IGF 2019 – Day 3 – Saal Europa – WS #63 Usual Suspects: Questioning the Cybernorm-making Boundaries

The following are the outputs of the real-time captioning taken during the Fourteenth Annual Meeting of the Internet Governance Forum (IGF) in Berlin, Germany, from 25 to 29 November 2019. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record. 

***

 

>> MODERATOR: Good morning, those here for the cyber norms workshop, let's begin as soon as possible.  We only have one hour and a lot of things to discuss, so we are starting on time.

(Audio skipping)

>> MODERATOR: It evolves like that.  It is good that our series of workshops have not turned dramatic.  We have tried hard for them to be like a romantic comedy.  What are we trying to do here.  Essentially this is about two disparate communities, digital and technical to understand each other a little better.  There is no better meeting place to arrange a date between the communities than the IGF.

Also, we think a good subject of conversations is cybernorm.  Because they are in a way the future of Internet governance.  Certain agreements that impact behavior that shape the way the Internet works.  After three success.  IGF workshops, I'm glad the usual suspects have agreed to meet again for a date.  Here, now in public, recorded on video, transcribed so from the technical community, who do we have here?  Well, basically two communities in one.  The CSIRT communities, the first responders, the ones at the very front line of cyber incidents.  Many of them outside of the Governmental sphere, some of them within, but with a long history of cooperation through trusted channels.  We have here network operators.  Ultimately, they are the ones that might tell if a norm is meaningful.

As all behavior online occurs within their premises, on the other side there is the policy community, mostly Governmental, having trouble to agree on basic rules on how to be responsible with each other basic civility.

So welcome both sides for an open discussion full of sharing and caring.  Madeline, it is an absolute privilege to be working with you in this serious, in this romantic comedy.

Our role here, I think, perhaps is like a couple's therapists.  You know?  We're bringing issues out and trying to build or fix these relationships.  What do you think?

>> MADELINE CARR: Oh, thank you, Pablo.  I think all relationships need work.  So, you know, sometimes some maintenance.  So, yeah, let's see what we can do in an hour.

I guess, if we ‑‑ to extend the metaphor.

If we say men are from Mars and women are from Venus, I guess to an extent the tech community is from Jupiter and the policy community is from Saturn.  And this kind of intergalactic exchange is something Pablo and I have really enjoyed over the last four years and feel to be very, very important.

The reason why we think it is so important is because we have been able to push each other and explain to one another different perspectives to our own.  And that expanded our own thinking.  That is something we tried to bring into the workshops is the opportunity all for us to be open, to the idea that we don't understand perfectly other perspectives, and it would help if we did understand them better.

Because essentially, we can see ‑‑ and we all ‑‑ this is nothing new.  We all acknowledge and understand the problem of knowledge exchange between the technical community and the policy community.  And the recognition that that is not a one‑way ‑‑ that that is not a one‑way problem.  That while the policy community always benefits from having better technical advice and technical understanding, but also that the technical community very much would benefit from a better understanding of policy constraints and policy objectives because there can quite often be something of a gap there.

I think one of the initiatives that the Secretary‑General announced on Tuesday, this idea of appointing a tech envoy, a recommendation from the high‑level panel report is a really positive move.  Because I struggle to think of any other area of science diplomacy or technical diplomacy where we see so little effective exchange between the scientific or technical community and the diplomatic community.

If we were working on nuclear diplomacy or climate change governance, we see much better engagement with the technical and scientific community than we do necessarily in this space.  The IGF, of course, is a perfect opportunity for us to do this because these communities come together here.

I just want to lay out a very quickly what I see as differing perspectives here.  This emerges from the conversations we have had over the last four years and over the last 48 hours.  That is a recognition here.  A lot of us in this room would have been to norm sessions over the last few days.  And a lot of us have been to a number of technical sessions.

The international negotiations over norms of responsible state behavior come from quite a different place.  They don't come necessarily from a place of wanting to ensure secure transactions over a network.  Or secure communications.  Really, what's happening at that level is an effort to prevent instability and to prevent an escalation that could come about from a misunderstanding or miscommunication to a kinetic war.  So that, that's ‑‑ that is the objective of those policymakers and those diplomats.  What we're talking about at the technical level of cybersecurity is quite, you know, it is different.  I think there is a gap we need to be mindful of when we take the conversation forward today.  I think it will come out at different points in our conversation.

With that, I would like to throw over to the third of the three musketeers, to Louise Hurel that will take us through a set up of the norms that we will talk about today.

>> LOUISE HUREL: Absolutely.  It is a pleasure to be here.  It is a pleasure to be collaborating for the past years, and really as Pablo and Madeline have said, it is really about creating a space for dialogue.  And by ‑‑ actually, using the term "usual suspects" we're trying to see, okay, how can we bring those that are not the usual suspects to the table?  How can we actually ensure we're bringing the experiences from both sides and just having a conversation about that?

Just to set the scene really quickly, I think before we start sharing a bit more, I think the bigger question over here is how do we see norms?  What do we perceive as being a norm?  Obviously, at the kind of high end level that Madeline was talking about, we have, you know, the U.N. GGE reports that describe and refer to particular norms.  But there is also the understanding that norms are kind of the everyday practices.

So how can we reconcile these two realities?  How can we reconcile these experiences?  So norms, as we are talking about, they're political artifacts.  Be it at the technical level, be it at the high‑end political level, they are political mechanisms that trigger specific actions.  They constrain and enable at the same time.  At the GGE, there is one particular norm that we're looking at, though we decided as a group to kind of explore and I would like to bring it over here.  Which is a norm that talks about requests for assistance.  So it talks mainly about states should respond to appropriate requests for assistance by another state whose critical status is subject to malicious ICT states.  States should respond to requests of malicious ICT activity aims at the infrastructure of another state emanating from their territory.  Taking into account due regard for sovereignty.  So what we see here is at the underlying level, there is the necessity of having some kind of communication between states and at different levels to promote this request for assistance.  But what does that actually mean?  If we look at the experience of the incident response communities as we will dive deep and I will stop in a couple of minutes, it all started out with a discussion of how back in 1988 of how we're going to tackle the Morris worm.

Then, maybe we should set up a team and set up a focal point to respond to that.  But what we see is the visibility of cyber attacks and how socially, economically, culturally they're embedded in the way our Governments operate and the way our societies operate, there is a new level of visibility that is coming to the forefront.  And that is why this conversation is so important.

So just to start out and I'll pass over to Mariko, I would like to put out questions for reflection.  The first is how communication happens when a particular incident occurs.  What kind of communication avenues?  Who did you talk to?

The second one, were official channels needed or was it more of a trust‑based informal conversation between experts?

The third question, was there any expectation that if you raise a request, there will be a response?

And the fifth one, which is perhaps the most important question, does this norm, the norm on requesting access or requesting assistance, sorry, does it actually help to maintain the trust that has already been ingrained, in some ways, in the incident response community?  Is there something to be said about how these agreements at the U.N. GGE level and WEOG, how can we tackle that I want to pass the discussion to those that have the on the ground experience and to Mariko Kobayashi to explore the different cases and how a particular incident was tackled.  Over to you.

>> MARIKO KOBAYASHI: I happened to be in Astonia and played a part in the 2007 attacks.  Actually, this particular norm is a really good use case.  If I tried to look at ‑‑ if this norm existed at that time, how would how that incident was handled, how would it apply and where are some of the gaps?

So one of the things with Astonia was that in 2007, really, the world didn't know about Astonia.  It is a very small country.  You know, some people may have go to Thailand, but really it wasn't on everybody's radar.  They had become very digitally advanced because they needed to become viable in the global economic world.

So one of the things that happened was that during the incident there were diplomatic channels.  But internally within the country, they had a proper incident response and they could communicate between all the relevant players.  What they did not have was international relations.

Because really, it was unprecedented.  And so when you ‑‑ they had established a national cert.  And they actually were at a conference just around that time with other national CERTs, but the problem was they were so new they hadn't yet built the appropriate trust relationships.  When they asked for help, people were trying to figure out could they trust them or not.

From the diplomatic channels, again, it was, well, does this really constitute an act of war?  Who is actually responsible?  What is going on?  Because it was the first time that a nation state was very public about what was going on.

So what ended up happening is there was ‑‑ happened to be a conference, the ripe NCC during that time.  There was an Ad Hoc, trusted, global operational group where some of the members were in the country.  And so they ended up also being part of the defense.  So what you had was you had some diplomatic channels that were trying to get international cooperation, but they didn't quite exist yet.  Right?  The communication channels, the trust channels didn't yet exist.

So as I'm looking at now 12 years later, right,a lot has happened.  This was a use case where everybody woke up globally to say we had all the discussions about what if something happens, you know, in terms of somebody using cyber,s to attack critical infrastructure.  What do we do?  Now this was a real life case that people can talk about.

And when I look at ‑‑ you know, this particular norm, what I think of, you know, it has very good intentions, but it is quite ambiguous in terms of how do you operationalize it?  Basically, who defines what is an appropriate request?  And what is meant by malicious act?  Is it physical damage, how extensive, loss of functionality, digital espionage.  How do you define that in terms of when you act?  And all, how do you determine when to escalate and to whom?  So I am aware that there is the organization of American states and the organization of security and cooperation of Europe, that are trying to build these incident responsibilities and operationalizing it.

But one of the things that I think is really very important is when you are creating a norm, that all stakeholders should be involved from the beginning.  This includes policy, legal, technical, operational aspects must be understood.  And this will, in my mind, help assure cross functional transparency and create norms that can be effectively operationalized.

>> MODERATOR: Thank you.  Such an amazing story.  We can see through the example that there is needs of the international channels of communication and to that extent we might say the norm addressed what was recognized as early as 2007 as a gap, and something that needed to be addressed.  And now we have this proposal through the U.N. GGE that states recognize that responsibility and somehow uphold it.  But there are questions still about how actually that happens on the ground in the midst of an incident.

And although we have seen this kind of happen organically now, over the last 12 years, we want to think more consciously going forward about how these things are discussed and negotiated.  So perhaps, then, we will throw to Maarten who has another example.  Maarten, would you like to talk about your experiences?

>> MAARTEN:  Thanks very much and for the invitation to be here today.  The example I wanted to bring up is one that is considered to be a norms breaker.  It was an incident that led to many starting the discussion about cyber norms.  It happened in June 2017 when a piece of malware called NotPetya was discovered.  It was thought to be an old piece of ransomeware called Petya.  It infected large enterprises, shut down the large shipping company Maersk at the time, and had a lot of visibility.  It didn't intend to be as ransomeware, it presented itself as such.  In reality it didn't contain the features to decrypt information when a payment was made.

Once a system was infected with NotPetya it would infect other systems by exploiting shared credentials and through specific Windows vulnerabilities.  What made it special was the vector through which it happened.

At the time, many of the corporations originally effected did business in Ukraine and used one very specific application called Meadel, which was accounting software that was common there for filing taxes.  It turned out, after this company brought in forensic investigators that their update servers had been compromised and malware was deployed as an update on the system.  Anyone that did the right security thing, installed their patches would get the malware on their systems.  From there, the malware would spread through the enterprise networks often across country borders through VPNs and other intern networks.

This was impactful incident.  Later quotes were overall NotPetya cost about $10 million.  I can't speak to the accuracy of the numbers, it was widely perceived to be impactful.  Relatively enough it wasn't complex, it was I simple attack.

If you apply the norm, a couple of things stand out.  The first is related to appropriate requests for assistance.  This particular statement puts a very strong focus on the fact that states need to be responding to a security incident like this.  That is something that I think is more debatable than we think it is.  The origin of the attack in this case is pretty fuzzy because there is two different incidents.  There is this company with an update server being compromised and the affected organizations that install the malware and the malware starts spreading.

Second, Government incident response teams or national CERTs play a minor role in this incident.  Think of the flow of the incident responder, when your corporation is infected with malware, and through the third party system, you start responding and you reach out to the recall cert, through the CSIRT, if we insert the national cert we are adding latency and not productive president in cases where cases like NotPetya where it spreads quickly, that is a challenge.

There is a role for the national organizations to help respond, coordinate and get awareness to other companies out there.  It is not always going to be coordinating the response to try to end the attack.

The second piece that is a bit challenging is the definition of critical infrastructure.  Now, there is actually very little agreement between states on what critical infrastructure truly means.  In addition to that, if you think of accounting software and in this case a large shipping company, it is quite debatable whether that is critical infrastructure anywhere.

The ports for instance, may be and may be affected by an impact on the companies but really we look at the supply chain of critical infrastructure here, as opposed to critical infrastructure directly.

Third, there is a note around responding to requests to mitigate.  That is a bit concerning.  I think in many ways that is modelled after the fact that an attack can consist of flow of traffic from one country to another, that can effectively be done.

In this case it is encrypted traffic, transferring over enterprise involving PNs, there aren't really that many things a state can do to address the attack on the borders.

If we try to push states towards the point of being able to do that, we might be aligning incentives that aren't really fantastic.  For instance, malicious ICT activity can be defined in a number of different ways.  Second, incident responders often have no ability to stop traffic.  If we ask them to be able to do that, then being able to do that in a right, respecting way becomes a very important concern.

I want to flag that I think from a technical community perspective, the development of the norms is very helpful and very good and solid discussion.  What we learn when we look at the real incident, in the context of this particular norm, that there are many challenges in both proper design and implementation of the norm.  If that implementation is misaligned or doesn't really match reality and how we actually respond to an incident, those unmet expectations are actually likely to decrease predictability instead of in keys.  For me, that is a big take away looking at this and several other U.N. GGE norms in the context of an actual live incident.  Thank you.

>> MADELINE CARR: Thank you, Maarten.  It is good now to bring in a policy response or policy perspectives on the scenarios we have had, you know, where Maarten has skipped ahead 10 years from Mariko Kobayashi's example to look at another scenario where the issues of requesting assistance are clearly quite complex, still important, still central to resolving an incident.

As Maarten points out, it is not clear who needs to be involved in the discussion and the national CERTs are not always the right partner, and some cases they may even, Maarten suggests, introduce this latency or delay that is really counterproductive in addressing an incident.

Liam, I wonder if you could reflect a little bit on how do you see the scenarios connecting with the work that you and the Australian Government do in the GGE on proposing and defining norms of reasonable, responsible state behavior?  And how do you see the role of the state when you hear a scenario like that laid out?

>> LIAM:  Thanks, Madeline.  It is important to consider the context of the discussions happening in the GG, and the gel GGE, and the open‑discussion group.  This comes from the first group, focused on disarmament.  This will affect international peace and security things that may escalate to a conflict between states and they are focused on discussion and agreement of the role of states as an actor in cyber space.

The other aspect is that because these are political discussions in a multilateral forum, they reflect very long, very detailed, very hard‑fought negotiation to achieve consensus text that states can agree to.

And in doing so, we are to lose a level of specificity about many of the terms.  But this is a necessary ambiguity to achieve agreement to what is a general standard or agreement on the behavior of actors in cyber space.

So I will accept the criticism that there is a lack of detail about many of the terms included in there, but I would also say they are necessary to achieve the agreement in the first place.  In that context, what I would say is that the GGE are really a very clear sign and the fact that there are two processes happening now to discuss these issues both from first Committee, very clear sign that states are concerned, very concerned about the implications for cybersecurity incidents to international peace and security.  And that there is a growing consensus around very basic standards of behavior, both positive and negative objections.  Many of the norms are imposing negative obligation on the state.

But they're a clear indicator that a peaceful state in cyber space is objective of all states in the U.N.  And that is through the various processes and means available to multilateral diplomacy, what states are working towards.

We come at this from a different perspective.  When you are in negotiations, you are not often thinking about the very detailed aspects of how they'll be implemented, but rather setting a very clear sign post of what responsible state behavior looks like.  And what the expectations of the international community are of actors in cyber space.  In responding to serious cyber incidents.  So from that point, I would say this is the start of the conversation.  Setting a very clear indicator of where the state and what the expectations are.  And then I mean, we consider the norms as part of the broader framework that includes international law, confidence building measure and capacity building.  So looking at those other various means in which to implement the various normative agreements including through bilateral, regional, global forums including the ozone regional forum, we have been working hard in that forum to implement confidence building measures about negotiation, and engagement between states and during an incident, which we worked very hard with Malaysia to achieve agreement on a directory, so the state and Government level, we can discuss and have clear points of contact to reach out to in a serious cyber incident.

So in that context, I would say that, yeah, we're at the start of the discussion about defining what is appropriate and how we'll respond to serious incidents.  We have very good agreements that have come through the 2015 process.

We're now hoping to get some very clear guidance from the 2019‑20 process to implement that and put it in a Working Group as well to understand capacity building as well can assist to implement the norms across the global community.  Thanks.

>> MODERATOR: We were talking this morning about how so many things relate to football.  If particular, talking about different stakeholder groups, for example, the owners of the team, the managers of the team, the team players.  The stories that we just heard from Morocco and Maarten, are stories at the level of the playing field, at the level of the players.

Perhaps the stories that we're hearing from Liam are mostly at the seat suites of the owners of the team.  These are conversations that are sometimes difficult to bridge.  I think we can progress a little bit further through the norm that Louise Hurel exposed on how to approach those conversations.

I would like to ask Christine and Sumon.  Christine from the CSIRT common and Sumon from the network operator community, how have you received this particular norm in your area of work?  Let's start with Christine.

>> CHRISTINE:  Thank you, Pablo and everyone.  I think we are trying to grasp exactly what that would mean.  I think we have a problem and still have a problem in the sense to the technical community has a long way to go to understand how the norms space work.  And why it is important to be unprecise sometimes.  I also think that the norms people should understand our perspective as instant response teams that we are worried with all the things that Mariko and Mark brought, when you avert an incident from escalating, you need to be swift and quick.  You shouldn't be worrying if you are supposed to contact someone from a Government or not.  You are trying to prevent a worm from spreading.  Trying to prevent critical infrastructure to stop from working.  It is difficult to do that if you need to think what is my territory?  So when I look at the norms, the first thing that jumps to me is how do you define a territory in cyber space?

We have VPNs and Internet exchange points and traffic passing through different countries that don't even belong to that country.  If we have for example, for the Amsterdam Internet exchange points, that is an international one.  That is traffic from everywhere.  What would they do to stop Germany from talking to Belgium because the traffic is passing through.

For the technical community, it is difficult to understand how it is implement.  And the CSIRT, it is how to grasp how to operationalize that.

I think it kind of creates an idea of how to maintain trust and how to build.  If we go back to the work of the Best Practice Forums on SIRT and CSIRT that were here in IGF in 2014‑15.  The major conclusion is that for instant response teams to be effective, they need to build trust.  For this trust to be built, it is really difficult.  It is usually based on people‑building trust.

Timing is really a very big issue.  We need to be able to communicate freely.  CSIRTs are discussing data protection laws, other information.  Trying to grasp what to share without infringing laws.  The most important from our perspective is if the norms community understand a little bit how the norms translate on how ‑‑ because we are the ones implementing the norms in an extent, not all of it.  So would that prevent us from implementing?  So this is some of the things to worry us.

So with us trying to abide by the norm actually make things worse?  This is why I think we still need a lot of discussion.  And of course, I think both communities need to understand each other and talk more freely and be able to really exchange these worries.  It is not that we don't want.  We think norms are very important, but when we get some cases, then we start realizing how difficult it is to actually know what we are doing.  And if we're contributing to the norm or if the norm is helping us or not.  It just food for thought on that.

>> SUMON AHMED SABIR: I work as a network service provider.  When we talk about norms, in particular we have our own norms of working.  We work clothe together.  So far, it is working so seamlessly without having any proper particular mechanism, it is working fine.  But when I talk about this norms we're discussing, if you 0.out today what ‑‑ bring to the table, the cooperation among states around incidents, I want to bring an example from Bangladesh in last two years.

I think it is almost two years.  The money from the Bangladesh central bank, in transport to some Filipino casino in Sri Lanka.  It was so nicely, on Friday, it was closed.  Some order went from Bangladesh to this federal bank.  They transport the money on that night.  Saturday, it is closed everywhere.  Sunday, they came in the office, they found the last chunk of money was transferred to a different country.  They tried to communicate with the different country banks.  On Sunday, all Sri Lanka and Philippines is closed.  Monday a special holiday in Philippine.  In Tuesday, they found the money was transferred to a casino and gone, become chips.

And the Government and Bangladesh people came to know about it one week after that, when there is news in the Filipino newspaper that something happened there, some money transferred from Bangladesh and so on.  And then started investigating.  Here you can see that if we talked norms in the top level of leak, and Government officials it doesn't work.  It should cascade down.  To the technical community, the banks, others should be able to know this is the norms.  And how we can execute the norms when anything happens.

What Mariko was mentioning a framework, communication channel.  Everybody should know how we move forward.  They inform the Government to try to do in the banking channel the issues.  It didn't work.

Then moved back to Government.  In the second phase, now, there is two Government, two different country.  Still, that didn't work properly.

Still the case is under investigation.  There is some (?) in Filipino court, but no tangible outcome from there.  We're setting up norms best of your recollection really, we're not committed to that.  Is the Government or other organizations?  It is not cascading down.  Like from the steering Committee.  As I come to IGF, I know about norms and those things.

If you go to a technical forum, nobody knows about this kind of norms there, and that has a value.  Even though they're norms they don't know how to actually execute those. s there are the challenges.  It is not about the knowledge.  And she was saying earlier, when you are finding something, all companies should work together.

O in case of the technical example, like in our region, we have our policy discussion, we're discussing the policy, and we're finding it way up in the submission of the policy.  Only doing policy will not solve the problem.  We need to think about norms in a different way.  Thank you.

>> MODERATOR: I hope you are finding the stories around the incidents in Estonia, NotPetya, the Bangladesh bank heist sort of a useful tool to analyze sort of how these norms can be meaningful or not.  And how the development of the norms can how is improve.

It is now time to open for comments, in order to try to bring the discussion a bit further.  I will have Liam, Alex, Olaf ‑‑ what is your name?  Okay.

>> AUDIENCE: Great, it is useful to hear the practical experience of the people on the ground experiencing it.  I think that we still have a process to go through in terms of implementation that each state has to look at, and each, you know, each ‑‑ the regional groupings we have to use to do these things have to go through.

I think the process of having the agreement on norms is to set, I suppose, a direction or a clear guiding line for the community on this is our expectation, that you will share information in an incident, not to define how you do it or when you do it.  Because we aren't the experts in how that happens.  We are trying to create the conditions in which cyber space can be peaceful and secure.  Through agreement between states.

The process that needs to happen then is each state looks at the obligations of the norms and impose on them.  Australia has done this recently.  We actually tabled it in the U.N. as port of the open‑ended Working Group as how we work as a Government to implement the normative agreements we made in the U.N.  That is a process that each country will have to go through.  And in fact, through the capacity building program we're working in other states to do just that.

The other comment I will make, too, the concept of norms in cyber space is an interesting one from a context of international security in that many ways, we're doing it back to front.  Norms are generally developed over a very long‑term practice that then is turned into international law through very long, long discussions.  This happened in a range of issues, lord of the sea is a good example of a practice that developed over thousands of years is over the long‑term codified into the state practice and international law.

In terms of discussing norms for cyber space, what we are trying to do is kick start the process and have a really clear view from the get‑go on what is the standard of conduct and the expectations we have?  That then we can look at implementation.

Normally you have implementation flow through and agree that is the standard of behavior and over long‑term become international law.  We're doing it all back to front.  It is an interesting process to work.  And enjoy doing it.  This is ‑‑ I think the start of the process, as I said.  It is up to each state to look at how to implement the obligation that the norm has on them as a country.  Look at how as a global although regional kind of groupings we implement that.  Then at the greater level through the global community.  Thanks.

>> MADELINE CARR: Liam, can I follow up on one interesting point you made there?  You said we're doing this back to front.  Normally norms evolve over time.  We recognize them as common practices and common values.  Why are we doing it back to front?

>> LIAM:  Because we don't have time.  We don't have time to allow this to evolve in that long‑term natural process because of the speed and pace of technology and the reach that it has across the world.  The impact on our societies, national security, the potential is so enormous we need to kick start the process and make it happen much faster.

>> MODERATOR: Alex?

>> ALEX:  Thank you, Pablo.  This is Alejandro Pissanto from International Mexico.  Thank you for inviting me to be a member of the distinguished panel.  It is exciting to take part in this discussion.  Let me hitch what I was planning to say on Liam's recent statement.  It is very interesting to see that you are premising the DGE norms making process on the hypothesis that you don't have time.  Yet the process has been going on for several years.  It is in the second or third cycle.  On the sixth cycle, each of which has been three years or more.  There is also the open‑ended Working Group, which is a parallel and let's say hostile or competing process.  There will probably be a third process trying to be friends of the friends of the Chair of each.

So for something that is really, you know, time pressed, it doesn't look like in a hurry.  A hurry?  Time pressure, that is what Christine feels where or Maarten, people who are in the CSIRTs, they have to respond in minutes to decide what's happening, what the source is and what the appropriate action is.  From the technical and operational side, the norms making process at the General Assembly looks like countries trying to cover their backs and saying we did something.

So whatever can be achieved is having done something.

No chain of command or reporting chain that go to the SIRT and CSIRT that are working in a different regime.  I recently published a paper where I think I exhibit if not show or demonstrate the cost of the regime crossings.  You have a multilateral regime trying to operate at the extraction level of full countries.  You have the operation of the regime which is within the law, not against the law, not a lawless or ungoverned space as often said.  But you have these things happening more in the multistakeholder regime of the Internet, way before it was called that way from the IETF.  The operators groups coming together.  They're trying to uphold the laws.  They're never against the law.  But they are basically trying to gain legitimacy not from having been all the way from elected Governments to the stop of the general assemble, but legitimacy by effect.  These are different regimes.  Countries that are playing both games, both regimes are being more effective and say, well, we discuss cybersecurity in the multistakeholder forum and take our conclusions in the General Assembly.  They caught that one.  There is sometimes not a connection for the foreign offices or technical communication office that is here.  Business connect is damaging.  In the end, it is damaging for the operation of those in front lines like SIRTs and CSIRTs that don't have the proper mandate and facing conflicted laws for data protection and demand for security.  Thank you.

>> MODERATOR: Thank you, Alex.  Olaf.

>> OLAF:  Olaf, Internet Society.  I have had the pleasure of serving in cyber space.  I came from a technical environment where I so recognize what Alejandro said continue.

I will give you two times.  24 February, 20 eight, 18:47UT criticism.  Sunday 24 February 21:01UTC.  That is the duration of the Pakistan YouTube incident which brought down a part of the Internet.

That is just a little bit more of two hours on the response time.  With a global scale of coordination on 60,000 networks.  That is what he we're talking about.

If we look at the implementation.  The people that do that self‑identify as the technical community.  The technical community shares a set of norms to keep the Internet running and to keep the environment secure.

I think that is often forgotten that that is what self‑identification of the technical community means.  A shared set of norms to keep our environment safe.  The people at that side of the table described how they're working at it.

On the other hand, there is the responsibility of states to not escalate these type of events into full kinetic war.  That is that conversation that is going on at the GGE and open‑ended Working Group.  Those are two different discussions with using similar words, but similar words that mean different things to different communities.  I gave the example yesterday, Deutsche industry.  Din.  The word norm is in there.  ISO norms, those are all technical standards.  When people talk about norms in that context they think about different norms than what we talk about in the GGE.  The norms around responsible state behavior.

Also stability.  Stability in a technical context means completely different things than the stability question in the international context.  I do think it is very important to bridge those discussions.  Because it is very important to understand from the technical community that on the longer time scales of interstate behavior and making sure things don't escalate, if these type of attacks these type of incidents happen, that there are mechanisms that make sure you that NotPetya is understand, attributed and states are held accountable if a state actor is behind that.  That is on a different time scale than the immediate incident response that is taking place.  I think that the worry of the technical community in this is oh, we might not be able to get our work done if these norms are misunderstood or misimplemented at regional, national level.

>> MODERATOR: I committed the floor to two more, we need to wrap up, we have six minutes.  I will give you the floor for tiny bit. Then Laura, then Luis.

>> AUDIENCE: Thank you. My name is Lito S. I'm the legal advisor for the national Israeli Cyber org. I work for the Government, three things, and we operate the national CSIRT.

In my intervention, I would like to share our views in bridging these very distinct fields, one is the language of the diplomacy of the high‑end stuff.  I completely relate to the discussion between the diplomats and technicians and I'm a domestic policy lawyer.

And I think that as we see the challenges of rising in cyber space for CSIRT, there is role for domestic law and domestic loyals that create better interfaces for corporations.  We have relied for a lot of time, this is what the IGF discussed in many places on the ingenuity and common shared norms of technologists.  Now we're relying on cyber space on a heavier duty.  The risk of the technical community and corporate functional of society is greater.  There is a some law to assist.

We will have a panel tomorrow discussing specific issues in which the law can assist.  We're looking at the case study of recital 49 of the European General Data Protection Regulation.  Because we see it as a use case of where the European legislative and additionally in the U.S., there is a similar law.

We are developing a similar law in Israel, in which the law interferes to make information sharing easier.  And to assist national CSIRT in their mission.  By that way, we reduce some of the unnecessary friction, the legal risk may create to national CSIRT in a net positive way.  This is the case, we can talk about other cases if people are interested where domestic law and domestic law interoperability, can promote security and cybersecurity in that way.

>> MODERATOR: That is a welcome intervention.  Thank you so much.  Vladimir.

>> VLADIMIR:  Thank you for the discussion I want to put another component into thinking, when we think about the incident of conflicts around the world.  This discussion is about norms, think about Russia, China, U.S., big guys.  60% of the conflicts today are in Africa, Middle East.  Cyber, those tensions and conflicts need any spark, and cyber will soon become a spark to turn intentions to conflict.  In future discussions, focus more on the subregional examples and try to bring these guys as well around the table.  That is where it will start in the next war.

When you look into the countries, there is training on countries on how to establish a national mechanism in responding to an incident, even there is tote chaos.  You might have a contact point appointed as an international contact point.  On an international level they don't know what institution works on what.  A response is hard, let alone someone else in this case, of a request.  Thank you.

>> MODERATOR: Louise.

>> LOUISE HUREL: I think it was an interesting progression toward our concluding remarks.  That is one of the questions I had and where I think maybe we're headed with this discussion and perhaps that the subject for another ‑‑ yet another panel.  Just to kind of wrap up, I think there are at least three themes that we talked and touched upon today, not only when we think about requests for assistance, the starting point, but how do we connect as I said in the beginning, the realities of the operational everyday incident response and the diplomatic level and thinking international peace and security.  I think the first challenge in terms of implementability and actually the question is what kind of implementation are we looking for when we look at a norm such as the one we're talking about, which talks about requests for assistance.  As mentioned how do we know who attacked?  Is it a nonstate actor?  Is it a state actor?  These are questions that revolve around different perceptions of what the norms can be, how they can be implemented.

On the one hundred, we have this demand of things, but the diplomatic side, there is a lot of consensus building and bringing the already to the forefront of the international peace and security discussions.

The other question is a question about temporality.  The question of temporality is exactly that latency that we heard about earlier today and how do we actually make sure we are responding on time.

At the same time, how do we make sure we have the time necessary to build that kind of dialogue and consensus and exchange the knowledge between this particular community that has been working on the front line for many years, and the policymakers and even the diplomats who are negotiating what attribution means, what an attack means.  How you will implement international law in cyber space.  That has a spillover undeniably a spillover to the national level.

That is the kind of a bridge we are trying to make here.  Which leads me to the last point, to conclude.  It is a point on capacity.  What are the capacities we need to actually tackle that.  On the side of kind of the technical community, we talked about, you know, trust building.  Mariko gave an example of in the early days there wasn't trust yet.  That was a constraint to having an effective response.  And how gradually different countries are still building that.  It is an ongoing process.

The main question I would like to conclude and going to Vladda's point, what are the policy players that are able to connect the mismatching temporalities, the mismatching implementation, ideas of implementation.  And capacities.

The answer to that, which I would agree, perhaps we should look at the national governance ecosystems and bridge those that are at the national computer instant response teams, the policymakers, legislators and diplomats.  I think it is a flow of information engrained in how the domestic and regional structures, how do they exchange knowledge of what is an attack or incident?  What do you do when you respond?  These kinds of information are not circulating as much as they should.

Perhaps that is the structural element aside from the governance structures in each country or regionally that should be in place.  How do we build these fronts?  I guess just to close with like getting on the policy side, I guess it is also thinking about the implementation of capacity building and confidence building measures.  I think that is still a very open‑ended question when we think about, you know, we need to have an SIRT and how do we make that?  How do we implement that?

I think the implementation is always coming round and round.  I guess that is the Panorama and this is setting the is scene for the next football game and seeing what are the players that we need to connect, right?  So yeah.

>> MODERATOR: A very good therapy session, this has to be cut short when the most important things are starting to merge.  Food for thought and until next time, thank you so much for all that came here and participated.

(Concluded)