IGF 2021 – Day 0 – Event #103 „Cybersecurity and Crisis Management”– combining cyber and kinetic threats. Best practices”

The following are the outputs of the captioning taken during an IGF virtual intervention. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid, but should not be treated as an authoritative record.

***

 

>> MACIEJ SICIAREK:  Hello.  Ladies and gentlemen, good afternoon.  But we are on the IGF Forum, so we are in various time zones so I presume for some of us rather good morning or good evening.  Special thanks for those who are in the middle of the night and who have chosen to be with us instead of having a rest.  There are some of us who are just in the middle of the night.

It is a great honor for me to start the panel titled, Cybersecurity and crisis management ‑‑ Combining cyber and kinetic threats:  Best practices.  My name is Maciej Siciarek.  I'm the head of Cybersecurity Innovations and Development Department at NASK, National Research Institute in Poland, a public institution that has a very important role in publishing cybersecurity environment.

On the left of the screen will support online communication channel and I hope fruitful Q&A session at the end of our meeting.  IGF was expected to meet all of us in Poland here in Katowice, the capital city of the Silesian Volvodeship in South Poland, and the central city of the Upper Silesian metropolitan area, but due to the known problem of pandemic that we are facing all over the world for almost 2 years, we are meeting in hybrid formula, as well guests of the session, as most of the panelists.

Last year during IGF meeting, I said that I hoped we were not yet fed up with number of online meetings.  This year, I'm not so sure we are not.  So we should face this specific symptom of crisis and manage it using digital tools and solutions.

I hope no technical issues will disturb us today.  Before our ‑‑ before I will introduce our guests, one technical remark for audience present with us online.  Of course, during the session your microphones will be muted but we invite you to use the online chat room and write your questions which can be addressed during the Q&A session by the end of the panels I mentioned, you can address your questions to either a specific speaker or to all panelists.  Katarzyna will help us.  We have only 75 minutes for whole panel, so we kindly ask you to keep the limit of about 7 minutes for each answer, so after this brief introduction, it is my pleasure to welcome such distinguished guests who join us today from far and near as panelists.

I wish we could host you all in person, but not today.  Let me invite Mrs. Amy Mahn, International Policy Specialist from U.S. National Institute of Standards and Technology, NIST.  Welcome, Amy.  Good morning.

>> AMY MAHN:  Good morning.

>> MACIEJ SICIAREK:  Yes, thank you.  Mr. Dong Geun Lee, Director of Incident Response Division at Korea Computer Emergency Response Team.  Hello, Dong.  Can you hear us?  Okay.

Mr. Juhan Lepassaar, Executive Director of ENISA, European Union Agency for Cybersecurity.  Hello, Juhan.

And Mr. Jakub Boratynski, Head of Cybersecurity and Digital Privacy Policy Unit, European Commission, Directorate‑General for Communications Networks, Content and Technology.  Hello, Jakub.  Good afternoon.  And only one panelist together with me, thank you that you are here, Mr. Witold Skomra, Head of the Critical Infrastructure Department and Advisor to the Chief of Government Centre for Security in Poland.  Hello, Witold.

>> WITOLD SKOMRA:  Hello, everybody.

>> MACIEJ SICIAREK:  Due to the increasing interdependence of trade sectors and ICT system, it is inevitable to tighten the connections between cybersecurity and crisis management and face new challenges for digital security of world economy and not only economy but also its influence of citizens' lives.  Crisis management connected so cybersecurity is a global challenge which concerns every country but we all know there are different ways and solutions applied by European Union and other countries, so we are just in mixed panelists.

So starting the panel I would like to first to pass the floor far, far away from us.  Amy, I'll start with U.S.  Amy, you're representing U.S. National Institute of Standards and Technology.  I know that the range of issues, security issues, that NIST is covering on level of standards and recommendations is really, very, very wide.  Could you share with us general approach to the specific subject of combining cybersecurity and crisis management on basis of NIST experience, possibly including some conclusions from evaluation process?  Welcome, Amy.

>> AMY MAHN:  Thank you very much, and I again appreciate the opportunity to be part of this discussion today and join a great group of panelists, so thank you.  My work as you noted at the National Institute of Standards and Technology which is a non‑regulatory agency at our U.S. Department of Commerce, and our role is to help advance measurement science and standards and technology in ways that can help improve our economic security and our quality of life.  In our information technology laboratory we work to develop standards and guidelines that can help cultivate trust in technology and we develop a number of cybersecurity and privacy resources in close collaboration not just with our other U.S. Government partners but also in close collaboration with the Private Sector, industry partners and international partners to bring those perspectives into our tools and help keep them effective at managing cybersecurity risks and it's forums like there and chances to exchange information that help us refine these tools and standards and guidelines.  Under our Federal information security modernization act, NIST has the role to develop the standards and guidelines and Federal information processing standards that our U.S. Government uses to secure our systems and that can be used in a time of managing an incident or a crisis and they are voluntarily used by the Private Sector and by industry but because they closely collaborated with us in the development of those standards we have seen a lot of voluntary intake and we've seen our United States also use the tools like our cybersecurity framework, our privacy framework, and other guidance on that voluntary basis, incorporating it into some of their regulations and for some of their Private Sector acts.

At NIST, we work closely with Government agencies like the U.S. Department of Homeland Agency, who has our U.S. CERT Computer Emergency Response team that handles from a perspective, but it takes into account and uses the different resources that NIST puts together through that close collaboration and we have really seen a lot of use of these resources and learned from these different implementation and use of them to continue updating them.  We convene regular stakeholder meetings to get input on how people have used it whether in a crisis or other situations and those successes and challenges help update them.  Tools like our cybersecurity framework also leverage international standards and best practices already used and found to be of value throughout the word like ISO 27001.  ISA/IEC 62443.  NIST's own Special Publication 853, which is a catalog of security and privacy controls used for Federal information systems, and tools like our cybersecurity framework will leverage those for doing different cyberspace outcomes organized around identify, protect, detect, respond, and recover, spanning the entire breadth of cybersecurity Risk Management from the preventive through the reactive phase after an incident occurs so those like respond and recover there are different actions and controls to be applied using existing standards and guidelines and we continue developing tools so they can be used in the approach flexible enough to apply in the various infrastructure structures of which there are 16 in the United States.  This can be used whether it's in the health care Sector, nuclear or energy and those Sectors have some of their own regulations but the cybersecurity framework is meant to be used along side them and we've learned from these Sectors who have put together profiles of how to use the framework and those best practices will then go into future iterations of the framework and help make that useful and continue to be a tool that all of our critical infrastructure Sectors can use both being able to protect and try to mitigate anything from an incident and be able to respond and recover if something does occur.

That flexible approach has been found to be very useful and used in the more operational context although at NIST we develop the standards that can help be used for managing these crises, rather than taking the first steps from that operational perspective.  Thank you very much.

>> MACIEJ SICIAREK:  Thank you very much, Amy, for sharing with us your approach.  I think it will be very interesting to raise in the future aspect of obligatory and voluntary implementation of various regulations.  It's quite interesting.  Now let's give the floor to Korea and Mr. Geun Lee, Director of Incident Response Division at the Korean CERT.

Dong, as we know, last summer Korean Government announced the new deal policy which is mostly about economic strategy, but as a part of it Ministry of Science and ICT announced a strategy to promote key cybersecurity policy.  In this strategy among long, long list of goals and aims on technical level, we find also protection of important National facilities and strengthening security capabilities of small and medium enterprises.  Could you please introduce us a little bit in your role in cybersecurity in Korea at the regulation level and also operational and especially implementation of the strategy and key challenges you are facing combining cybersecurity and crisis management, as well locally in Korea as in your Region.

>> DONG GEUN LEE:  Yeah.  It's an honor to participate in this historic event as a panelist.  Thank you.

I will briefly introduce the KrCERT.  KrCERT is a National CSIRT in the Sector of South Korea and is operated as a part of KISA starting with a small team in 1996, about 150 employees are currently working for cybersecurity proponents.  Various tasks such as responding to instance preventing campaigns and cyberthreat information sharing and we have been responding to major cybercrisis in South Korea.  The Korean Government announced the Korean person of the new deal as a National project designed to revive the economy after the COVID‑19 pandemic, and decided to create investments and jobs in three areas:  The new deal and strengthen safety nets by 2025.  In accordance with the new deal policy related to cybersecurity, the Ministry of Science and ICT announced cybersecurity strategies in February of this year.

The K‑Cyber Security Alliance present task for establishing these are safe National foundation, strengthen response to changes in the security paradigm, and expanding the foundation for fostering information protection industry.  Among them, I would like to look at several major tasks related to KrCERT of KISA.  First, KrCERT establishing cooperative system in which major private companies participate, through the ICT cloud service providers and et cetera.

It was named the K‑Cyber Security Alliance.  We have the kickoff ceremony last month and plan to quickly spread the correct information to the Private Sector, including major companies, institutes and the general public, and to support the development and the distribution of security parties in connection with security companies.

Information sharing is carried out through KrCERT/CC's Cyberthreat Information Sharing System called CTISS, and small and medium sized companies that lack threat analysis or processing capabilities will be provided easily through website or emails to narrow the information gap.

Second in the event of an incident anywhere in the country, experts will be dispatched to the site to support the analysis, investigation, recovery, and prevention of recurrence.  In this process, it supports the introduction of necessary products and solutions by conducting security consulting of companies in connection with private security companies.  Third, for the security of the supply chain which has become a big issue in recent years, major development companies in the multiuse and public service Sectors will be selected to strengthen safety at each stages of software development.

Supply chain security companies are promoting the spread of diagnostic tools that can increasingly implement security systems on their own.  Fourth, KrCERT/CC provide free personal PC checkup service called My PC Carrier, which will expand the security techs to prevent the public facilities or personal PCs from being abused by attackers and will provide cybernotification service that individually informs users of threat information on PCs or IoT devices.

Lastly, KrCERT/CC conducts cybersecurity exercise on crisis response in the Private Sector in the first and second half of each year.  The cyberexercise which has been promoted since 2024 currently consists of three areas:  Hacking response, attack response and testing.  It was conducted on a set topic for a set period of time every year.  SMEs with sufficient response personally had low frequency of participants and cyberexercise was conducted on topics that did not match the cooperation period.  KrCERT/CC has a platform to serve these difficulties of SMEs and is preparing to promote hacking, response training at any time anyone wants from next year.  I briefly explained our story.  Thank you very much.

>> MACIEJ SICIAREK:  Thank you, Dong.  I think it's very, very important to mention this well coordinated plan for supporting companies until so arranging cyberexercises.  I think the topic of cyberexercises may become cyberexercises is worth of mentioning at the end of the session, maybe something to arrange altogether.  Thank you.  Thank you again.

So now let's give a voice to Europe.  Juhan, I'd like to start with ENISA.  As introduction to further discussion and thought exchange, could you please show us a big picture of current actions undertaken by ENISA in the field of large scale incident coordination.  It all started as I remember in 2016 with the request of Council of the European Union to the Commission for project of coordination in response to large scale.  Could you say us more what happened and what ENISA did in this subject.

>> JUHAN LEPASSAAR:  Thank you very much for the good question and thanks for inviting me into this panel.  It's a pleasure to be at least virtually in Poland and at the same time also around the world.

I would like to actually start from the fact that in 2016, the Council already agreed to apply a new directive which set a kind of framework for critical Sectors when it comes to cybersecurity, so that the Network Information Security directive that came into force in 2018 set sort of a minimum standard for the industry in Europe.  But wit, it also included a number of bodies that were set up and one of them was the CSIRT network, the network of National CERTs that started to coordinate and operate within Europe, across borders.  This network which now has existed more than 5 years has really proved very useful.

It was one of the pillars of the European coordinated response to large scale cybersecurity incidents, and it remains as one of the pillars.  We've seen that time and time again, recently during the Kaseya incident or the ransomware attack against the health care system.  It is a platform to exchange information rapidly and also to coordinate Member States' responses.

So what happened after the request within the form of the appropriate, the Commission responded but it hasn't remained static.  Europe's coordinated response mechanism has evolved over the past five years, and I think that is something that we are very proud of, as well.  So in terms of the CSIRT network, we have the cybercrisis that has its own officers, cybercrisis liaison organization network.  It's a very complex name but the essence of it is that the National cybersecurity agencies not only coordinated an exchange of information at the technical information but they're also at the operational level, when it is needed.  The network has been set up, it has several times it has gathered and it has its own clear goals when it comes to increasing its capacity to coordinate any kind of response to a large scale crisis.

What interests Agency at ENISA is how the Member States and how the EU bodies and institutions collaborate together with the Cybersecurity Act in 2019, it is a mandate to establish synergies between the EU bodies, institutions that deal with international cybersecurity and also bridge these synergies with what the Member States are doing.  And of course we've been doing that gradually when it comes to building up capacities in organizing exercises, putting in place procedures but I think what the most important is that we also are gradually building up a joint situation awareness and understanding what goes on and a system whereby we can exchange information and also of course coordinate our activities cross‑border when need be.

And there I think the recommendation of the Commission that was initiated last summer and that the Council has already also made conclusions on, is also a step in this direction, that we see what still remains to be done, whether the framework, what are the specific goals when I say a situation awareness, this is not something that can be defined in very simple terms, and it is clear as well that it exists in multiple levels, but I think having these more coordinated, more synergetic approach to build Europe's capacity to respond, also capacity to exchange information, capacity to understand, and in the end of the day will help ‑‑ all the actors in the field will help to make Europe more resilient, but also more efficient when it comes to any kind of a response to potential large scale cross‑border crises.  Thank you.

>> MACIEJ SICIAREK:  Thank you, Juhan.  Again we've heard about exercises, so it's something important probably.

Let's go to Poland for a while.  I'd like to ask a question to my onsite guest, Mr. Witold Skomra, from Polish Government Centre for Security.  Witold, as an Advisor to the Head of Government for Cybersecurity in Poland, you day by day deal with various issues of crisis management.  Can you tell us how cybersecurity fits into the general view of the various dimensions of security?  What has changed in recent years?

>> WITOLD SKOMRA:  Thank you.  Maybe at the beginning some words about Government Centre for Security.  We are a small office, close, only 60 workers, close to Prime Minister.  We are preparing our administration for crisis situation, and we coordinate information during them, so we are not decision makers.  We are only office.

I'm personally responsible for critical infrastructure protection.  My team is the link between the work of administration and the work of business.  It's difficult because business has different goals, different language, different attitude to security, for example.  10 years ago, we started to promote an integrated approach to security.  We called it six dimensions of security, or six‑pack, in short.

Typically, organizations tend to divide security into different areas.  For example:  Physical, technical, legal, cyber, personal security, and business is continuity.  We wanted to achieve a state where there is only one security system with several dimensions.  We have to notice, there is no cybersecurity without physical protection of the server room.  There is no physical security without control and access systems and capable solutions.  Of course, there is always a starting point for building such an integrated system.

10 years ago, it was physical security, maybe because terrorist attacks at that time.  Today, that starting point is cybersecurity.  The risks in the cyberspace today than any other.  But there has been another change in this 10 years.  Along with protecting IT systems has come the issue of protecting industrial control systems called OT.  For critical infrastructure protections, OT systems are much more difficult and much more important than protecting IT.  However, the principle of one system with 6 dimensions still works, still applies.

>> MACIEJ SICIAREK:  Okay.  Witold, it is true that cybersecurity is not the ‑‑ it's no more add‑on to the security.  It's in various aspects rather the base of security.  So thank you for this voice.

I'd like to ask Jakub Boratynski, Jakub I know it's not easy to split, to decide the European Commission activities so maybe Juhan touched a little area of your expertise but I think I can ask you for Commission strategic view on completion of your crisis management framework.  Would you please tell us something about it?

>> JAKUB BORATYNSKI:  Thank you very much, Maciej, and thank you for the invitation.  It's a great pleasure to be here in IGF at least in an online fashion.  Juhan indeed gave a very comprehensive overview of all what we have done over the last years.  Let me maybe share more general reflections.

We are at the stage that indeed the scale of the challenge is unparalleled.  Cyber is everywhere, because of course of how far we have gone digital and that actually creates a major challenge actually for policymakers.

I mean, don't doubt cybersecurity is a shared responsibility.  It's responsibility of the citizens, of the companies, of the Governments.  Here in Europe we have a very interesting testing ground because obviously as a community of 27 Member States, we are indeed trying to see how we can best work together.  There are major differences among Member States in terms of the capacities, the maturity so in itself it's a very interesting grant.

If we look, what I would say is it's a challenge for policymakers because cyber is everywhere, and the specific challenge of cybercrisis management is a case in point because when we speak about cybercrisis ultimately this is a crisis that would manifest itself in an impact on ‑‑ in a tangible impact, in a kinetic impact.  The Colonial Pipeline attack in the U.S. which we are at least happy for that part has also been a trig fer for important wave of initiatives of the federal government.  Was a case in point basically showing how basically the attack of a group of cybercriminals blockaded basically on the other side of the planet had such a profound and tangible impact on the security of the supply.

We have to take this fully into account in basically designing the systems that we work which again is very much based on the idea of shared responsibility.  In the EU as Juhan referred to that, we have been back four years ago when we had the first recommendation of how to build this crisis management framework blueprint, indeed we identified the fact if we want to be effective we need to actually on the one hand to address all the levels, the technical level represented by CERT communities, more policy level, represented by cyberauthorities but ultimately we also have to make sure that we have a proper way of articulating this mechanism.  Also, at the political level, as indeed given the stakes involved in case of a major cybercrisis, there is definitely a level of Ministers or even Prime Ministers that would need to be involved.

So this is not an easy task because of this complexity because obviously it's an area of shared activity between the Member States, between the European Union, and also within that context this most recent initiative of joint cyberunit is for us basically an opportunity to work towards completion of this framework, to actually implement in practice what we all know that cybersecurity has different dimensions.  We cannot work in the silos, that we need some ways of bringing together let's say the civilian cybersecurity community with law enforcement, also the diplomatic dimension and finally defense so this is challenging at the level of every country.  It is even more challenging at the European level but I think this is really the direction in which we need to go.

Last but not least we speak about crisis management, which is a lot about exercising, about preparedness, about having the right situational awareness is also what Juhan was stressing and of course having the procedures in place so that we know whom to call when, and I think in such a complex organism like the EU, this is really not easy.

But with all of that, I think this basic investment in cyber‑resilience is of essence, so the work is I would say bread and butter for example for our friends from NIST are doing, that investment at the level of the companies is essential and in that sense, we have this new, let's say, face of the Director in cybersecurity legislation which we are now let's say in the advanced legislative process which is, there are issues related to crisis management indeed, as well, but what is ultimately most essential is that we will have really a significant part of European economy of important companies in many Sectors now covered by basically baseline cybersecurity rules, and I think this is something that in terms of us being ready for the crisis when it comes is of fundamental importance.

Again all of that of course requires sometimes out of the box thinking, not just being stuck with the way we have been doing since forever, and obviously last but not least which is important message in the context of IGF, finding ways how we can cooperate on this internationally because of course the cyberthreats are universal, the same attacks are targeting important assets across the globe.  So thanks a lot for this opportunity again and back to Maciej.

>> MACIEJ SICIAREK:  Thank you, Jakub, for this introduction to the what the Commission does.  We'll be back in a while in a question of international cooperation and Intercontinental rather cooperation but I'd like to come back to Poland for a while and ask Witold, because Jakub was talking a lot of regulations.  We talked about regulations recently, talking about adaptation of your regulations and its possible amendments to the law in Poland, and you said that regulations supporting cybersecurity and crisis management mostly and I stood the directive and project of CER, directive so critical and infrastructure resilience, impose various obligations to entities including Private Sector of course, which provides key essential services.

Do you recognize any threats to fulfillment of those commitments by entities and companies?

>> WITOLD SKOMRA:  Yes, we finish first step of preparing critical entities resilience directive, a proposal of directive of course, at the moment.  Both of the directives are very important, a very big step towards increasing the resilience of services critical to security of the European Union residents.

Critical entities will have new obligations.  However, there's little talk about Government support for these entities.  Of course exercises, know‑how and something, but there is still a prohibition on direct financial support of entities operating in the common market.

There are already situations where an entity is prepared to give up part of this business, if the obligations are too costly.  I often wonder if the entity maintaining critical service is still clear or regular business, or maybe a public institution, and whether therefore part of the costs connected with public security should not be paid by the State.

Maybe it's not the question for today, but in my opinion, maintenance of electricity, of water supplies, it's too serious an issue to be left only to the rules of the free market, so connecting Government and Private Sector will change because of cybersecurity.

>> MACIEJ SICIAREK:  Thank you, Witold.  I'd like to touch this international and intercontinental subject.  Juhan, if I can ask you about the aspect of coordination, international coordination, but I mean, Pan‑Europe coordination, because in a while, I would like to ask our panelists from Korea and U.S. about similar things.

Do you think ‑‑ how do you think we can come on the international level?  Because the inside Europe coordination is for us only first step.  Some problems with coordination even in Europe were mentioned, but it's not enough.  How to coordinate this aspect over a continental level.

>> JUHAN LEPASSAAR:  It's a conundrum.  Thanks very much for this, because we're an internal marketing agency, so our mandate is to enhance whether it takes place within the ‑‑

>> MACIEJ SICIAREK:  I know.

>> JUHAN LEPASSAAR:  But I think if you look beyond this, there are a number of areas where we have common interests, and I think this is something that, of course, if you look at capacity building and awareness I think especially with the partners with which Europe shares similar values and has longstanding economic relationships established relationships, I think there is a lot which can be done in terms of awareness raising, capacity building, resilience.  We talk about standards and potentially building certification skills which will be applied within the internal market, but of course we are interested that like‑minded partners across the world understand these steps and potentially also follow these, so I think there is a lot of scope for cooperation and also when it comes to responding to potential cybercrisis of course, and this is not now the territory where I feel comfortable about, but we'll probably need to ask Cuba and unfortunately we don't have an External Action Service in the panel but I think the recent steps that Europe has taken vis‑a‑vis the diplomatic toolbox together with our allies across the globe show that there is also a scope for good cooperation and coordination on these matters.

>> MACIEJ SICIAREK:  Okay, so if you have mentioned External Action Service, maybe Jakub can comment that this topic.  Jakub, can we imagine exercises that are touching in of course in civil area?  Because we know that in military area, we've got some exercises coordinated by NATO, but can we imagine some exercises combining Computer Emergency Response team or coordination networks from various continents, or generally how European Union can contribute to achieve preparedness to crisis touching society and consequences of cyberincidents, what other ways we can find together.

>> JAKUB BORATYNSKI:  Well, I indeed wouldn't prefer to speak for External Action Service, but based on my understanding of how things are today, first of all, we have to realize that in please matters of course trust is extremely important and that is why, you know, promoting information sharing with international coordination takes time.  We have this challenge everywhere at all levels.  You have challenge at the level of Member States.  You have this challenge in Europe.  And clearly when it comes to international arena, the challenge is even bigger because we don't work for obvious reasons on a daily basis together.

What Juhan said is extremely important.  Of course, the question of the principles, values, is of fundamental importance.  In that sense I think that we can clearly see more room for cooperation with like‑minded countries.  If I refer to both representatives of the U.S. and South Korea who are on this call, of course they are definitely partners with whom we have established cyberdialogues, we coordinate our positions not only on international arenas, we shared the Division of the Internet.  Now I wouldn't be so specific to now speculate how far can we have a specific common exercises.  I would say clearly there is room for cooperation for example within CERT community which exists because there are different international fora on which this cooperation is taking place.

But I would say clearly now we are seeing on this particular point we would be stepping up our cooperation with the U.S. on Cyber Issues so I would say that creates a space for some specific initiatives that would ‑‑ that could go further than is the case today.  Thank you.

>> MACIEJ SICIAREK:  Thank you.  Of course, this session is too short to touch all the levels of coordination that are possible.  Technical coordination, strategic level, and at the end this level we have also mentioned so political and matter of diplomacy but of course as Jakub mentioned, or partners from Korea and U.S., so let's return to Korea.

Dong, if I can ask a question about your view on international cooperation.  As you have heard, in European Union, we developed some tools and structures of cooperation.  They are created and considered for future.  Could you point to some main actions that may be possibly developed and implemented on international level, for example with your attendance, cooperation between Korea and European Union, the United States, to avoid consequences of cyberincidents on citizens' lives, economy, and so on?

>> DONG GEUN LEE:  I believe that international cooperation beyond Europe and South Korea can be considered in several ways.  For example we could conduct joint cybersecurity exercise for preparedness of instance affecting the world, such as cases where their infrastructure is attacked.

Another is building a system that can quickly exchange information in the event of cyberthreats, as well as sharing information to prevent the spread of cyberthreats in our Region.  Also to make one more suggestion, it is thought that a campaign to raise awareness will be possible.  Thank you.

>> MACIEJ SICIAREK:  Thank you, Dong.  So Amy, could you comment on this topic of cooperation.  Jakub mentioned it that trust is key feature of cooperation.  I think we can all agree with that.

Mr. Dong Lee is talking about possible common exercises that I also mentioned several times.  Could you comment, could you tell us how do you see this possible cooperation?

And I think in fact, technical cooperation, exchanging various feeds from systems is a base of cooperation to learn more what's happening in our cyberspaces.  Could you comment, Amy?

>> AMY MAHN:  Thank you, and we'll definitely build off the excellent remarks so far from my Fellow panelists, all very great points that have been raised.  Noted since an international Policy Specialist a lot of my work centers around international engagement on our cybersecurity and privacy resources and at NIST we very much found value in these types of exchanges, at this time pacing bilaterally and multilaterally in discussions on these approaches and resources such as this and believe that it's very important to continue these conversations especially as the tools and resources and frameworks that we develop often need to be updated to keep up with changes and emerging threats and changes in the cybersecurity Risk Management landscape so we definitely value and want to continue engaging in this way to share information and learn from others and see how these types of tools can be adapted and continue to be approved to meet these types of threats.

I noted our cybersecurity framework that had been organized under the five functions of identify, protect, detect, respond, and recover, and we had found value in that in the United States and from that collaboration with the Private Sector who also agreed and stakeholders saying that having that common language have been very important, and those with varying levels of cybersecurity expertise could engage at the level of the five functions, and those who have more technical expertise to implement and use certain standards and guidelines to achieve those outcomes.  When everyone is speaking on the same page, it saves time in responding in a crisis, and as we've had conversations on the framework, we've seen others use similar approaches, and we learn from seeing that type of implementation, as well.

When our cybersecurity framework first came out, the President asked us to put out the first set of voluntary guidance that has to be used by the Government but we saw used internationally including with Italy, who used elements of the first version of the framework.  Japan was the first to translate and use it within national policy.  Israel putting it in that cyberdefense methodology.  Uruguay, who is on the fourth.  Using this across regions has been helpful and we found value in hearing how others have used it, seeing the ways they've adapted it and have existing translations of the framework in Polish, Spanish, Arabic, Indonesian and others and helping make that available has been helpful and something we continue to do in the future.  A framework and our framework leverages International standards.  That's an area where we want to continue cooperation with our partners in the development of these standards and using that open and transparent collaborative process to develop standards that can be used and leveraged and applied across varieties of critical infrastructure Sectors and within different countries to help improve ways we can respond and manage things that can happen during an incident.  Even going very far back in our history in our country there was a great Baltimore fire where a crisis was happening, there was a fire burning and people had come from neighboring areas bringing their hoses to try to help and contain this fire but because there was not standardization of the equipment, hoses wouldn't work on the hydrants there and that was a time that was more challenging to try to contain that crisis because there weren't standards in place to rep reduce complexity and make more efficient the way we respond so we're still very much fans of continuing to develop these international standards that be used in our tools and frameworks and help improve the way we manage and mitigate effect from different crises and even with our cybersecurity framework, we very much invite international and all types of engagement on the development process, and even when we last updated the framework back in 2018 we'd hear from stakeholders about different new emerging types of threats or different topics that should be incorporated into it to make it a useful tool so now there's mention of supply chain and coordinated vulnerability disclosure and just as an executive order helped start the development of the framework NIST is also currently working with partners throughout the world on different executive order for improving our nation's cybersecurity that asks us to develop more tools and resources around supply chain security, also a labeling program and criteria for that and we've very much benefited from having participation and virtual workshops.  We put out draft documents for comment and that helps us to gather that input and put it into our guidance.

We also will keep working with industry and partners throughout the world.  We have a national cybersecurity center of complex that takes advantage of the fact we can use and leverage existing technology and international standards to solve different cybersecurity problems across critical infrastructure Sectors.  We actually do have a physical lab that's set up with participants and industry members who come on a voluntary basis to help develop these solutions and it comes out in practical guidance organized in those five functions of the cybersecurity framework including responds and recover.  Examples like in our health care Sector, there have been a problem of how to more securely deploy medical infusion pumps since there are a lot of benefits to linking those pumps to electronic patient health care records but also a lot of vulnerability is introduced to allow somebody to break in, change the dosage or turn it off or some other type of malicious incident so by working with our partners there we were able to develop some solutions where we don't always say it's the best or the only solution but just one way to approach that problem.

So we want to continue those efforts of working with the Private Sector and international partners to develop these types of solutions for problems that we're seeing and also using aspects of the cybersecurity framework to develop a profile for managing ransomware risks, another type of threat we've been seeing more recently and taking advantage of how an approach like the cybersecurity framework and those various outcomes for how to better protect critical infrastructure and respond if an incident occurs and restore your critical infrastructure services as you're responding, how that can be used in this specific type of context and we've put that draft out for public comment and inviting feedback as we refer to expertise around the world of how to approach the problem and want to take that into account as we develop the profile.  So we hope we can continue this type of cooperation speaking in these types of dialogues and participating in standards development organizations.  Even ISO/IEC released some documents with aspects of the cybersecurity framework and approach be but does not say NIST or the U.S. Government but is a document coming out of a standards development organization that helps make this approach widely available so those are the types of areas we hope to continue in, and I know there will be many other ways and opportunities for us to engage on these important areas so thank you again for the chance to share some information on our approach.  Appreciate it.  Thank you.

>> MACIEJ SICIAREK:  I like the way you're talking about standardization.  It's nothing strange, with representing various institutions in standardization.  I can also confirm that talking about preparing guidelines for cybersecurity of cloud services in Poland, we are looking carefully at what NIST is giving in cybersecurity framework, so thank you very much.

Yes, we've got still about 15 minutes.  Katya, do we have some questions in the Q&A chat are room?

>> KATARZYNA SOKOL:  Well, thank you, Maciej.  I think if I may, I think that the topic of cybersecurity and crisis management is equally important and equally interesting and broad.  So therefore, I think we have just scratched the surface really but because we have such a distinguished speakers and it's such a rare opportunity, I think we should take advantage of that and give an opportunity to maybe exchange some thoughts or some questions between the speakers.  I think that if maybe you would like to ask some questions from each other, make it more interactive, that would be also of interest to us.

If not, I would ask the audience to ‑‑ I would like to give them the opportunity to ask some questions because clearly the question generated a lot of interest, and it is such a broad issue, so therefore, maybe our distinguished guests, do you have any questions to each other?

If not, then I would like to turn the floor to our audience.  Ladies and gentlemen, do you have any questions?

Great.

>> MACIEJ SICIAREK:  There are two hands up.

>> KATARZYNA SOKOL:  Let me pass the floor to our first guest.

>> AUDIENCE:  Okay, I have a question for Mr. Lepassaar.  Could you tell us something more about the role of joint cyberunit in the cybersecurity ecosystem of European Union?

>> JUHAN LEPASSAAR:  Thank you for the question.  I think ‑‑ how much time do we have?  15 minutes, okay?

>> MACIEJ SICIAREK:  We've got still 15 minutes, some time for closing remarks.

>> JUHAN LEPASSAAR:  Of course, I'll dip into this as numerous seminars among the U.S. and Member States and we're still not there of saying what the precise role is.  I think it is very much a work in progress.  I think the concept of the joint cyberunit is quite clear, that there should be more synergies built between first the EU institutions, bodies, and Agency, when it comes to building resilience, but also synergizing their own capacities in order to help Member States to respond to large scale crossborder cyberincidents at the EU level.

And then of course how to also facilitate the coordination and collaboration between the Member States in such crisis so I think that is the overall premise of the joint cyberunit.  It is not a unit.  There is nowhere anywhere a specific structural entity.  It is more like a platform or network or an umbrella of existing cooperation mechanisms to make them more efficient, streamline them a bit, but also see whether there are any gaps that still need to be fulfilled.

For me, first and foremost what I see is the creation of a common situational awareness between the EUXs but between the Member States to see how the UXs can contribute and add to the value of the awareness of the Member States.  That's the first step for me.

And everything else follows from that.

>> MACIEJ SICIAREK:  Yeah, okay so it's kind of new cooperation idea which is the next puzzle among the CSIRT network, and so on.  Okay, thank you.

Next question from audience.

>> AUDIENCE:  My name is George.  I represent the Georgian Information Security Association.  I have two questions, one to Mr. Lepassaar, as well.  You mentioned the cooperation between the member countries and the different opportunities for them, so of course, my question is about the countries beyond the EU which are the associated members.

So apart from the harmonization twinning projects which running almost two years right now, we have the EU twinning project to harmonize the Georgian cyberlegislation to the NIST directive, but, like, this is okay, but what about the other opportunities for more tangible and technical expertise?  I mean, like, I receive a lot of offers on LinkedIn, for example, about cooperation for ENISA in terms of the cyberexpertise and consultancy but when it comes to the nationality, they say you're not a EU member country national, so sorry for that.  So it's a final stage actually worry so it's about my personal experience but about the institutional experience, what opportunities and chances so‑called we can say will have the member, not member countries but associated member countries, which tried and which are knocking on the EU doors.  As we know the playground for our ‑‑ the adversaries often are Ukraine and Georgia in terms of the cyber as well, apart from the other playgrounds so that's for Mr. Lepassaar.

And one quick question for Ms. Mahn from the NIST, will be about the, we have the Risk Management framework.  We have the cybersecurity framework revised and et cetera so is it expected to be somehow combined version of that in the nearest future, to have the CSF be next edition?  But incorporated with the IMF, as well?  Thank you.  Thank you in advance.

>> MACIEJ SICIAREK:  Okay, so if we can start with the question to Juhan Lepassaar.  And thank you for the Georgian question.  Yes, it's a very interesting aspect.

>> JUHAN LEPASSAAR:  So as I mentioned of course, we are an internal Agency so whatever we do beyond the borders of the internal markets needs to add value to our mandate.  And previously when the question was raised and I mentioned awareness and I think I would like to specify awareness about what?  I think there is merit especially with the associated or neighborhood countries to understand the threats and the risks in a similar fashion so I think of course raising awareness there, so that we both understand what the threat landscape looks like, how would be the best ways to respond.  With what are the risk assessments methods.  When we talk about technical terms, there's a lot to do in the taxonomy so that we have a clear understanding what we are talking about, so I think these avenues are something that I would like to explore.

But again, there the keys of the cooperation are held by the Member States and the External Action Service to help and assist but we're not driving this cooperation forward.  Thank you.

>> MACIEJ SICIAREK:  Thank you, Juhan.  And question to Amy?

>> AMY MAHN:  Thank you.  Very much appreciate that question and understanding that at NIST we do have a lot of various frameworks as you noted our cybersecurity and Risk Management frameworks and we recently published a privacy framework and our National Initiative for Cybersecurity Education, NICE, recently updated their workforce framework showing different competencies and ways to better achieve and train cybersecurity staff, so since we have various documents were constantly looking for ways to better integrate make them a little more aligned as the privacy framework came out in 2020 and we made it similar in structure to the cybersecurity framework with five functions and categories to help make them a bit more complementary and better able to be used together.

As of now we don't have one sort of framework that incorporates all of them but we have continued to try to put out guidance to show how these frameworks can be used together and better integrated.  That's an area we're always looking for more input on how we can better do this.  I noted earlier we'll be updating the cybersecurity framework, and we'll be also doing that in conjunction with our executive order to produce supply chain security guidance and maybe look for ways how that update of the cybersecurity framework can help achieve those goals whether a framework on that supply chain area so we'll continue having events and asking for ideas how to better incorporate the different frameworks and make them better able to be is interoperable with each other but we have various ones that showed how they can be used together but always open to feedback on whether that looks like we need one better integrates them or continue this specific type of guidance.  Thank you.

>> MACIEJ SICIAREK:  Thank you, Amy.  Any more questions from audience?  Maybe one question from the chat room.  We are almost run out of time so I will let me give the message if any of the questions is not answered, we'll try to send them to the panelists and answer in written form.  You can also refer to the I mail address [email protected].  We can be back with answers but please Katya if you can catch something from the chat room.

>> KATARZYNA SOKOL:  Unfortunately as usual we have more questions than time available.  But let me just maybe address one of the questions from Mr. Amir Mokabberi.  Hello, everyone.  I am from Iranian academic community.  My question is, don't you think it is better to totally ban destructive cyberattacks with such a huge effects on civilians by legally binding instruments at global level rather than regulating cyberoperations in the interests of those who have already offensive capabilities and doctrines?

Okay, well, anyone would like to address that question?

Any of our speakers?

>> JAKUB BORATYNSKI:  Maybe I will comment.  I think it's always important to remember that we have actually a very robust framework which is provided by Budapest Convention which was created 20 years ago which is I think by the way a remarkable example of how in this fast‑changing area there was really a commendable effort of defining the type of cybercrimes in a fairly neutral technological manner.

Now so I mean that has been very much position of the EU and of a number of like‑minded countries that this is really a very useful tool.  And even if it is not being ratified as such, it has been also used as a blueprint for National cyber laws.

We have of course an ongoing, in the UN at every stage but I think on that, it's clearly not going to be easy to reach an agreement as it is very difficult to actually completely somehow divide or take out of the context the issue of fighting Cybercrime for also our views of how we see basically it to be governed internationally, on that we do not have a consensus and we do not have a consensus in the context of the UN, so I think that what again could be really a good step forward, just basically to build, which many countries did it actually, the laws based on what has been done in the context of the Budapest Convention.

>> MACIEJ SICIAREK:  Thank you, Jakub.  I was sure that 75 minutes is not enough for such meeting but we don't have more time.  Just a while before we started somebody asked me if I plan any closing remarks.  And I said no, however I'm not sure but while later I thought it may be available time for opening remarks because I strongly believe it's worth of opening remarks for future cooperation and even though cooperation approach, those are words that are recognized as sort of buzzwords when we talk about cybersecurity, I strongly believe that we should concentrate on real cooperation in Europe and also thank you very much for Georgia for the question about countries that are very close to Europe with which some ambitions and with future Association with European Union.

So both are also very important questions about cooperation.  So let's leave it at opening remarks for future.  I hope we will publish some summary of the session, and feel free to contact us.  We will invite all your questions or all your suggestions to fulfill this information about cooperation and make stronger connections between cybersecurity and crisis management.

Many thanks for all who took part in the session.  My special thanks for presence and contribution to the panelists.  Thank you Amy, thank you, Dong.  Thank you, Juhan.  Thank you, Jakub, and thank you, Witold.  A really special thanks to Korea.  It's later than 1:00 in the night so, Dong, special thanks from Katowice.  Thank you very much and feel welcome to contact us.  Thank you.

>> KATARZYNA SOKOL:  Thank you.

[ End of session ]