IGF 2018 - Day 3 - Salle XII - BPF Cybersecurity

The following are the outputs of the real-time captioning taken during the Thirteenth Annual Meeting of the Internet Governance Forum (IGF) in Paris, France, from 12 to 14 November 2018. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record. 


>> Good morning.  It's not yet time to start, but we will start in two minutes sharp.  We have 90 minutes allotted and we have to leave the room or stop at 10:40 because there's a session scheduled after us.  Please take your seats and install yourselves.  Those who don't intend to be in the room for this session may I ask you kindly to leave the premises and continue discussions outside.  Thank you.

>> MARKUS KUMMER: Okay.  Let's get started.  I'm Markus Kummer, co‑facilitator.  Ben Wallis.  He's in Dubai attending the plenipotentiary.  Good morning, Ben.  Over to you.

>> BEN WALLIS:  Good morning, Markus, I wonder in the room can hear you.

>> MARKUS KUMMER: We can hear you, but it's rather faint.

>> BEN WALLIS:  Yes, good morning, everyone.  I'm in the ITU plenipotentiary conference.  I'm sorry that I cannot join this session in person.  I look forward to following online over the next 90 minutes.  And producing a report of this session.

I have been honored to be the mag member co‑facilitating this best practices forum for Markus and supporting the work that I have.  And I'm looking forward to hear the draft outputs to what many of you have provided valuable contributions.

Just quickly before you get on to the discussions, I will offer a quick report on discussions here at the ITU plenipotentiary conference.  In the ITU cybersecurities covered by resolution 130 on strengthening the role of ITU in building confidence and security in the use of ICTs.  And on the one hand, there is some positive news.  There has been agreed ‑‑ a substantial amount of new and modified text, which provided new work on cybersecurity issues for the ITU, including some targeted act the ITU providing support for developing countries.

However, there are two main areas of outstanding difference, which are preventing adoption for text.  Firstly there's disagreement about whether to include a decision it update the ITU's Global Cybersecurity Agenda, GECA.  And the other major block is disagreement about whether to resolve ‑‑ that the ITU should start or that ‑‑ it resolve, to start with the urgency the development of an international security on the cyberspace, taking into consideration the work of the ITU sectors.  That's the wording that's being objected to by a number of parties and although the conference ends on Friday, in practical terms, agreement needs to be done tonight in order to allow enough time for translation and formal adoption of the text.  There's no sign of how these issues will be resolved and I expect negotiations to go late into the night.  So I look forward to following things and I will let you get back to the sessions.

Thank you.

>> MARKUS KUMMER: Thank you Ben for that.  And before starting the discussion, let me start introducing people here on the panel.  Next to me is Kaja Ciglic from Microsoft who will be the co‑moderator of the session.  Next to here is Ephraim Kenyanito, from Article 19 and next to him is the Saleela Salahuddin, who has been holding the work from Facebook and he'll talk about the tech cord and next to her, on program you have Alexander Klimburg but he was not able to make it.  He had a family emergency and he's replaced by Louk Faesen.  So these are the panelists.

Before giving them the floor, allow me to say a few words on this session.  The background the Best Practice Forums are the pillar of the intersessional work and this is not just a standalone workshop but the culmination of work that has been ongoing.  Before that, there were two best practice forums, one on unsolicited emails ‑‑ is that better?  Yes?

From 2014, there were two best practice forums on unsolicited emails and c‑certs and after two years they folded up, but it was felt that this was a necessity to continue work on cybersecurity and then this Best Practice Forum on cybersecurity was started.  It started with more definitional role and looking at the different roles of stakeholders.  In the second year, it looked more at the contribution to the SDGs and now in the third year, we look at norms and values in cyberspace.

And when we'll introduce the papers that are our discussion, we received contribution and some of the major contributors are represented here on the panel.  The discussion here is conceived as a final discussion and it will go into the final output of this Best Practice Forum, and we'll also have to look at if there is room for future work.  Should the work continue?  Should the IGF deal with cybersecurity in another way?

But in any case, it is a big issue and all of you here in Paris know there has been the Paris Call.  This is something we may also wish to discuss and address and maybe this may be a focal point for future work.

And to conclude my introduction, just a few practicalities.  We do have remote participation facilities and there have been some complaints that we have not given, paid enough attention to remote participation in the past.  So I would call on those looking at the remote participation to alert us whenever there is a wish to take the floor.  And there is a system on the website.  You see when you click on the website, you can put your name in the queue when you want to talk and the idea was that we give ‑‑ we create a level playing field for those would want to participate remotely, and those who are in the room because obviously, there's a natural tendency to give preference to people who are physically present in the room.  So the cuing system should allow those coming in remotely to come in at the same time whenever necessary.

So with that, I will give the floor to Wim, who will introduce all the documents and then Kaja will moderate the substantive discussion.  Thank you.

>> WIM DEGEZELLE: Thank you, Markus and good morning to all.

As Markus said, I will briefly give an overview of the work BPF has been doing.  I think it's very important to understand that the BPF started working shortly after the previous meeting of the IGF, and brought different specialists and different stakeholders together to discuss this topic on cybersecurity and specific on cybersecurity norms.

There are two draft papers out.  Draft ‑‑ specifically, because there are intended to be discussed at this meeting, and only be published after the IGF meeting, taking into account the discussions here and taking into account other experience, other case studies and examples.

So that both documents can be published.  This year's BPF focused on forms and culture of norms in cybersecurity.  Why?  Because there is observation that norms have become more important as a mechanism in cybersecurity for state and non‑state actors to agree on a responsible way to behave in cyberspace.

Why?  Because it is the evolutions go very quickly and it is clear that the traditional way of law making, or the traditional way of agreeing often goes very slow and very late to take immediate action.

The document ‑‑ the first document describes how there have been alternative challenges to create these norms.  But it immediately comes up with the idea that these norms, these alternative ways are often ‑‑ are often developed in relatively close communities in relatively close groups of different stakeholders, who do not ‑‑ would do not communicate with each other, who really focus on their own specialties and do not involve the others.

Therefore, the BPF started with exploring the field of cultural norms and values in cybersecurity.  What questions ‑‑ like, what norms?  What different types of norms are out there?  Where and in what groups and what fora are they developed?  And what lessons can be learned if you look at the norms and how are they communicated?  How are they ‑‑ how is it made clear that others follow the norm that they were aware of them?

The BPF took also a very important second track and those looking to the question, looking into the question of a possible cybersecurity digital divide.  Starting from the idea, is it possible or is it a reality that in some parts of the world or in some communities or even in communities and countries, some groups of people are just not aware of some secure ‑‑ some security norms or just not ‑‑ just are not aware are not able to follow the norms and that because of that, there exists ‑‑ there is a kind of security ‑‑ a security divide or development divide within the communities.

Roughly what I have said now is published in the first paper that was developed with input from different stakeholders that looks in a more theoretic way to the issue looking for examples.  And the second part of the BPF's work is the call for contribution that went out to everybody in the community, a set of seven questions.

Basically, also intended to test what smaller group had discussed, whether that fits with general opinions and opinions of everyone.

Some of the favorite surprise.  If you ask the definition ‑‑ for a definition of cybersecurity norms, that there are a great number of definitions coming in ‑‑ of responses coming in that are in line with what probably the cybersecurity community will think of as norms in the effect of clear rules or clear guidelines for states, for companies and so on.

But if you have that open call, we also saw a number of different angles coming in, different definitions coming in.  For example, people that focus on the culture of norms and the culture of cybersecurity within a specific organization within a company.  And put that next to ‑‑ next to the more global or general norms we discuss.  A number of different views came in that for example people start talking about norms.  If you ask about norms that people started focusing on end user behavior.  I think there was one very ‑‑ well, one very interesting contribution coming from school teacher, from European country that is more ‑‑ it repeated the question of norms in terms of what kind of behavior do we have to explain or do we have to expect from end users and came up, okay, if you talk about the norms for cybersecurity and you look really at the end user perspective.  And you can come up with very simple things instead of ‑‑ like anti‑malware scanning, like the fact that you have to install updates.

So that's a completely different perspective, I think most of the initial panels were ‑‑ were not immediately thinking of ‑‑ the document also asks for examples of norms that worked well, of some participants or some contributors refer to existing frameworks, one that came up was the NIST framework from the United States and I mentioned it, it was mentioned not only the framework but also mentioned as an inspiration for other countries, for example, Italy that has its own framework that copies or is inspired by the ‑‑ by the US example.

In our contributions, we also asked for concerns ‑‑ concerns and with regard to norms and norm implementation.  Some contributors mentioned that often norms have good ideas, but effective norms are not implemented or not followed.  It has no do with the fact that they are defined, that there is no clear agreement on ‑‑ or no clear understanding of the exact details.  So that is the norm is there.  Everybody agrees but nobody is doing anything with it.

And some other contributors really flag the fact that as I mentioned in the beginning of norms are developed within a specific stakeholder group or within an interstate environment, and that it is very difficult to turn that into a multi‑stakeholder environment, while other multi‑stakeholder environment or multi‑stakeholder support can be very difficult if you want to implement it.

They were a few contributors that pointed out that there is a need for a lot of training and additional research on ‑‑ first of all, to know what is out there already.

And probably that's a lesson that everybody agrees that the interpretation of norms takes time and it doesn't go from today until tomorrow, but it takes time.

And to finish also in the last question, in our call for contributions, was specifically asking whether or not people see digital security divide.  I think most of the contributors agreed that there are ‑‑ either there is a ‑‑ there clearly is a risk to have that kind of divide between ‑‑ either between developed ‑‑ less developed worlds but also clearly between people that are just joining the Internet, that are just moving to the Internet and people that are already longer online.

People that are longer online have in a way been trained and know better or try to know better from experience how to deal with some risks and how to deal with some ‑‑ some security tricks, while people that are now joining really have a steep learning curve and need to ‑‑ need to adapt to a lot of things that's a high level of the contributions.  As I say, we all hope that the discussion today, with the panel and the audience is very fruitful.  So that we can harvest a lot of different ideas that go into the final paper.

Thank you.

>> KAJA CIGLIC: As Marcus mentioned at the mentioned this is a really short remarks from each of our panelists to sort of, I think, maybe highlight some of the contributions and some of the exciting work that has happened, I would say over the past two weeks in the norm development process, whether you look at the Geneva dialogues in Switzerland, whether you look at the ASEAN commitment for the norms.

Whether you look at the UNGG process, and the possible two parallel processes that will be going on to discuss norms in the United Nations system, or whether you look at the Paris call.

I think this is clearly a space where a lot is going on, and ‑‑ but, like, we mentioned, I think there is a perception that there is a lot going on in industry‑to‑industry conversation and not so much in the multi‑stakeholder.  I think this is the one slight exception to it.

And with that, I want to kind of hand it over to Louk to start with, and to touch upon one of those things that I haven't mentioned when I was like, all the exciting things that happened the last two weeks.

>> WIM DEGEZELLE: Sorry for jumping in.  This Best Practice Forum was not here to develop normed but to look at norms that were developed elsewhere and to comment on that.

Pause there was some apprehension at within point that some people thought we were here to develop norms, but that was not the case.  Thank you.

>> KAJA CIGLIC: Thank you.  To talk about the world of the global commission on the stability of cyberspace and the Singapore package.

>> LOUK FAESEN:  Let me introduce myself, my name is Louk Faesen, I work for the Secretariat for the global commission of cyberspace.  Unfortunately, Alexander Klimburg was not able to come as his deputy, I will give a short introduction about the commission and our work on responsible behavior.

The Global Commission on Stability of Cyberspace, GCSC, the acronym for it, was launched at 2017 Munich security conference.  It is chaired by Marina Kalijurand and two cochairs, Michael Chertoff and a deputy security advisor from India Latha Reddy.

We have that commissioners in addition to the three chairs.  They basically come from all different regions and so we have people from Beijing to Chinese, Russia, Europeans, Africans, the US commissioners.  They also represent a different community basically.  The commission is very much focused on international peace and security.  So our mandate is very much focused on developing proposals for norms and policy initiatives in this space with that increased international peace and security.

So think about it within the UN system, for example, it's first committee, those kind of issues.

The members, however, they act independently, so in addition to that, we also have people from the IGF community that function as commissioners and advisors, for example Vint Cerf.

Let me tell you about the organization itself.  It has a research advisory group.  So basically that is constituted by one email list and I encourage you all to sign up to, to basically get feedback on the work the commission and also, you know, develop any proposals or any ideas that you would like to are us to pick up as well.

Now a little bit about the how.  So explaining why this commission was set up.  The reason behind the commission is very much focused on the discussions of international peace and security within this field, are very much done within the first committee or the regional organization for that matter.  For example, the developments within the united ‑‑ the UNGG, as Kaja already explained.

What we see there, that discussion is very much only a ‑‑ a discussion among states, and also a small group of states, for example, the UNGG has 25 members, which are only governments.

What we saw or what we believe in is that this discussion could actually benefit from the expertise and the knowledge and also not only on the content but also on the process from other communities and especially the technical community and multi‑stakeholder processes that reflect the actual state of space, in which civil society manages most of the Internet and political resources of it and private sector develops most of the services and deals with most of the ‑‑ owns most of the critical infrastructure.

So we feel there is an added value of strongly believed that states should not only ‑‑ should actually take in that expertise and the knowledge from the other stakeholders when they are negotiating and talking or discussing about international peace and security in cyberspace.

Which is always strict because in international peace and security, the states have always been the predominant actor, if you look at, for example, treaties arms control or developments in technology, it's always the committee that is most difficult to import and other expertise and other knowledge from other stakeholders.

The commission meets four times a year.  We have two hearings.  The last time that was in Singapore and we invite governments and other outside experts also coming from the technical community, the Internet Governance community and basically, give feedback on the work of the commission and actually consult with us on, you know ‑‑ on, for example, things that we are developing.  One of the those things that came out of that meeting and which we also had things discussed at the IGF on two days ago is the Singapore norm package.  I was asked to give a little bit of an explanation on why did we end up with these norms.

So in addition to the first two norms that the GCSC developed which is on the protection of the Internet, and the protection of electoral infrastructure, the commission decided that some of these ‑‑ some more norms are necessary.  In that sense, it was basically a bottom to top down approach and so what we did is we start with the norms.  That was the first part of our mandate.  So develop norm proposals.

In that sense, it gives a good indication for many of our members to actually identify what is missing in the current, let's say, ecosystem or the current norms that have already been established elsewhere and we are looking at very much inspired by the norms that have already been developed weapon the UN group of elemental experts and other forums as well.  And we think these are the lower hanging fruit and what is to identify or each some kind of stability in cyberspace.

So you can basically sum it up and norms that are ‑‑ which are also submitted and be in our submission for the BPF is that we basically link it in terms of critical ‑‑ often critical for cyberspace, and you can basically fill those up, like, very much at the core of the Internet itself and then you have the electoral infrastructure which is in application much more.

And then basically fill those up along the way and you can put these on that spectrum.

In addition to that, I would say maybe also looking at the developments that, you know, we have seen at the Paris peace forum and also within the UN first committee.  So maybe take a step back on that.  So what is the commission's role or added value in this kind of sense?  Is that ‑‑ what we see is that, for example, there's now two proposals ‑‑ or two resolutions that have actually gone through.  So in addition to the US, the UNGG resolution has been passed.  There's also a Russian proposal, which is about an open‑ended Working Group.

Now the likelihood of ‑‑ of course, it's very hard to determine it at this time already, and what kind of success it will bring or not bring, the likelihood of two countering resolutions, I mean the prospect for success in that is not that great.

So what we see in that sense ‑‑ and also in addition to that, the ‑‑ the involvement or the language that you use of those things of involving other stakeholders.  Not only states but involving non‑state actors and civil society was not as great as we had hoped.  So that's why we believe that, you know, in such a forum like this and other initiatives like what we have seen with the Paris call as well, it doesn't always bring ‑‑ it's not only states that sign it but it was a large group of civil society and companies that sign on to it.  And that's exactly, I think the benefit of these kind of initiatives and also the global commission to bring those discussions of other stakeholders and especially like the technical community and Internet Governance community and inform those deliberations in the first committee.

Maybe a little bit more about the future recognition and up until now we are very much focused on developing norms.  So we have now a collection of eight norms.  In addition to that, it doesn't mean that, you know ‑‑ the ‑‑ the focus of the commission will be focused much more away from norm development and much more towards implementation and also like basically the question of where should they be situated or where are they housed within the larger international peace and security architecture and that's basically what the commission will be focusing on for the next year.

That doesn't mean that, you know, with a small ‑‑ they might still develop one or two more additional norm if, you know, they feel the need or the current developments that they feel the need is there are for such a norm.

And moving forward, we very much look forward to engage with you and also to receive feedback on these norms that have been developed and also on your ideas for further implementation of these normed for actualizing them.  So please feel free to reach out to us, either via your website or email address or approach me afterwards as well.

>> KAJA CIGLIC: Thank you, Louk.  I think the other thing to point out between this particular norms package, traditionally you have norms develop for states in this space, and I think the global commission has sort of reached out a little bit more and continued in the tradition of trying to find ways of putting forward norms that go beyond that, and look at private sector entities as well.

I think that's an interesting intersection.  I think maybe if you could now talk a little bit about from your perspective, from Article 19, on sort of what do you see about your contribution to the BFP, but what do you see as critical issues in this space.

>> EPHRAIM PERCY KENYANITO: Hi, my name is Ephraim Kenyanito.  So our concern has been looking at the ‑‑ basically from a human rights perspective because in my part of the world, cybersecurity laws are used to sneak back in criminal information and other issues determined about infrastructure, but about ‑‑ about protecting someone's individual reputation and other ‑‑ and maybe also trying to protect public officials from scrutiny and criticism and from independent journalists.  So that has been our ‑‑ our concern.

For example, I will give the example of Tanzania, or other parts of the world where I work in.  So for instance in Eastern Africa, we work to Madagascar and other parts within the region and we noticed a trend of legislation whereby there are laws developed which are not human rights friendly.  They are supposed to get us to deal with cybersecurity issues, but then the ‑‑ you end up sneaking in other non‑cybersecurity issues such as prevention of sharing of information over the Internet that would be used to ‑‑ to question public officials.

For example, some countries would not want the official statistics questioned.  Which may be the discrepancies about the official narrative from independent narrative and I will give the example of recently World Bank in one of the countries we work in, for their ‑‑ amending some of their laws and making it illegal to question official statistics.

So that concern is at the international level and this is being brought through the cybersecurity laws.  So our entry point to this convention has been when you are coming up with cybersecurity laws or cybersecurity legislation or norms or policies, it should be human rights friendly, it should not infringe on free speech or independent generalism or bringing other non‑security issues because for us, we have cybersecurity from an infrastructure, and not about the ‑‑ the fake news or criminal information issues.  So that has been our concern, whereby the drafting or the language.

Because cybersecurity is a field where very few people engage other actors, maybe the lack of the interest or the lack of knowledge.  So we just think it's cybersecurity and in that you determine sometimes some things end up being sneaked in, into some of those laws which end up not being very friendly.

And maybe just to give maybe also more example is we were part of a Working Group on cybersecurity, and we ‑‑ they were setting norms in cybersecurity and human rights which we reference as maybe a starting point and given the coalition is a coalition and this is well recognized all over.  And these are maybe the norms we would ‑‑ maybe we start as a good starting point of observations when you are having these conversations with various stakeholders.

And then also something else that we would maybe advocate and we have been trying to advocate is opening up these conversations to be multi‑stakeholder and not just to be single stakeholders because in my part of the world, we have some of these policy making processes are closed to the public, or closed ‑‑ not open to scrutiny.  So sometimes you will have a conversation and someone from Europe or the US or from ‑‑ and they will ask you, when is this law expected to happen?  When is this expected to ‑‑ like, some of these are unpredictable because they are not open scrutiny.  You have to really put your foot in much further than other parts of the world.

So it's just ‑‑ that's what we would emphasize, that more multi‑stakeholder and more human rights friendly are not the rights of independent journalists, just journalists and investigative work and then also cybersecurity research, sometimes it is criminalized to do cybersecurity research, which is not helpful to the public and not helpful even to those institutions themselves or those governments.

So trying to find a multi‑stakeholder way to work in this space, both in cybersecurity research and in order to sneak in other information on cybersecurity laws, I think contributes to the issue and should be legislated in specific ‑‑ in different laws not on cybersecurity.  Cybersecurity laws and norms should be about infrastructure and should be human rights friendly, and should allow for human rights assessments, among other mechanisms.

I think that's how I would open this conversation.

>> KAJA CIGLIC: And I think we would probably have wide agreement on the panel.

I think that sort of highlights some of the challenges that we have seen this international level as well, right?  Because the two different approaches, when you come to a global discussion around what norms could we agree on, and what ‑‑ how do you implement norms and so that's kind of the controversial issue, the two different approaches.

And I think with that, I will go to Saleela to talk and provide an industry perspective and some of the industry initiatives in this space but also to highlight the Paris call that was launched earlier this week in which I think both Facebook and Microsoft supported.

>> SALEELA SALAHUDDIN: Thank you everyone to be here.  It's my honor to be here.  As you can tell, I'm recovering from losing my voice.  I literally have not been speaking for the past 48 hours so I could talk to you today.  So please bear with me.

As Kaja said, Facebook is a very proud member of the tech accord.  As some of you may know, the tech accord is a public commitment among more than 60 global companies to protect and empower civilians online, and improve the stability, the security and the resilience of cyberspace.

As you heard from our panelists today, norms are really tough, because you have different stakeholders and you do have different interests.  And I think the tech accord is phenomenal.  When you say the tech sector, that encompasses so many different equities.  And I'm just going to name a couple.  More recognized, if you will, names of tech accord members.  Microsoft, which is a wonderful leader and I would like to single out Kaja for her amazing leadership in driving many of the tech accord engagements across companies.  Facebook, certainly.  Cisco, CloudFlare, Oracle, Panasonic, Telefonica, fire eye.  And what do we have there?  We have a massive social media company, Facebook, we have a massive software developer, micro soft.  We have cybersecurity researchers, fire eye.  These are all companies with different interests that were joined to go.  And what are the norms that bind us?

There are four and I would like to they're them with you today.  What I would like to single out as you listen to the norms it applies to all of us and we are able to come together, despite our breadth of engagements around the world with our business enterprises because they apply to all of us and they make our businesses more effective and more secure and they make us trust us and use our services, which really goes to the integrity of the Internet within the developed world and also the integrity of Internet and the security of cyberspace for those who are joining that community now.

Number one, we will protect all of our users and customers everywhere.

Number two, we oppose cyber attacks on innocent citizens and enterprises from anywhere.

Number three, we will help empower users, customers, and developers to strengthen cybersecurity protection.

Number four, we will protect each other with like‑minded groups to enhance cybersecurity.

So it's a very high level, but it's profound because it has brought many large and also small companies together under a common umbrella to be united, and I would like to highlight some of the work that we have done collaboratively, since our founding, that really goes to the good impact that we're having already, and that we hope to continue to have.

As I said, we are more than 60 now.  We hope to continue grow and share our values and implement our goals with more partners who share those.

I would like to point out the manners initiative.  The tech accord supports the mutually agreed norms for routing security.  This was an initiative that was launched by the Internet Society to increase the security of the routing system.  And finding technology solutions that would reduce hacking and other risks.  Microsoft is a leader there.  They joined with KPN and BP and I'm proud to say that Facebook is also a member with our network security representatives to promote a safer cloud‑based environment.

We are also big supporters of coordinated vulnerable and this is industry practices that are fixed in terms of policy and practice.  And for example, since August 2018, alone, we have seven additional members to the tech cord, who have already developed, posted and are implementing policies and procedures that are about coordinating the identification and the information sharing of vulnerabilities.  And that goes to protecting cyberspace beyond just the confines of a single company.

Because there is access to information that we have, that once leveraged across our network goes to not only securing us individually but also more broadly and because of the breadth of our users that impacts the globe and I can't underemphasize the importance of that.  And then to speak to the desire to share knowledge and training globally, regardless of whether people are members of the tech accord, we also have an ongoing webinar program and these are really focused not so much on very high level cerebral norms but rather technical education and training.

We have had one‑hour deep dives through these webinars that are ongoing and continuing on very technical subjects as cybersecurity in the cloud, hardware and cybersecurity there, as well as encryption.  And we hope to continue that and deepen those in an effort to make sure that our outreach is not just focused on our membership but globally.

One thing that tech accord is looking forward to as we continue to grow and advance is being part of the multi‑stakeholder collaborator that's addressed by my fellow panelists today.  It's really important to have private sector and civil society at the table with governments and when we talk about discussing and implementing initiatives, whether we talk about respecting norms to bring those equities to the table is essential and that is actually a perfect segue to the Paris call for trust and security in cyberspace.  I think it's very significant that President Macron was here at the Internet Governance Forum to make the announcement of this.

I think this speaks to the world that he's trying to communicate this with and Microsoft did play a leadership role in this.  For that we are grateful.  And Facebook behind the scenes, in talks and developments as Kaja will attest was also part of that conversation.  And the goal here, if I might recap with the Paris call for trust and security, is to prevent and better recover from malicious cyber activities and protect the availability and the integrity of the Internet, cooperate to prevent malign interferences in electoral processes, IE, protecting democracy around the world, which is important, and to work together against ICT enabled theft.  That's something that certainly matters to a lot of companies around the world.

Prevent the proliferation of malicious tools and techniques, increase the security of ICT products and services and cyber hygiene which goes to the individual cybersecurity of the user.  And takes steps to hack back and important to it audience here, work together to strengthen the relevant international norms.

I was very privileged to attend a talk that Brad Smith and others gave the evening of the tech ‑‑ excuse me, the Paris call announcement and I wanted to highlight some points that were made there and who the people were that were making those points.  It goes to the desire for multi‑stakeholderism, among certain members of government and international bodies as well as the private sector.

We had an emphasis on multilateralism being important within the G7 as well as beyond.  We had the importance of the private sector taking responsibility for its role and the collaboration that is needed with other stakeholders.  We had the emphasis on the life cycle of a product.  We talk about security by design, and that is certainly something that I think is and should be enshrined in a lot of these norms that we are seeking to develop and implement.

And importantly, the Paris call is about affirming norms, and it is in many ways an international declaration and about the world's democracies coming together, to sort of support a unified vision of what the Internet and what cyberspace should be after a very wild, wild west period of development of the past 20 plus years and so what the goal is of the Paris call, more than anything, is in a very disciplined, responsible engaged and collaborative way bring together government, civil society, NGOs, private sector, businesses and others to build a movement to create a framework that we can respect within the bounds of the law and within the bounds of what is right for the real world and right for the world of cyberspace.

Thank you.


>> KAJA CIGLIC: Thank you, Saleela.

I think with that, I hope we have given a good overview of both sort of what ‑‑ what is in the actual paper, the draft paper that the group pulled together, as well as a perspective from a ‑‑ the global commission, sort of a multi‑stakeholder initiative, Facebook, the private industry and Article 19, which is one of the representatives of the civil society that engaged in this work.

And with that, I would like to see whether there's questions in the room.  Vlada volunteered.  Maybe you start with the first question.

>> AUDIENCE MEMBER: Thank you, Kaja.  And thank you for all of you for putting up such a great product.  Vladimir from the DiploFoundation but maybe wearing the hat of advisory board of the global ‑‑ and I can promise that we are going to do that next time.  But I think it's relevant to mention the global forum expertise which many of you in the room support heavily, when it comes to particular work to helping the countries to work on their national strategies and to map the capacity building programs awareness raising campaigns, and to enhance the implementation of various standards and so on.

So I wanted to simply ‑‑ the cyber expertise and to promise that we will try to contribute more next year.

Thank you.

>> (Garbled audio).

We have roughly half an hour for a freewheeling discussion before we have to wrap up, and I would like to invite you to comment on what you heard and what you have read on the work of Best Practice Forum, that may be also give you thoughts on the way forward for the IGF, the IGF could or should do in.  In what field of cybersecurity.

We could not have much time to separate the discussions.  So if you ‑‑ if your comments you can also address the way forward issue.  Thank you.

>> KAJA CIGLIC: Sure and maybe we start with the online participation.  So are there others in the room that want to ‑‑ yes, if you could introduce yourself.

>> AUDIENCE MEMBER: Hi.  My question is about the processes that you identified, the DDG and open‑ended Working Group which are clear opportunities to input into high level processes and I was wondering if the BPF has a strategy or thinking of a strategy to input into those processes that could emphasize the multi‑stakeholder approach.

>> KAJA CIGLIC: Maybe I will take a couple of questions before we answer them.  Yeah, go ahead.

>> AUDIENCE MEMBER: I'm Hans Klein of Georgia Tech.  The speaker on the right, on whose name, I'm sorry, I didn't catch.  And you said so far we are looking at norm design in the future, there's norm implementation but in the near term, it's an intermediate step when I would call norm authorization, which is look at authoritative and possibly located in some of these norms or proposed norms and attaching to authorization, authority, which would then lead to implementation.

So I'm excited interested in the near term phase, looking at the international architecture, identifying different kinds of authority.  There's state authority.  There's multi‑stakeholder authority, and there's industrial collaboration authority and so on.

So what kinds of authorities are out there and particularly, non‑state authority is really the most interesting one.  What opportunities are there, aside from the state authorization of norms for other states of authority?  Thank you.

>> KAJA CIGLIC: Is there another question?  So we have three.  No.  So then are there people on the panel would have views?  Co‑panelists have views to answer this question?

>> Panelist:  So maybe addressing that point, in authorization of it and thinking very much we first look at what have other organizations and institutions done and we will beyond them, it's not only DG and it's ISOC which are also very important norms held by Microsoft.  I think that's exactly what we will be doing the next year, exactly looking at like, who are the relevant parties, actually, you know, that should be involved and implementation models and looking afterwards and making sure that everything is adhered to.

For example, we are very much engaged with the IGF and with, you know, ICANN and other organizations and trying to, like, you know ‑‑ they are the ‑‑ the core measures of basically that norm, protecting them.  Not these organizations but also things that they protect and that they handle.

We have also for the ‑‑ we are also very happy that four of our other norms that are in this package, which are in the Paris call for the charter and that way, it's like it's being supported by many other ‑‑ you know, 300 plus organizations, including states and ‑‑ and private sector and civil society.

And in addition to that, we have also, for example, with public board room as an example again, we have seen that ‑‑ within the European parliaments it has been added in the resolution or an amendment as a resolution to become a law.

Of course it has to get approved through the EU process and it's the council that decides upon it as well.  There are a couple of examples in how we are trying to push forward the limitation and wane within the UNGG, or those developments, I think there will be, you know ‑‑ we are very much open to engage what ‑‑ you know, echo what our chair said through our session on Monday, that's ‑‑ the outcome of the resolution and trying to facilitate that multi‑stakeholder development within the committee.  Like I said, we are disappointed in that it's no stronger language in that or no formal mechanisms Yeltsin and trying to pour in that kind of ‑‑ you know, the consultation from those other stakeholders.  We are very much open to continue that discussion and I think maybe within the US proposal, we had the regional organizations and there is' window for which they have that for non‑state stakeholders.

>> KAJA CIGLIC: And maybe to echo that, to your question, I think it's not the ‑‑ you know, whether the Best Practice Forum should engage or it's something we should discuss.  I think it's actually the ‑‑ it's very difficult to engage for nongovernment actors.  And I think the ‑‑ that that has been a disappointment.

I think to your point around authorization, I think ‑‑ I almost don't think you can, like, pull them apart.  You know, the implementation authorization, I think this would almost emerge side by side.  And whether it's a naming and shaming where I feel state ‑‑ when people do not comply with the norms.  And where the civil society, the private actors and other governments call out malicious behavior and that enforces the norm and how that becomes accepted over the time.  It's probably the most likely outcome.  I think we all need to be engaged.

>> PANELIST:  It doesn't have a multiyear mandate.  It gets used year to year.  So this year, we decided to focus on norms, values, and next year, whether or not we don't know yet, but it's definitely something that has been discussed in the IGF context, and they offer multiyear programs and multiyear strategies which will allow the IGF to be more strategic.

This could be an issue for the BPF to discuss on the way forward.  Authorization, I don't think the IGF would have the limit to do that, but it could maybe recommend authorization of any of these proposed normed like the Paris call, but the implementation issue, I could imagine very well an issue to be discussed in a BPF, what does this norm mean actually when you translate it into actions and then have examples.  I don't think the BPF will be well established to develop legal language as such, but it could develop a narrative, what do we mean of this norm, and what should be done or not be done to essentially illustrate what could be done going forward, thank you.

>> Can I have a follow‑on clarification.  In some ways the IGF may face an opportunity, wow, that's unit related.  It's multi‑stakeholder, it's not ICANN.  So if Vint Cerf is the father of the Internet, Mr. Kummer, I think you are the father of the everything.  What can you speculate for the future of the IGF?

>> There are others with me.  It's a collective endeavor but I was involved in the IGF from the beginning.  That is a fact.  Well, I do think this is a great opportunity for the IGF.  We had high level participation at the opening of the Secretary General of the UN for the first time.  He actually was here at the opening ‑‑ his forum, it was ‑‑ the mandate was given to the Secretary General.  He convenes the IGF.  He encouraged the IGF to work, to improve and whatever to be stronger and with President Macron and with the Paris call this is for the sale to take it up and work with all the signatories of the Paris call and future implementation as a possible option forward.

And also, as you know, the IGF has always been staffed of resources.  It's a very minuscule Secretariat and all the proposals made for improving the IGF, they are not resource neutral.  And if industry believes the IGF should be a good ‑‑ and I look to ‑‑ to representatives of very important industry companies, if they think the IGF could be a venue for developing this further, I think they should also put the money where their mouth is.

Let's put it that way.  There is clearly a call for more norms, maybe also for more regulation.  Now, the question is:  How do we want to develop that?  Do we want to develop that in a multi‑stakeholder setting?  As you rightly said, the IGF has the credibility of the link to the United Nations, to the UN Secretary General, the UN has convening power.  It is seen as a neutral platform, but at the same time, the IGF is not a hostile environment.

It allows all stakeholders to come together as equals, which may be in a way, its weakness, as some ‑‑ thank you very much.  But on the other hand, it's also its strength, you are free to exchange opinions without any fear of what you say today may be held against you tomorrow.

So my appeal is make use of this platform that you have, if the IGF fails and discussions will go elsewhere.  As Ben said, there are negotiations on whether or not the ITU should develop a comprehensive treaty on cybersecurity.  If the ITU gets that mandate, that will definitely not be as open an environment to nongovernmental stakeholders as the IGF is to develop these norms further in multi‑stakeholder setting.  These are my comments.

Thank you.

>> KAJA CIGLIC: Are there other remarks in the room?  I would think particularly of ‑‑ we kind of talked about the way forward and it would be interesting to hear whether people in the room or even on the panel, think that the Best Practice Forum of cybersecurity should continue working in this space, whether there are other topics in this area that could be interesting for us to tackle.

You know, implementation of norms was one of them that was raised but cybersecurity is a very broad area of things.

So are there other suggestions and comments in the room?

Alternatively, if you ‑‑ you know if you look at the paper itself, are there ‑‑ I think one of the questions I have for Ephraim earlier was do you make sure that, you know, the norms are reflected ‑‑ the norms that we worked on are not just really driven by the west, I will say, but preserves some of the interest of other stakeholders of the global south while calling for human rights?

>> EPHRAIM PERCY KENYANITO: Yes, just on that, how do you bring on board other stakeholders?  As you have probably are aware, this process, of course, of capacity building, both resources and also ‑‑ both financial and human resource, whereby the building of capacity of experts this is something which partnerships ‑‑ more partnerships need to be developed to ‑‑ to build capacity for you to have more understanding and more input from those stakeholders where the ground, and they are not linked to the global processes on this matter.

And the financial and the human resource.  So basically also getting maybe the experts to also be more involved at the various regional and at the ground level, rather than very high level.

So that's something which should be more work ‑‑ worked on more already and issues with the ITU or the African union or European Union but we need more of those initiatives because some of those initiatives, for example, between 2008 and 2013, before the African union came up with the African union convention, on personal data protection, that ‑‑ there was capacity building or work around that, in coming up with laws and cyber laws and electronic laws across Sub‑Saharan Africa.

But that worked only with the ‑‑ the government officials and security officials and maybe sometimes they didn't have the capacity to fully engage in some of these conversations and these conversations may be worked closely.

And when the first came out in January of 2014 ‑‑ it was not human rights friendly as it was.  And so there was opposition, of course, around that first draft, and the African union and the other stakeholders went back and redrafted it, and came up with a draft in new Equatorial Guinea.  And if you don't involve the public and you don't involve the stakeholders right from the beginning, you come up with drafts or with norms which are not human rights friendly.  They don't focus on the user.  They focus on, hey, I'm President X.  I don't want my time limit to be challenge.  I would want to keep being president for life or my son to be president next or my daughter.

So I don't want anyone using this cyber ‑‑ the cyber things to challenge my authorities.  So that is the kind of laws that come up later if you don't involve the public.  So I keep insisting, multi‑stakeholder, beyond just states and because this is ‑‑ this is for the betterment of the whole ecosystem.  The ecosystem is much better, not just for you, but as this person.  Yeah.

Thank you.

>> KAJA CIGLIC: Thank you.  Are there any immediate reactions on the room?  Are there any ‑‑ I too he will that we have the unique opportunities to be able to gather input from the floor.  Rather than just hear from us.  I mean, we can keep talking but we get to hear from people in the room as well, in terms of, you know, the value of the Best Practice Forum, in terms of cybersecurity as a focal point.  Any views?  Suggestions?

>> PANELIST:  I'm sorry, can I chime in.  I want to pick up on something that was just said in terms of collaboration and I have been thinking about this a lot, in terms of some of the professional work assignments I'm focused on right now around the world.

But one thing that I don't think is really involved right now, in our collaboration conversation is the role of the media in highlighting what is happening under the guise of cybersecurity, of around the world.

To suppress speech to control content, and there are geographies where the media does not have that power.  That power is silenced by the government.  And I think that there is a role for global media to shed light because when you shed light, governments take notice around the world, companies take notice around the world.  Activists and others take action around the world.  And I think as we all contemplate how we collaborate and with whom we collaborate, the role of the media is really important.  And I'm going to append that by saying it's a responsible media that I am thinking about right now.  Not a media that will exploit narratives that are being spread to sew discord and division but a responsible and invested and engaged media that is focused on shedding light on some of these exploitations of cybersecurity norms to advance agendas that suppress people.

I wanted to make that comment echo what was said.  I think that's a critical point, you know, both in terms of the role of the media, but also the role of ‑‑ to your point, the role of capacity building and ensuring that ‑‑ and Vlada's point, that both the journalists and the activists and policymakers, the world actually know and are able to discuss cyber security best practices in terms of infrastructure and not just immediately go to sort of how do we regulate content.

And I hear that the people online have questions.

>> So several good examples where security, stability and resilience of cyberspace have been mentioned, however, protection against the theft of intellectual property is something that concerns me, not because I believe this to be an illegitimate issue but seeking this protection ‑‑ taken in further their goals against other legitimate interests such as freedom of expression, privacy, and data protection.

And could someone on this panel address this?

>> KAJA CIGLIC: So the question is around the freedom of expression and data protection.  Yes.

So anyone on the panel looking at how we balance freedom of expression, data protections and IP laws?

>> EPHRAIM PERCY KENYANITO: Yes, just to go back into that conversation and maybe to reiterate, we would want cybersecurity laws to respect human rights generally.  And about infrastructure and not about content because IP laws, you can amend the copyright laws which are already there.  For example, Kenya is in the process of amending the copyright law to reflect the digital age.

Data protection laws, it's different legal regime from a legal standpoint, the data protection acts are different from cybersecurity acts or the returning transaction acts and it's about infrastructure.  It's about content.  And it's about also mixture ever content and infrastructure.

So from the legal standpoint.  So intellectual property and trademark, those are different regimes.  All of these laws, the Berne Convention has been there.  There's WIPO, different treaties and these ‑‑ these African intellectual property organizations and other different regional organizations which deal with this matter.

We are in the digital age.  We shouldn't likely ‑‑ and all of this work that has been done since the 19th century all of these different conventions have been there on intellectual property and ‑‑ and other legal regimes.  We should just amend what is there and not use cybersecurity as the ‑‑ as a sneak point to bring in new legally restrictive mechanisms.

So that's ‑‑ that's what I would just emphasize on that because we should not reinvent the wheel, there are conventions or laws that our governments have passed.  We just need to amend them an make sure that they are human rights friendly, as mentioned the Kenyan to the act and the similar provision, and instead of bringing this to do the cybersecurity law and because they were meant to convolute infrastructure an content, you missed the point.  Because when you go to court, it becomes constitutional.

I will give the ruling in the Philippines in 2015, some were ruled unconstitutional because similar issues.  I would go back from my legal background that some of these issues going back to court, we would be found based on judges or from a legal standpoint to be unconstitutional and it would infringe on the rights of convoluted issues.  It's about infrastructure and not about ‑‑ it's not about the content.  So that's why we would be ‑‑ we would insist that if you convolute the issues.

That issue is a good one but let's not re‑invent the wheel and that will be helpful if we ‑‑ just learn from what is already there and not ‑‑ yeah.

>> KAJA CIGLIC: Thank you for that.  I think other thing to mention is also at the ‑‑ in a lot of the references in the international level, to IP theft, I think it's less about copyright, but it's more about what we have seen in the last ‑‑ I think not the last couple of years that much but like five years ago where there was a massive, basically hacking, sometimes sponsored by states, to steal intellectual property.  It's was less about copyright.  It's how do you get designs for particular machines and get them to other countries.

I think there was another question online?

>> EPHRAIM PERCY KENYANITO: Just to follow up, Kaja, thank you for that.

And it's a ‑‑ it's a trend that Microsoft and Facebook, that maybe you are noticing and partners in the industry, but maybe my suggestion or the best practice solution is the Berne Convention or the various treaties that are already there on this issue, rather than introducing this through the cybersecurity laws or data protection and others.  Maybe adding amendments to this, and it's very difficult legal journey to be ‑‑

>> KAJA CIGLIC: Generally, I would agree with you.  I don't think that content and that would be banned.  I was adding a perspective.  I agree with you.

Another question.

>> AUDIENCE MEMBER: Can we say that IGF is more of the debate takes place and ITU is where the actual policy making is done?  If yes, how can this be changed to that IGF recommendations are better translated in state and global policies.

>> KAJA CIGLIC: Do people ‑‑ I have ‑‑ again, I always have an opinion, but do people on the panel have views?

So I would say ‑‑ not necessarily.  I think it's ‑‑ it's ‑‑ in cybersecurity, ITU is, I think, still largely focused on capacity building.  There is not so much focused on driving actual regulation.  I think in the telecom space, that's obviously much more the case, but when it comes to cyber, I think so far, they have not really went into that direct ‑‑ gone into that direction yet, which I think is a good thing.

>> AUDIENCE MEMBER: My name is Wesley Gibbons from the association of Caribbean media workers and also the international freedom of expression exchange and this is in response to the concern about media engagement on this issue of cybersecurity.  I think you will find that all the major organizations concerned about media development and the protection of press freedom are very much concerned about the issue of cybersecurity.

In fact, there are hands on training modules that are being developed for journalists throughout the world, to understand the issue better and also to understand that as media, there are subjects and objects when it comes to the issue of cybersecurity.

One of the problems that has emerged is the relationship dynamics between media and other stakeholders because I think sometimes there's a mistaken impression that media workers, media practitioners can provide the service of an uncritical conduit for the flow of information between and among the various stakeholders and that has not always been the case.  There's no guarantee that journalists are not going to be critical, that are not going to investigate the details of it and are not going to see self‑interest as being part of the work that they are doing in this particular area.

>> KAJA CIGLIC: Thank you for that intervention.

>> AUDIENCE MEMBER: First of all, President Macron, mentioned the legislation and regulation, and how would you think ‑‑ I just want to hear your opinion, whether it be BPF about that.

And then secondly I come from IGF, not just me but there are so many IGF around world, and I found that each country has workshops every year and then ‑‑ workshops in their own country about the service.  Why don't you do best practices and reflect their kind of ideas and refer to each company, which are supposed to be published.  Then you can take ahold of the ideas from all over the world about the strike balance and freedom and then the data protection.

That's my suggestion.

>> KAJA CIGLIC: Thank you.  So the ‑‑ any comments on the question ‑‑ the Macron's call on regulation?

>> SALEELA SALAHUDDIN: I will take the second question.  I hear you.  I think that that notion of conversations being had all over the place in fora and then in countries and then within businesses, and where do you go with all of that?

And I return to the tech accord that is something that is an example of marrying those conversations with actual action.  And the fact that we have grown to be more than 60 global companies around the world, I think shows a desire to start putting things into action.  And I think, yes, there's certainly frustration among stakeholders would might not feel that a lot of action is being had, but I just wanted to emphasize that there is action actually being taken in a leadership role and in a collaborative way by the tech cord on many of these norms that fit under the four broad umbrellas that discussed earlier.

I think what is significant is that these actions are taking place across the entire spectrum of cybersecurity from a policy side, from a technical side and otherwise.

So that ‑‑ that concern is heard and I think that there are broad global initiatives underway such as the tech accord to address that.

>> KAJA CIGLIC: I will add one thing and answer your question and then maybe do ‑‑ call on Ephraim and see whether we are moving towards conclusion.  I think in addition to the webinar of the tech accord, the work of the cybersecurity expertise this was referenced earlier is also in a very good example of how do you share best practices and how do you bring the different stakeholders together.

I think I would ‑‑ you know, it's ‑‑ your point, every country does workshops.  I think it's hard to follow globally what each country does, but we would encourage everyone to contribute to the global forum, the cybersecurity expertise and Ephraim will go next.

And then the question on I think Macron's call, we'll see what happens.  I think the thing that was very, very positive in that call was the focus on working together with different stakeholders.  And the sort of proactive engagement, both with civil society and the industry to try to come to a place where it ‑‑ the rules of the road are beneficial to everybody.

>> EPHRAIM PERCY KENYANITO: Yes, you actually read my mind.  Just to emphasize on Marcon's call and to ensure that all stakeholders work together as I mentioned where these policies ‑‑ these processes are closed to, things don't turn out to be good.  I give the example of January 2014 and June of 2014, the African convention and thank you for emphasizing about the tech accord and it's a good first step that all the 60 companies have taken and just to reecho what I told ‑‑ what I spoke with Kaja a few weeks ago trying to expand that tech accord and those norms to other companies in other developing countries because there are little setups in other parts which maybe needs to adhere to these principles and to build more allies and for them to head in this direction of more action and then also just to emphasize, the 13 principles which have been part of the best Working Group on cybersecurity, which focuses on human rights.  Those 13 principles shouldn't just be ignored.

Like, there's a lot of work put into those 13 principles which we did and other stakeholders, it's very multi‑stakeholder inputs, and over the last four years.  So it's something, four or five years we need to do that work.  And then also the GFCE, and ‑‑ and the tech accord webinars, that's a good step.  And just to maybe bring to ‑‑ to attention there's a new expert group that is developed by the African union, cybersecurity expert group that will be officially launched in December and maybe also about the capacity building work, maybe building on to more of that work and that partnership that we are working on with the African union and the rest of the stakeholders back at home.

>> KAJA CIGLIC: Markus?

>> MARKUS KUMMER: My comment is very brief.  I would suggest for us, I think it may be more important for the call on the Paris call, rather on a speech by a very ‑‑ but the Paris has a real impact and it's a defense to all the national workshops international, regional initiatives we have now by spreading the IGF model across the world.

It's actually a very powerful model and there's one way of coming towards convergence of policy and that's sharing of best practices which may be more efficient than just declaring something top down which may or may not be respected.  Thank you.

>> KAJA CIGLIC: Great.  We will go to the last round of questions and I will ask our panelists to speak.  So do you have a question?  Are there other people in the room now?

No?  So I will ask us to go down the line before I summarize and do concluding remarks.

>> EPHRAIM PERCY KENYANITO: So just to close, we ‑‑ just to close and to summarize, just two points, multi‑stakeholder, human rights friendly.  So that's the summary that I would give the closing speech that they shall continue in the multi‑stakeholder and the polices with multi‑stakeholder issues should be opened up and should be human rights friendly and done in a very transparent manner in compliance with the 13 principles of the FOC best ‑‑ the Working Group on cybersecurity and the best practices forum work that has been done over the security and the cybersecurity.  That's what I would close with.  Thanks for the opportunity.

Thank you, it's been nice on this journey with you guys.

>> KAJA CIGLIC: Thank you.  Saleela.

>> SALEELA SALAHUDDIN: Yes, I think that more ‑‑ oh, I'm so sorry.  Forgive me.  I think that the important message here today is multi‑stakeholderism is the only way, really, to protect peace and security in cyberspace and peace and security in the real world and threats to cybersecurity impact companies and they impact governments and they impact people.  When you think about things like wanna cry, those attacks hurt a lot of people that had nothing to do with traditional cybersecurity or fancy global norms.

And so in order to make things work, in a way that is beneficial for the entire world in the future and also in the present, we need to make sure that the Paris call, the tech accord and other similar initiatives bring all of these stakeholders at the table with government, with civil society, with NGOs and with the common person, so that we can join together to protect ourselves and to reap the benefits of information and make sure that it's not abused.


>> LOUK FAESEN:  In addition to that, I would say that this year's IGF, BPF was, I think, very helpful in the sense that at the ‑‑ from an international peace and security point of view, for these diplomats that are there, they are very familiar with the norms developed within the UN first committee.  You see the norms by governments but also by non‑state stakeholders and Internet Governance and I think that's very good awareness and what is already out there?  I think especially also from our point of view, like the global commissions point of view, that's exactly what we should aim for is more coherency and convergence that there's one line, that's not something that I think we should be aiming for.  I think it's a very good first step from a different point of view from our communities.

Thank you.

>> KAJA CIGLIC: Thank you.  And I think ‑‑ I worry when we are always in agreement on panel.  That's okay.

Think the main points to think about, I think from the discussion and I think from the ‑‑ the actual document that came out, is that there's clearly an appetite for multi‑stakeholder work in cybersecurity.  Anything there at the moment is a lack of it, I would say in large parts around the world.  I think that's why we all are sort of liked and I think supported a lot of this on the panel, the Paris call, that the French government organized.

The ‑‑ the importance of ‑‑ I think balancing and separating, like Ephraim was saying, cybersecurity, the infrastructure level, and peace and security level, and content level, I think cannot be under ‑‑ understated.

And the ‑‑ the conversations and the inputs that this group of people can be put into the dialogues both in international and the domestic levels are critical.

I think we are not really ‑‑ I think we touched a little bit upon whether the ‑‑ this group should continue focusing on cybersecurity, and particularly on norms.  And the next year or so, I think there is people on the panel, we all think that probably yes and that's a good opportune moment, for the Paris call and the discussions at the UN, that are kick starting.

For the civil society, they can provide an opportunity for the civil society to come together and provide points into those processes and try and push them into a particular direction.

But we ‑‑ I feel that we didn't hear enough from necessarily from ‑‑ from the floor or indeed from online.  I feel that maybe we sort of ran out of time towards the end.

So we hope that you provide feedback and continue to provide feedback with you.  I will ask Markus to highlight the process.

>> MARKUS KUMMER: Thank you very much and like you, I hoped for more feedback from the floor and from participants in the room on the way forward, but it's not too late.  I think with that, I would hand ask Wim to give the details if you still want to make a contribution.

You now have the difficult task of this.  And we have a new meeting in January and a message from my co‑facilitator, from Ben who is looking forward to taking this discussion back to the Americas and hope for a renewal of the mandate for this best practice forward.  As said, its done from year to year and it will be more conducive to long‑term work if you could establish a work plan, but I think we have a very powerful agenda item on the table and that is the Paris call and I think the IGF cannot afford to ignore this Paris call in one way or another, we have to deal with it, but, Wim, what are the options?  What are the possibilities that people have?

>> WIM DEGEZELLE: Thank you, Markus.

Like I said, the document is still in draft form, between now and the end of the year.  This' a very short window to give additional inputs, apart from like I said at the beginning, we do our best to include points raised at this meeting and to the discussion to include that in the document.  But either ‑‑ you will find the links on the website where there is a review platform, where you can submit comments on the documents or might even be a better way if you subscribe to the mailing list, the BPF mailing list.

Immediately, as you will be subscribed, you will be informed on the plans on future plans for the BPF.

And then, like I said, the output is ‑‑ will be published before the end of the year.  The idea of the BPF is also that it is not a document to be archived, reflecting what has happened here.  The initiative idea of BPF is to collect best practices, ideas, and that they are actively used and feed into discussions elsewhere.

And I think Kaja referred to a number of conversations for years to come.  So also please look at the document like that and use it in that way.

Thank you.

>> MARKUS KUMMER: Thank you, Wim.  And with that, I thank my co‑moderator who has done an excellent job and all the panelists who have done an equally excellent job and thank you all for participating and with that, I think we can conclude this year's session of the Best Practice Forum in cybersecurity.  Thank you.