it's being used as everything and anything, we also -- it's also the need that we have to reshape the narrative as well. That's why I started my conversation about identifying what identifies us with a more clear approach to what we need. It's basically protecting people.

      So, I think that needs to be the lens. It's protecting people, not only when they use technology, but when they go to the everyday lives. Because if they're not using technology, the third policies are implemented in the technology, the impact on the people. From the government to the private sector, implementing technology, you probably heard a lot about the developments and how governments are starting to implement the technology to measure people's lives even if they're not using that technology directly. That's what we have to keep in account. It's about protecting people and making sure their rights are safeguarded.

      I would put that out for discussion as well. I would agree in terms of identifying different needs even within the stakeholders. Also, one thing that we need to take this, but it's not impossible but a lot of work.

     >> I want to jump in to Claudio and Leandro, because you're speaking on the focus on increasing the level of intelligence and that's what contributes to the discussion of them being part of this policy development and, Lisa, you mentioned a role of multi-stakeholders and being impactful on regulator policies.  Going to be able to have that impact. I wanted to see if you can have that concept a little bit more? 

     >> I'll say something about being eco-centric. If we -- I'll go back to the -- to the digital intelligence framework that this is about. Because although we have specific areas for development around security and safety, there is, there's companies linking to each other. An example, one area is called digital identity. So, this is about how do you ensure yourself as a user of the internet that your identity is secure? Obviously has an impact on your safety on-line and whatnot.

      So, again, I think DQ is very focused on people. As a result, a lot of the partnerships we are forming are in edge b occasion. So, looking at how to capacity build. How do we make the DQ  something that is -- concept something that is embodied in the classic public education system. But at the same time, to another coalition we formed is intelligence which is the tech industry -- let's say standards and body were also evangelizing and trying to standardize this framework, also cross industry.

      So, when we look at vocational training. We look at corporate -- you know, SOOIP security which is say the corporate environment -- cybersecurity and corporate environment. Data leakage is confident SHLG information. The company, the core competencies are the same. It's perhaps at a higher level, more advanced level. They're the same. They broadly, let's say, relate to everything that's important as well from the cybersecurity perspective. A lot of companies lookout side of security as being something about protecting their intellectual property and their assets and the organization. That is still driven by people. The people in the organizations that create the data loops, that perhaps create the opportunities. So again, going back to the importance of it being people centric, it's to benefit the individuals themselves and the corporations.

      Because if your employees are higher levels of digital intelligence, you as a corporation will be stronger and more protected.

     >> Thanks for the question. I was indeed struck by your turnaround about how to debate.

      Well, bridging the barriers between people in the various fields is very challenging. And to come to progression or from my perspective, policy regulation, you have to make sure first you can talk about the same thing. You address security and you know what you refer to when you say security and, for example, the English language is also -- it's already quite interesting in my opinion because you have safety and security which means something different. But -- (indiscernible) so, in the Netherlands already, you have to make sure that you talk about the same set that we want to talk about. So both if you want the cybersecurity people to engage in other discussions or human rights and not economies and it's this matter of language that you have to overcome to be able to discuss with each other what you actually want to -- want to proceed.

      So, in answer to your question, if you talk about regulation, the process to have regulation and policy. To make regulation and policy requires a very careful, slow, in our perspective, process. Because you have to have the input of all of the various players. That way you can avoid regulation that's in a sense powerful because it's set by states. So, for example, in the EU, there's the governments of the EU are quite hesitant in regulating for example content on the internet. Although it's quite fierce. But there's nothing much in place at the moment. What you see in the rest of the world are various forms of laws and regulations that are launched, such as social media. You name it, it's all of the examples I hear from the people around here all the time that our ways that governments try to break it in quick and often. Very often. By security, national security, cybersecurity, all kinds of intended or unintended consequences that couldn't have been foreseen. So, if you look at the approach that you would say is desirable, it's that if you engage with a lot of people and your processes in your process, of all perspectives, you can map all of the consequences and all of the material. But it's going slow. At the same time, the developments are going fast. It's an ongoing challenge of how to deal with this.

     >> I'm going to ask one more question and open it to the floor. The question is for Angela and for Bill.

      I think starting with Angela. You spoke about security in human rights and I think one of the person that person has been facing is -- from a human rights perspective is government has taken a traditional role of trying to secure. And I think in doing that, it's when the whole issue of when do you infringe on human rights for surveillance. I want to take it even higher, when is it that we'll GE into start thinking about -- begin to start thinking about security and cybersecurity as an ebb abler to be able to empower citizens rather than just trying to protect citizens. Do you have policy proposals on how we think the process. How do we rethink that policy is not just us going out to consult but it's always a complete and true open dialogue where human rights persons would invite cybersecurity persons in the room when they develop solutions for the issues they're facing. Begin to think about your questions. I'll open the floor after that.

     >> You think of I need to protect my citizenry, my enterprises, myself. When will it be more of an enabler. Personally, I'm ideal but I'm also pragmatic. We have time before this happens as my colleague from the Dutch government said. There are positive trends and there are concerning trends going on on a global basis. I think what is positive is all of the news around that are having impacts on the things like the British national health system or that are having attacks is raising the consciousness of enterprises and governments on the security. Brake-break. I think ate the same time, the approaches that are going  on largely are ones where governments are perceiving a need to act with urgency. And sometimes that's not always appropriately inclusive of all of the different values that really accrue reflecting a nation's overall sense of values.

      So, it will -- I think at least in the short term, we're going to continue to see movement that are fairly dramatic and fairly swift in law and regulation. At the same time, I do think that the social consciousness about digital literacy, digital rights, is coming particularly in the younger generations and there is a civic movement saying hold on this, is my digital domain and I will not have it mandated by the government and I myself will have a voice.

      We've been involved in the initiative that has 100,000 signatories on a global basis. Digital citizens for digital peace now. That is where people are saying that's my domain and I'll decide how it will be managed. In the near term, it will be a series of actions that are not appropriate and inclusive of the values and the kind of integration of the rights and opportunities that need to occur. As you start to see young people move in and express their interest, you'll see a change where security becomes to be more of an enabler.

     >> The point about terminology. We have all of these terms if you go across disciplines and departments and different sectors of society. I mean, what is the internet? People have different definitions of that. What is security? What is -- all of these terms are ambiguous. They might be clearly defined by different people but in different ways. You have to enter every conversation not assuming that you were talking about the same thing and finding out what they mean by this.

      We do survey research a lot and we say do you use the internet. They say, no, I use Google or Microsoft, whatever. So, were we used to this the difficulty of communicating? How do we -- how do we implement an ecology of gains perspective that might be helpful?

      And I think that -- let's say what the problem with us not having an ecology of gains perspective is that all of these things are like -- I'm an American. It's all like apple pie. We all want pie. We all want freedom of expression. We all want ethics. I mean, who he's against ethics, who's against privacy? Who's against safety? Economic development. We all want this. So how can you be forced to reconcile these tradeoffs. It's not just looking at, you know, we'll take one bit of that and a little bit of that. It's like -- so, when I did a -- I worked for the UNESCO asked me to help on the department of freedom of expression. Is that what that is? UNESCO's department of freedom of expression.

      And, so, I talked them to looking to freedom of expression from an ecology of gains perspective. That is don't just look at freedom of expression, because, I mean, of course. And everyone says they're for freedom of expression.

      And so, we also need to understand cybersecurity policy and how that might impact on who's -- what actors will -- are impacted -- what decisions are made that might affect the freedom of expression. We need to look at privacy and what will be the interaction of these areas. So, trying to get the department of freedom of expression to not need to departmentalize and embed themselves in, yeah, we -- you know, we -- that they're doing this because they're pursuing security. These people are pursuing privacy, and these things are conflicting in certain areas. And therefore, we have to have a much more holistic view on it. It may seem more words, but it's a step in the right direction of trying to balance these things.

      Otherwise balancing becomes rhetoric, you know? Because if you're still in your department to do X -- you -- you will -- that's what your mission is. You're meant to realize that you in other people and other departments and other objectives following different rules and the success of your gain or your -- your area is going to be dependent on what other people lead to the gains. Not just what you do in your -- -- in your area.

     >> I wanted to open it to the floor. Do we have any questions? Yeah, we have one here? Any other? Okay, any other? Here. I'll take both questions and have the panel respond. Introduce and give a background. We know we're multi- we're cross sectional. But interesting to see who's in the room as well.

     >> I'm from Mexico. I have two fast questions. First, in our country -- in our continent, we have different -- we have United States and Honduras and Salvador, they're very different. With this in mind, it's not possible but you can advise about principles -- the commitment with principles of cybersecurities for American region. In the Pacific? Because I know here in the European union, you have this directive to have all of this -- these principles. Sure, you have some like -- you have two of the cooperatives at the center. So, you have all of the organizers that are working to get at the goals. You have your own -- again, 250, so you are going together to say what? Sorry. It doesn't matter if the government is different, because that could get -- (indiscernible) in our region, we have different governments, every four to six years, we're changing the rules, it's really hard with something like that.

      You think it could be useful to have adversity concepts for social security as Americans? The other question is you have this economic aspect of international security strategies to study that's very interesting. I don't know if we can do that with guidance too. Because the economics aspect of all of the national securities, but it is some issue that we haven't been working on. And it's really important if you're talking about countries that are going to with this development.

     >> Say --

     >> Yes, Connor Sanchez from the Fletcher School in the United States. I had a question for Ms. McKay but anybody on the panel regarding the concept of governments perceiving a need to act with urgency.

      So, over the last three years, an increase on internet disruptions, state-imposed internet perceptions. And there have been some efforts to portray the costs that are inherent in these shutdowns. But I'm -- there's also a digital rights approach. I'm sort of wondering what would be more effective in the long run? Taking the digital rights approach? Or kind of conveying the cost of those events?

     >> I'll open it up to the panel to take whichever one they think they can.

     >> I can just jump in right to the first question briefly. One of the things that we and we -- the three organizations that we work together on this regional project from Argentina, Colombia, and Paraguay, we started to look at the role of regional bodies and specifically and the work they've done through the assistance to the countries and developing cybersecurity strategies and so on.

      One of the things that we identified is that given that there's another body within the OAIS system, the ICHR that basically give their input on human rights. We see there's a lot of room for development in terms of cooperation among the different buddies. So, one of the things we look forward maybe speaking to the digital team is how can we start thinking on these kinds of collaborations where UAS has specifically -- the team and so on, has this expertise of the core technical and security issues and the ITHR who had the human rights perspective on the traditional sense.

      There's a lot of room, especially regionally, in South America and the Americas to work at that level. The IT is quite up for the task and we already as I mentioned briefly in my introduction, we put out a few documents that are intended as guidelines to steer that conversation in that direction. And that can give substantive input for people who want to learn how the processes work and how to start working on them from that human rights lens. And navigating the whole, oh, yes, system. That is one of the things that I wanted to highlight.

     >> Just want to add to this conversation. Perhaps it's my interpretation of your question, so forgive me if I don't answer it properly. And perhaps a personal opinion of mine. So, what I got from your question is can we live in a world where we have two different standards or two different concepts of what is cybersecurity and what is human rights. That's the impression I got from your question? To me, you can't. To me, the purpose of human rights is -- there's a declaration of Universal declaration of human rights because it's based on principles that aren't based on values or ethics that can perhaps can change from country to country. Everyone has a right to privacy. And there shouldn't be countries that have different levels of security and privacy and whatnot. The answer to that is -- my interpretation of the question was, no, I don't think there should be two separate things. When it works for the U.S., it should also work for the other countries in the continent.

      And that's both for cybersecurity and for human rights. As bill said, everyone wants freedom of expression and heightened privacy and freedom to associate and all that. There shouldn't be any in the country or the region that interprets that.

     >> You can have the idea of -- so we can reach better -- because we don't have something specific. We don't have something specific.

     >> We would love to have -- that's something that we -- yeah, we -- that assignment should -- I think that's a role that UAS, with the -- can actually play in the Americas. And we would look forward to having that conversation at least trying to be proactive in collaborating.

     >> Aisle probably let Angela answer her question. Trying not to moderate the panelists. That's why I haven't answered directly yet.

     >> Thank you for your question on -- on how to make what I basically understood how to basically make compelling arguments when governments feel an urgency to act and taking blunt mechanisms like internet shutdowns. I would just say that I think for my both personal sense of values in Microsoft and when it comes to freedom of expression and access, internet shutdowns to me are a very poor approach to thinking about how to manage conflict or strife in a particular area. How do you make a compelling argument is what I heard your question to be. And I think ultimately, a little of it depends on who you're talking to. Where -- what country you're in. What region you're in, and which ministry you're talking to. It plays into this ecology of games discussion, that the arguments that you make with different individuals and different ministries and countries will be compelling in different ways. So, it's incredibly important to think about your audience and what is going to be the set of interests that they're representing.

      Now, I think the most effective argument is to actually think about conveying the set of different impacts that exist. And then highlighting those in the context of the audience that you're speaking to. So, if you're talking to a ministry of commerce, you would say, here are the particular economic impacts. But in addition to that, here are the individual rights that are affected as well.

      And if you're going to talk to the office from UNESSC on freedom of expression, you would say here are all of the rights that are affected but in addition to that, here are all of the economic facts. I think putting the arguments together but making sure you lead with the arguments you're speaking to is probably the most compelling approach.

     >> You have any other questions? Anyone else?

     >> Okay. Hi. I'm an organizational security consultant. First of all, I think it's a big -- sorry for the voice. I think there is a bit of a misleading sentence going around where it says everybody is up for freedom of expression, everybody is for privacy, because maybe around this room, yes but in industry, it's again freedom of expression. So, I think that's needs to be clarified.

      The second thing is a question for Mr. McKay, one of the first obstacles that human rights organizations find especially in developing countries, you want to talk about the economic development is the policy, besides policy, there's access to technology, access to the internet.

      And I know many partners in the industry, they act in programs to support NGOs and human rights organizations. What do you think can be done to further support them? It's not just the access, but as an example, one of the first issues around cybersecurity can bring more malware and use the -- the unlicensed software. So, the moment we take an unlicensed Microsoft Office in Africa and in Asia, they mostly do that, because it's the cheapest. So, I know that corporations have programs to support NGOs, I want to know if you're able to provide these things even more.

     >> So, happy to speak to this. And I really appreciate your question. I think there's a huge amount that corporations do including my own. And yet there's much more to be done in this space. And one of the things that I would even highlight one of our programs that we have been thinking about and some of the evolutions in it. And it is but one program among a multiplicity of programs that are in this space. But it was one that I found really interesting that we worked on refining quite recently.

      We have the initiative called the four Africa initiative. It originally included three core pillars of work. The idea was not to go and do kind of workshop training capacity building but to actually create local capacity and create local demand. So, it included three core pillars, the first as you noted was access. How do you ensure that there is access to not just technology, but access to the internet itself?

      The second was around skills and it was originally digital literacy-type skills.

      And then the third pillar, I thought this was at the time, probably eight years ago, quite -- quite interesting was a pillar around innovation. How do you actually help individuals in regions develop business plans and develop the skills and entrepreneurial skills for innovation, so they would actually start to generate businesses in their environment that could serve local need. So, it was local capacity and local demand.

      What I think is really exciting is that program has gone through a fairly significant innovation whereby in addition to access, skills, and innovation, there's an integration of ethics, security, and -- ethics, security, and -- sorry, I'm forgetting the third piece. Shoot.

      Anyway, the bottom line is it's gone through an evolution that starts to represent exactly what I was saying earlier whereby we're not just focusing on how to get technology into the space, but if you're going to be leveraging technology, how to do it in a way that reflects the security needs of the society. The ethical needs of the region and the third pillar I've forgotten at this exact moment. I apologize for that. I'm happy to take your information and get you more on that.

      But what I would say more broadly is not just my own companies but the companies in general are continually reassessing -- oh, that's it. Anyway, they're continually reassessing how these programs work. What their effectiveness is, and actually changing them and evolving them over time to better represent and better connect with the user base. So, I think that's one of the important things is deliver, learn, iterate, improve.

     >> Bill has an intervention and then I want to ask the panelists to give a one-minute wrap-up on what you want us to take home.

     >> I appreciate you saying how everybody wants freedom of expression. You don't want to restrict somebody else's freedom of expression. But, generally that's a value that certainly -- I've done research in about 20 different countries world-wide about internet users including Mexico and other countries where if you look at internet users, globally, they have an incredibly surprisingly the similar values and interests.

      Part of it is that I think you have to think of the internet as the experience technology. It's not just -- if you experience the internet, you sort of get it. You can realize what you do on-line. And you can realize -- and Mexico -- over half of Mexico is now on-line. And the digital divide in Mexico is a serious problem. But we have millions of users on-line. And it's the -- it's the center of the Spanish-speaking world on-line. And all of a sudden, Mexican educated public and internet users and Mexico are really realizing that they've got a global arena for news, information, and entertainment and so forth.

      And so, all through the global south and east Asia as well, you have -- internet users have similar values. And when they differ, you won't believe this, but it's the truth, in terms of the survey and research that Americans, for example, are less supportive of freedom of expression than many people in the global south. Because they take it for granted. They take the media for granted and so forth.

      And China, there are more people who talk about their politics who use the internet for political expression than people in the United States use the internet for political expression, proportionately.

>> It was not directed at internet users but directed at governments and the industry. Who are really not really everybody for privacy and freedom of expression. Of course, users are one thing. But on the other side, policy makers and industry. The freedom of expression.

     >> I want to support what you're saying, we did research. Not in 20 countries, in six countries, but in each -- the major sort of the major market in each of the different continents, we did the research. We had the exact same results, saying it's surprising about how -- actually it's surprising about how Americans in general care less about privacy and less about use of the personal data and control of the personal data than Chinese, for example, which is viewed as a very, very high priority in terms of what kind of internet freedom they want to have as a user. Very interesting, similar results.

      It's a counselor. So, in any case, just to answer one of your questions, the -- the world economic forum has also an initiative called internet for all, which looks at building essentially providing access to internet infrastructure through partnerships. Through mostly public-private partnerships. And not at all the Facebook model which you know has its own infringements on personal data and privacy.

     >> We're going to do the one-minute wrap-up. Oh, we have one more in the back? Oh?

     >> Hey, I also wanted to just add to what Angela said. A substitute -- what Angela said on the licensing point. If you know it's not a solution through all else. But highly encourage everybody to look at the text group where it's sort of many not just Microsoft, but Amazon and others go contribute a software into it. So, I think that's one vehicle where we try and sort of share as much as we can.

     >> Going to ask Lisa to start.

     >> It's difficult what is really a broad and especially with many things to add. So, perhaps it's the easiest for me to contribute some to the point that you raised and earlier in response to one of the questions about how you got your message across. And the point that you made that you have to take care of who -- who's your audience and how do you bring this over? And what are the set of values?  I agree with that. Would like to lay another layer over the top of it. Is that for example, in the network, it's very important that there's not just a broad set of arguments used, but also a broad set of actors actually bringing the arguments across. Because if you have a combined approach, for example, to Brigitte for violations of freedom of expression and one of the harshest is not very elaborate. But still practiced very often, mostly in the countries and it's still growing, and it's at the moment the analysis -- the coalition against the shutdown which is rather big is that -- rather vague, is you need a set of actors that work together to fight back, push back, prepare towards the governments and towards the countries that are based in a particular country to make sure it doesn't happen and it's out of the menu of options for the government, but also for the private sector.

      Ordering a private actor to act. Both governments, for example, a Dutch government representative in the country together with coalition countries together with the ISB that's strained by the ISB somewhere or Telco-companies. You have to find the partners and all of the different stakeholders to get across a message and the message should be tailored to the particular audience and the set of values that's at that space relevant. So, yeah, let me wrap up by saying that to have an impact on freedom of information on-line, of privacy, it requires elaborate steps at the moment to make sure that the global south and other countries but also in other countries, the trends are reversed. We need to work together and cross bridges. That would be my final word. Thank you.

     >> Yeah, I will be short and sweet. We don't need to reinvent the wheel again. We need to focus on this process to be multi-stake holder but also to focus on openness policy and inclusivity. I think those are key values that need to be taken into account in this process.

      In order for the outputs of the policies to be very comprehensive of the whole different perspectives. And it's discussed by the fellow panelists that in order to get a sense of what are there -- what are those stakeholders' needs, you need to listen to them. You need to invite them on the table and give them the opportunity to collaborate on and so on. I agree with that. I want to leave it at that and invite you all to read the work we put out. We have a lot of documents on this topic. They're in Spanish. Get back with us. We'll give you all of the details.

     >> Quickly on my side, bill built a concept around this ecology of gains. This is the link between cybersecurity and economic development and human rights. 

     >> It's been around more than it should be. This is the systems approach. The last point is that I would encourage everyone in this room to adopt systems thinking in their own work. So, again, you need to look at the whole and not just the pieces when it comes to these kinds of challenges.

     >> There's a key ecosystem while protecting human rights. And human rights are Universal. How those rights are managed and manifest in different places in the world do differ. And then I think that means that what we do is we have had not only digitally literate, but digitally engaged and an engaged society so that the conversation between people, industry, and government can figure out how to reflect those rights and values in the law and systems that are occurring and then how those were managed and manifest reflects the people's will.

     >> Rather than summarize, let me add another point. We've done some real systematic research on the role of cybersecurity capacity in relation to economic development. And I haven't had a chance or -- I forgot to talk about it. But we really can support the fact that the evidence from over 100 countries and using economic data, IT data, and also, the data on surrogate data on capacity building elements, when controlling for the size of the country, the internet users, the wealth of the country, those who have more of the cybersecurity capacity have higher levels of economic development. In other words, it adds an additionality to the -- to the economic development of the country. We're still working on that. We're trying to dig deeper and get better evidence. But from the preliminary work, it's been accepted for publication and there's other work in publication, cybersecurity capacity matters in terms of economic development -- economic development.

     >> And I think I wanted to thank, I think, all of the panelists because I think they've done a tremendous job unpacking this and it's given us room for more topics next year. Because I think from my conclusions to listening to everyone, there's a call for rethinking multi-stakeholders, just the whole idea of the gains makes us rethink it. It's a call for digital intelligence, for meaningful engagement I think which captures the other topics, and there's a call and not from the audience in terms of the question and answered, to consider the role that a regional body could play on Latin America and the Caribbean side in doing something similar to what has happened with Europe in regards to having a standard applicable to all countries.

      So, on that note, I'd like to thank the audience. Thank you that we -- at least Claudio cannot walk away from here and say that we did monologues. So. thank you.