IGF 2021 – Day 3 – OF #50 Protecting the Public Core: Next Steps after the OEWG & GGE

The following are the outputs of the captioning taken during an IGF virtual intervention. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid, but should not be treated as an authoritative record.

***

 

>> We all live in a digital world.  We all need it to be open and safe.  We all want to trust. 

>> And to be trusted. 

>> We all despise control. 

>> And desire freedom. 

>> We are all united. 

>> ALEXANDER KLIMBURG: Well, hello, everyone.  My name is Alexander Klimburg.  Welcome to today's session.  I'm the Director at the Hague Center For Strategic Studies, and I have the privilege of serving as a Director of the Global Commission on the Stability of Cyberspace.  It was a multistakeholder initiative encompassing 29 leading cyber experts from 16 countries including former ministers, heads of security services, but also thought leaders from the Technical Community, Civil Society, academia, and business.  Our final report, Advancing Cyber Stability, was launched November 2019 at the Paris Peace Forum by the French and Dutch Foreign Ministers, and has gone on to have, as one academic observer noted, a significant and measured impact on international discourse primarily in the U.N. first committee processes.  The impact included also helping define the term cyber stability, also presenting something called the cyber stability framework, but most visibly it's been our eight norms of responsible state and nonstate behavior in cyberspace. 

  One of these norms is a norm of noninterference in the public core of the global Internet and has been the most successful.  It has been featured virtually in every predraft of major international cyber diplomatic discussions in the last couple of years.  And we sometimes heard it being one of the most discussed terms and most discussed norms of them all. 

  Today we will drill down a little bit on the public core term as well as see where we are in the discussion around it.  We have three commissioners from the Global Commission to help explain the public core, and then four outside experts to help share some comments before kicking off into what we hope to be a group discussion.  So if you have some questions or points that you would like to raise, please use the friendly chat box, the chat function.  And then I will pick those ‑‑ either pick those issues out directly or call upon you to make your points. 

  With that, I'd like to first turn to our three briefers.  We will first ‑‑ they need no introduction, but I will introduce them anyway.  First we have Olaf Kolkman.  He is the Principal of Internet Technology Policy and Advocacy at The Internet Society.  He is also a board member of the Global Forum on Cyber Expertise.  Next we will have Anriette Esterhuysen, who is Chair of the Multistakeholder Advisory Group of the IGF.  Previously she was Executive Director of the Association For Progressive Communication.  And then we'll have Wolfgang Kleinwachter, Professor Emeritus from the University of Aarhus and a former ICANN board member and a leading academic on the subject of Internet governance.  With that I'd like to turn to Olaf.  The floor is yours. 

>> OLAF KOLKMAN: Thank you.  Yeah.  This is a small introduction to the public core norm that the Global Commission developed.  I'll be sharing this pleasure with other commissioners.  So let me start a little bit with looking at attacks on the Internet.  They happen.  And they happen with some regularity, if I may say.  There are some examples that we've listed here of attacks that really take benefit or use the Internet infrastructure as a steppingstone for further attacks.  DNSpionage.  This was an attack where the DNS was used to change the entries so that man-in-the-middle attacks could successfully be taken.  Advanced persistent threat actors that undertook this work, they used the DNS and then changed ‑‑ were able to get secure credentials to validate web resources. 

  Another attack, Netnod, was sort of a man‑in‑the‑middle attack of infrastructure of Netnod.  Netnod is a provider of DNS services, a registrar, and their registrar business was attacked in order to change pointers in the DNS, which then were used as a steppingstone for further attacks against third parties.  Google, Facebook, Microsoft, Apple targeted through an accidental BGP error.  BGP errors happen all the time, misconfigurations.  But some of these are suspected to be of a malicious source.  That's not always easy to prove.  But in this case, this example, there are strong suspicions. 

  And then something that we've seen a couple of times, for instance, in October 2016, massive DDoS effects ‑‑ attacks on the DNS where multiple devices are sending DNS queries, and the DNS is sort of used as an amplifier of traffic and then takes out a subject. 

  A third ‑‑ not a third example ‑‑ a fifth example is cable cuttings.  Cables make up the infrastructure, the life support, so to speak, of the global Internet.  There are cables across the oceans.  And sometimes they are cut, an accidental anchor.  Again, this is where accidents and maliciousness happens. 

  Now, if states and nonstate actors do this, they hurt the availability of the Internet.  They hurt the availability of the network of networks and all the infrastructure that is needed, physical and logical, to connect this all together.  And that's an issue. 

  So that is why the GCSC, the Global Commission on the Stability of Cyberspace, defined a norm, a proposed norm, which is about protection of the public core of the Internet.  And it reads "state and non‑state actors should neither conduct nor knowingly allow activity that intentionally and substantially damages the general availability or integrity of the public core of the Internet, and therefore the stability of cyberspace."  

  In the report, in our final report, we are defining what that is, what the public core of the Internet is.  And the public core includes packet routing and forwarding, and that in itself includes, for instance, physical and logical infrastructure.  Routers, switches, and those type of things, but also the configuration and the standards that make up these infrastructures.  Also the logical infrastructure. 

  The naming and numbering systems.  Think of the DNS, but also the infrastructure of the IRRs that hand out the addresses and their back‑end systems.  And, for instance, the PKI system that secures that.  And talking about PKI systems, cryptographic mechanisms of security and identity.  So the web PKI, the things that ‑‑ the infrastructure that makes sure that you can validate a site that starts with HTTPS, so to speak.  And then finally, the physical transmission media such as Trans‑Atlantic cables. 

  If you closely read the proposed norm, you see that it is a call on state and non‑state actors and that it has language that precisely talks about proportionality and such.  So that it is a norm that can actually be adopted by states and still allows them to take out ‑‑ to take limited ‑‑ to take limited defensive actions. 

  So with that introduction, I would like to hand over, Alex, to who?  Esther? 

>> ALEXANDER KLIMBURG: Yeah.  Thanks.  Next is Anriette Esterhuysen, how the norm has been received so far and how it connects to global digital compacts.  Anriette? 

>> ANRIETTE ESTERHUYSEN: Thanks, Alex, and welcome to everyone who is here in the room.  Actually, the numbers are increasing as people walk in and to everyone who's online here.  I’m in Katowice. 

  I think that the careful background work that was done in developing this norm is reflected in the fact that it has received significant support.  If you look at this map, you'll see that the support is reflected.  Firstly, the green countries, those reflect support for the norm via the Paris Call.  The Paris Call, I think, first was in 2018 in Paris where a group of states and other non‑state actors came together to talk about Internet governance and a stable and secure Internet.  And this document expresses and includes a part for the norm under the protection of the public core. 

  The yellow countries are countries that are still discussing it and that are still considering how they stand with regard to the norm.  And in red, there's a country that's indicated that actively doesn't support the norm.  But aside from these national‑level support, this means significant uptake of the norm in various multistakeholder and also in intergovernmental discussions.  And I think as is on this slide, you see the quote there at the bottom, "we should all be determined to protect the core of the Internet as a global public good."   And I think the sentiment reflected there in Chancellor Merkel's ‑‑ or ex‑Chancellor Merkel's remark links us to the current discussion we are having about the potential of a global digital compact that has been mentioned in the U.N. Secretary‑General's document outcome and agenda. 

  And I think why that is so significant ‑‑ and I think why the public core norm is so significant is that as Internet governance diversifies and is increasing –- distributed on the one end and specialized with specialized institutions from cybersecurity sector, to intellectual property, to market regulation, as the processes of Internet policy and regulation and the institutions that deal with them become more diversified, the more important it is to have some common principles that can underpin this growing ecosystem of Internet‑related policy and regulation.  And I think that's historically why this norm is so important.  And I think if it can take us closer to this recognition that Chancellor Merkel states here on the core of the Internet as a global public good, I think the more solid will be the foundation for Internet governance.  Back to you, Alex. 

>> ALEXANDER KLIMBURG: Thank you, Anriette.  Next I'd like to invite Wolfgang Kleinwachter to comment a little bit on what is and what is not the correct interpretation of the public core norm.  We've seen it in circulation.  It has a rather good uptake, and now we come to the exciting topic of interpreting the public core norm.  So over to you, Wolfgang. 

>> WOLFGANG KLEINWACHTER: Okay.  Thank you, Alex.  It's really a pity that we are unable to meet in person in Poland and hope that the next IGF will be an in‑person opportunity because the issue will remain on the table for the coming years.  And, you know, what I see after two years of discussion of the public core norm, there are two issues, you know, which needs further clarification.  One is really the understanding what it means by the norm.  It's the interpretation question, and the other question is what to do.  Olaf has outlined, you know, the various attacks against the public core, and so the question is what to do ‑‑ how to react to these threats. 

  You know, as far as the interpretation is concerned, so I think it's important to remember the discussion in the last 15 years about the whole Internet governance ecosystem where the Tunis agenda which was the founding document also for the multistakeholder approach differentiated between the development and the use of the Internet.  I think this is really a very important differentiation because, you know, the development of the Internet, these are more the technical aspects where you deal with the resources and the public core of the Internet, as Olaf has said, you know, includes all this.  Domain name system, IP addresses, and routing system and all this, you know.  This is the core of the Internet which is related to the technical functioning of the Internet.  And which Goran Marby, the COO of ICANN, now has coined as the technical Internet governance.  The use of the Internet, this is more of the public policy issues.  And this creates the majority of the problems also discussed in the IGF.  These are issues like general cybersecurity, Digital Economy, human rights, and other issues.  And both layers are interlinked, but these are separate issues. 

  And I often compare the core of the Internet that means the technical neutral resources like the air.  So it means this can be – this is a neutral resource that can be used by everybody.  And if you open the window, then air comes in.  There is no Chinese air or Russian air or American air or European air, so the air is for everybody.  And this is also ‑‑ this is the public core of the Internet.  Domain name system, IP address system.  These are neutral resources which, you know, keeps the whole system functioning.  And I think this is really important to stress, that one of the risks next to the criminal attacks against the public core is if you politicize, let's say, these neutral resources, then you add an additional threat to the functioning of the Internet. 

  There was a debate in the business process that, you know, whether the responsibility should go to the management of these resources, to ICANN, and to the Technical Community.  I think over the years the Technical Community which is called now ‑‑  this is called empowered community after the (?) has demonstrated that the whole system is functioning. 

  And, you know, the pandemic was more or less a stress test, an unbelievable stress test, for the functioning of the Internet.  Because during this time it became very clear that the Internet is so important, you know, for the national economy for our daily life, and there were no problems getting an email address, getting an IP address number, and domain name, so that means the whole system in the background worked.  And it worked because it's a distributed system with very clear and shared responsibility among the various partners. 

  So the misunderstanding what I see is that some people say, okay, if there are threats, and this is now the new question, what to do if there are threats against the public core, what should we do?  And, you know, some governments have the idea we need governmental oversight.  So this exactly would be like pollution of the air.  This would, you know, undermine because if you bring geopolitical conflicts to the management of the technical resources, then you undermine the stability of the system.  So that means if governments want to do something, in my eyes they have two options.  One is they can use the governmental advisory committee in ICANN or the consultations which are established between the IARs and other technical Internet bodies which they have established with these governments, and the other channel is they can more or less declare that, say, do not interfere into the day‑to‑day operation of the management of the critical Internet resources.  So that means the best thing for the stability of the public core of the Internet is the non‑interference of governments into this and not, you know, to control it or to try to overtake management functions. 

  I think for years there was a debate because the U.S. Department of Commerce, which never interfered into the management, had an oversight role over the root service system and (?).  So this argument is won.  Now all governments are equal, so there is no privileged role for one government, and so far it would be best, you know, if the government would respect the functioning of the public core, as they have recognized in a certain degree in the Tunis agenda that this is in safe hands in the so‑called empowered community. 

  Thirdly, you know, if there are criminal attacks, then something has to be done.  This has to be first specified.  The whole thing is too important and too risky just to cross your arms.  One has to discuss what can be done, but it needs a trust in what people call the technical Internet governance mechanism that can, say, react adequately.  So I'll stop here, and I look forward to your comments.  Thank you very much. 

>> ALEXANDER KLIMBURG: Thank you, Wolfgang.  So as mentioned, we're going to first turn to some ‑‑ to four expert briefers to provide – outside expert briefers to provide their respective perspectives on the public core before turning to the audience for a group discussion.  But just to follow up on Wolfgang's point, I just wanted to draw attention to the chat box where I've put a link on statements released by the Global Commission on interpretation of the norm on non‑interference in the public core that we issued in September 2021.  So that provides a bit more additional (audio fading in and out) (silence) expert commentators.  First up is Ingmar Snabilie.  He is a Senior Policy (audio fading in and out) (silence).

>> LOUK FAESEN: Alexander, I think you ‑‑

>> ALEXANDER KLIMBURG: -- Ministry of (audio fading in and out).

>> LOUK FAESEN: Sorry, we're having some audio problems with you currently, Alexander.  There's a little bit of a lag.  But maybe let's hand it over to Ingmar, and then maybe you can fix it in the meantime. 

>> ALEXANDER KLIMBURG: Yeah.  Ingmar, please, pick up.  Thank you. 

>> INGMAR SNABILIE: Thank you.  Can you maybe just confirm whether you can hear me, see me?  Yeah?  Okay.  Great.  Well, first of all, thank you so much for inviting me to speak on this panel.  My name is Ingmar Snabilie.  I work at Cyber Task Force of Ministry of Foreign Affairs of the Netherlands.  I'm working mostly on the sort of first committee processes, currently the open‑ended working group on cyber, and previously I worked at the U.N. Office For Disarmament Affairs where I also supported the two previous negotiation processes on international cybersecurity.  And it's great that you're organizing this event at IGF which I think is a very useful format and also a great way to make the link to the new open‑ended working group that will start its discussions ‑‑ its substantive discussions next week.  So for me, this is also a great opportunity to learn from some of the technical experts and follow the discussion. 

  And I want to sort of zoom in a little bit in my intervention, and not being a technical expert at all, about some of the uptake of the norm particularly in the U.N. context.  And Anriette also already alluded to this.  And I'll zoom in a bit on the open‑ended working group and how to also take forward the public core of the Internet and the protection of the public core of the Internet in this new process. 

  So maybe just to start with how some of the threats or the challenges that we see I think, like, Olaf mentioned some of the attacks and threats to the public core of the Internet.  Those, I think, are very ‑‑ of a lot of concern, especially as they impact large populations.  I think that is also very important to note.  Also, the sort of undermining of trust.  I think people's trust in the Internet and the functioning of the Internet in their use, both privately but also for organizations I think is also a crucial element and really a reason that protection is so important.  And this, I think, you know, is also what Wolfgang mentioned, really crucial ‑‑ this was really tested and really deemed critical and shown as critical during the COVID crisis that, of course, we're still in and are resorting to digital technologies and the Internet is like never before. 

  For us, it also relates to human rights because think about, for example, Internet shutdowns or other attacks against the availability of the Internet can really undermine right to freedom of expression, right to freedom of assembly.  So we see this as a part of a broader sort of agenda of promoting cybersecurity but also really promoting digital trust in human rights. 

  And another element that we see as a trend that I think is important to address is that states are increasingly facing questions around sort of policy and regulation of the Internet.  And I think Anriette also has spoken about this and brought this up where, of course, it's becoming more complex.  The model for the Internet, as it was first conceived, of course, is now looked at from a perspective that the interests in the Internet that states have is huge.  So they have that ‑‑ there is a tendency to look at regulation, and for us, for the Netherlands, it is really important to preserve the multistakeholder model that is used for Internet governance currently and that really sort of guarantees that free flow of ideas and has really been vital to socioeconomic progress until today.  So I think that's really important, both this element of threats to the public core but also looking at broader Internet policy into governance and how to preserve that multistakeholder model. 

  So maybe to zoom in on the report.  So the GGE and the open‑ended working group -- and some of you might be more familiar with this than others -- but these were two U.N. negotiation processes on international cybersecurity, and they both reached a consensus and came with their final reports around this spring, summer this year.  And they both addressed the public core of the Internet, be it in different wording.  And here I would sort of stress that the technical experts often don't like ‑‑ you know, they don't like the definitions or the jargon used in some of these reports, but that's really because that's the way consensus is found, and sometimes different wording is used in there.  The public core is really often referred to in these reports as the availability and integrity of the Internet or the technical infrastructure essential to the availability of the Internet.  So when I refer to public core, you usually see it in that kind of wording. 

  So both these reports, the GGE and the open working group report, recognized the public core in different wording under threats, saying that threats – malicious ICT activity affecting the technical availability or integrity of the Internet are a specific concern.  I think that was an important step.  The GGE also recognized the public core of the Internet under critical infrastructure.  There's a norm in the report -- it's been adopted before -- but on critical infrastructure protection.  And that's ‑‑ so that means that the public core in that sense was not adopted as a separate norm, but it was sort of -- it became part of another norm and a norm on protecting critical infrastructure is key there, but also on the norm that says that states should not conduct or knowingly support ICT activity that intentionally damages or impairs the use and operation of such infrastructure.  So I think that is also a very clear protection and sort of endorsement of the importance of the public core of the Internet and the protection thereof. 

  And it's also linked in the GGE report to the functioning of international trade, financial markets, global transport, communications, health, et cetera.  So I think that's also an important link.  And to supply chain security where the importance of protecting supply chains against harmful hidden functions and exploitation of vulnerability and ICT products may compromise the confidentiality, integrity, and availability of systems and networks.  So there's not directly a link to the public core, but I also think it's quite relevant to that. 

  And then finally in the open‑ended working group report, it is also stressed that this type of infrastructure, again, referring to the general availability and integrity of the Internet, is often owned, managed or operated by the private sector and may be shared or networked with another state or operated across different states.  So this cross‑border element and the multistakeholder element are things that we see as very important, and the Netherlands has been very active in promoting these links and fitting the public core of the Internet under the appropriate normative framework.  Maybe just ‑‑

>> ALEXANDER KLIMBURG: Okay.  Thanks.  I think we have to move on. 

>> INGMAR SNABILIE: Okay.  Yeah. 

>> ALEXANDER KLIMBURG: But thanks very much.  The Dutch government was an early supporter of the public core norm and was very, very important in trying to drive the discussion in the OEWG and GGE.  Unfortunately from some of our perspectives, the term “critical information infrastructure” was used in the OEWG instead of the term “public core,” which has possibly repercussions we can talk about next.  But the open‑ended working group itself was a very interesting process, and in particular because it included nonstate actors, at least in the consultative function.  And one of those non‑state actors that was involved was Sheetal Kumar, our next adviser.  Sheetal is a Senior Program Lead at the Global Partners Digital and has been following the public core debate from a Civil Society perspective.  Sheetal, 4 minutes, please.  The floor is yours. 

>> SHEETAL KUMAR: Thanks so much, Alex, and thank you for this opportunity.  It's great to be here.  I thought I would cover why public core norm is so important in the digital age.  And from just speaking from one Civil Society perspective, what Civil Society can do to support it, and indeed what it's already doing in many ways.  And to begin with, I’d say that the public core, the way it's defined, is really at its heart refers to what the Internet is to many people, whether they're in these discussions or not.  And to the characteristics that define it in terms of what makes it, what we use to share information quickly, to share it safely, and to buy things, to trade things, to create things online and to do all of this safely, it's really essential, the different elements that are covered under the definition to an open interoperable Internet that we all value so much. 

  And as a human rights defender, we need – as Ingmar was saying there -- an open and interoperable Internet to be able to exercise our rights, to be able to access information, exercise our rights to freedom of expression and privacy among many others, indeed all human rights.  And you've already mentioned how the norm is reflected in many different spaces and papers, reports, and instruments, even.  Whether it's the OEWG or the Paris Call or EU legislation. 

  I think what's important about the OEWG report that Ingmar has just discussed is it's a report that has been adopted by all U.N. member states.  And so in that sense it's a really key tool, in fact.  And I think, you know, really the next step there, because when you have these references and you have text, is to move forward with implementation and monitoring adherence.  That, I think, is really key.  And that's where Civil Society can play a really important role.  Indeed, it's already playing that role, and I'm going to give some examples. 

  So monitoring compliance, explaining and raising awareness of the norm and what it means, and the role as well in developing protocols and systems that are referred to in the norm in different multistakeholder spaces is also very important. 

  So I wanted to do just as an example, because I don't have much time, one aspect of the norm, which is cryptographic mechanisms.  These are under threat around the world.  And you can take a look at the news page of the Global Encryption Coalition, which is a coalition of groups that was founded last year to promote and defend encryption wherever it's under threat, just to give you an example of the various threats to cryptographic mechanisms that are ‑‑ that are currently under way. 

  And the Coalition has played a really important monitoring role following these threats and pushing back against them,  publishing research to show the impacts of undermining encryption or cryptographic mechanisms on the Internet and has done this by engaging with policymakers and convening with others.  And these are really key roles, I think, and they've had really ‑‑ we've had really great successes in the past year in pushing back against some of these threats. 

  As an example, one of our members recently published a paper and had some proposals for the EU's digital identity framework could undermine public ‑‑ or undermine trust in the global public key infrastructure and in website security and authentication.  And I can put some resources in the chat.  But I think this is going to my next point and really my next final point, which is where we need to be able to point to examples of where the public core norm is being undermined or could be undermined and make that link there between the norm and the actions that are being undertaken by governments or by other actors. 

  And so that linking between what is on paper and where, how and what it applies to and what is happening in the real world or out there in policy‑making spaces and in terms of actions that are being taken, I think, is really, really important, and there's much more opportunity to do that. 

  And we heard another example from Ingmar as well about shutdowns and how those impact the general availability and integrity of the Internet.  I think there's a lot more opportunity to dig down into the impact of shutdowns on people, on the systems, whether it's autonomous systems or others that are impacted when shutdowns are ordered. 

  There's also the fragmentation at the protocol layer as well, which is a continuing threat that we're seeing, and we're seeing attempts at standards bodies to do that, so I think we need to be referring to these and linking it to the norm and the undermining of the norm. 

  So going forward, I think linking actual actions that we're seeing including by governments and other actors to undermining the public or in showing their impact on people is really key.  And that's where Civil Society has a continued role to play.  So I hope that that hasn't gone over my time and given us some food for thought.  Thanks so much. 

>> ALEXANDER KLIMBURG: Thank you, Sheetal.  Perfectly on time and very pertinent points.  You mentioned, of course, responsibility to protect and safeguard the public core.  Actually, that is also something that has been cast into legislation in the EU Cybersecurity Act, which is the new mandate of the European Network Information Security Agency.  There's a clear reference to the global ‑‑ to the public core of the open Internet.  So I'd like to next turn to Marnix Dekker who is Coordinator for the Network Information Security Directive at ENISA for some comments.  Marnix? 

>> MARNIX DEKKER: Hi, Alex.  I hope you hear and see me well.  Thank you for organizing this, and thanks for inviting us.  So we are a technical system security agency or network security agency.  So, you know, to speak about, you know, what nation states should and shouldn't do is a little bit out of our mandate, but I would like to bring a little bit more of a technical view into the discussion.  I mean, we would rather see protocols and standards being in place and encryption being used so that it is not up to the good will of individual actors to, you know, to behave, but that the protocols and the systems make sure that the Internet is secure and open. 

  And so just going back a little bit on the history of legislation in Europe.  So I work in the EU Cybersecurity Agency.  What we do is we help EU members implement policy, and historically the focus has been a lot on the telecom providers and the telecom operators, and the focus of the telecom regulators has been a lot on the last mile, so to speak, the nexus network, much less on the core and on the interconnections.  And, yeah, what we see now is that in that area, there is a lot of things that can be improved.  We still see that there are issues around border guard gateway, protocol routing, interconnection providers where it's a bit of a gray area.  There's not a clear authority to take care of those things.  And then there's the entire area of Internet exchange points, content delivery networks and so on which historically has not been regulated or supervised by member states or by national authorities but has been kind of, you know, bottom‑up developed, almost industry governance or self‑governance. 

  Now, this has worked really well.  We have not had major outages, major issues.  I think 20 years ago we were afraid that there would be viruses and malware, and it would cause major blackouts.  But we have to be honest and see the redundancy and resilience that has been built into those protocols, you know, has really worked really well.  It also means there's a little bit less control about where traffic goes.  But traffic finds its way.  So that is really, really good.  So, so far I think we can say that the industry has really delivered and has created an Internet that is resilient and global and connecting and so on.  And it's great that the Internet Governance Forum works so keep it that way.  There are still some issues. 

  And so if you look at the core Internet, the naming issue, the domain name system is quite vulnerable.  A few years ago we had the Mirai botnet that exploited issues in the DNS protocol.  It was easy to do reflection and amplification attacks.  It's really hard for especially smaller organizations, also human rights organizations, to protect themselves from these kinds of DDoS attacks, so I think really that we need to improve the DNS ecosystem there because there's too many ways to exploit it. 

  And on the routing we continue to see big issues with border gateway protocol implementations.  And although some of the bigger players in Europe have been implementing security extensions of BGP and (?) for example, there are still players that don't, and there's still mistakes, and just a year or two ago, the bulk of the mobile Internet traffic in Europe was routed through China.  So these are serious issues that we need to address. 

  So how do we move forward?  From a technical perspective, perhaps we need to take an example from the way, for example, the French regulator is trying to speed up the uptake of IPv6.  So they have basically had to have a name and shame list where they, you know, spell out who is implementing certain protocols, and who is not?  Because otherwise I think, you know, at a high level, everything is secure and risk‑based and whatnot.  But in a practical level, we also need to see which operators are not implementing certain extensions, you know, which domain name ‑‑ sorry, top‑level domains do not implement DNSSEC and so on.  So perhaps that could be an interesting addition to the discussion, like how do we move forward on standards, and how can we make that more transparent to government but also to citizens?  And with that ‑‑

>> ALEXANDER KLIMBURG: Thank you, Marnix.  I think you highlighted a couple of interesting points.  One point in particular that government regulation or involvement in this area could maybe also concentrate on furthering the community's own response mechanisms rather than developing standard laws and regulations, and your example of what French (?) is doing in trying to support IPv6 adoption and could be adopted in a number of different areas including, for instance, also the deployment of best common practice, BCP38, and other issues that are routinely discussed in the Internet Governance Forum by the people who actually create the Internet which isn’t usually the industry which, of course, owns it but actually Civil Society and the Technical Community which, of course, are largely responsible for setting the open standards that we all depend upon, but also doing defense. 

  So with that I want to turn to our last expert briefer, Chris Gibson is the Executive Director of the Forum of Incident Response and Security Teams.  The team sometimes described as the union of CERTs and therefore has a firsthand view of how this issue plays out in his community.  Chris, 4 minutes, please.  The floor is yours. 

>> CHRIS GIBSON: Thank you, Alexander.  Again, thank you very much for inviting me.  It's a real pleasure to be asked to speak at this and put some points across.  As mentioned, FIRST.  FIRST is a globally super‑inclusive, we take no political points, we do not have axes to grind.  We are often referred to as the firefighters on the Internet.  So we are interested in fixing problems, not really looking at where they're coming from, but that's very much something that in the longer term we want to get to. 

  So when I say stuff, I'm not pointing fingers at anyone.  We are just looking at issues that we see on the Internet that affect our ability as a group of 99 countries at the moment, hopefully more, trying to resolve issues together to fix them, to make the Internet a better place.  Absolutely believe in this norm.  This is absolutely the right thing to do.  You know, we see the Internet as a huge public good.  We see it as something that we want to keep very much open and available for everyone.  And we see that public coursing as part of the public trust in the Internet. 

  So I think there's four major challenges with where we're going on this.  The nation state capability ‑‑ building capability to essentially run their own Internet, so to speak, is an interesting one where people can divorce their Internet from the world and run their own.  While that, in and of itself, I don't see as a challenge, you know, what is the intent behind that?  And if the intent behind that is to protect themselves, that implies they either see a threat or they see a challenge.  That is divorcing us from this public core.  We're giving, you know, national sovereignty over pieces of the Internet that we as an organization don't see as the right way forward.  So often we know when someone builds a club, there are people excluded from a club, and that's where we see that one as being a very bad thing. 

  We’re also ‑‑ the second point, we say the public core, but increasingly this is run by private sector, by private entities, or operated by them.  In many cases regions, countries obviously, you know, they want to build capability.  They put that out to a competitive operation, RFP.  People bid for it.  You can see that over time this could end up with a very large amount of the Internet being controlled by very small number of multinational organizations, as people have mentioned already. 

  There are two challenges with that, I think.  One is there's a limited competition, and competition is what's made the Internet really great and really improved it by people bringing new products to the table, putting them out there in open source, making them available to everyone.  By doing ‑‑ by building it down to sort of three, you know, however many big corporate running significant chunks, I see those as a challenge. 

  And then there's the distrust potential of that.  Let’s face it.  You know, the organizations we're talking about are primarily, you know, enormous American corporations.  That's just the way the world is.  Does that, then, lead to distrust across the world with, you know, the Internet is being run by people in country "A," and I'm in country "B," and I don't like that.  So we worry about that.  That we see as a real challenge.  We want to see it as public.  We want to see it as open.  We want to see it being run by, you know, Civil Society and corporations and governments and everybody in conjunction, not limited down to a smaller number of major organizations. 

  I think the point that governments may think they have a monopoly on using force and so on in the Internet is a really good one.  They cannot control it.  We've seen demonstrably over the last 20 years that they can't control it.  So we need to improve our ability to do that, but that means, again, working in partnership.  It means working together.  It means working globally together rather than regional groupings and/or country groupings and/or organization groupings.  So, you know, that's where FIRST comes in with this nonprofit, nongovernment international global inclusive, but we're a very small part on the Internet.  You know we're not enough teams.  We're not enough people in doing this with us.  So we're very keen to help governments understand that.  And one of our mission statements is talking about educating -- and this is part of the reason we really appreciate the invitation here -- talking to regulators and policymakers about how we can improve some of this. 

  And I think finally, my fourth point, when we talk about the public core being available and ready for use, that really essentially is saying that the public can trust that it's there, that they can trust that core, that Internet to be, you know, whole and sane and doing the right things and secure.  I think sometimes when we see some of the major, major, major massive hacking attacks that we see, the sort of spray attacks that we see across vast swaths of the Internet, that by ‑‑ these have been attributed -- again, we don't get attribution.  We are really interested in the problems they cause, the problems they cause, and I refer specifically to something like Hafnium attacks is that they remove that trust from public from the Internet, which enables governments to say we should build our own Internet or we should have more control over the Internet, or we should be the ones that allow people on or off the Internet, and we worry that, you know, in a significant way.  So some of those huge attacks that really demonstrate to people -- they get into your email.  They destroy your personal trust in the Internet that you are using.  It's not core Internet, but it is destroying users' trust in that.  We see that as a really, really, really important thing that I would very much like people to stop doing.  That's not an easy thing to say, but those are not good at all.  That's it.  Thank you. 

>> ALEXANDER KLIMBURG: All right.  Thank you.  Thank you, Chris.  I'd like to turn to a wider discussion now.  So I have early hands raised by Amir Mokabberi, who has also posted a comment in the chat.  I'd first like to give Amir the chance to speak himself.  Amir, do you hear us? 

>> Hello.  Can you hear me well? 

>> ALEXANDER KLIMBURG: Sure.  Go ahead, please. 

>> Thank you.  Hello, everyone, and hello to distinguished panelists.  Thank you very much for giving me the floor.  My question is that don't you think that a norm on non‑interference in the public core is a subset of the state sovereignty and non‑intervention and not efforts of other states like, like, for example, in domestic, social, political and economic systems of other nations that should be protected and ensured in cyber domain and should be addressed in a new OEWG process?  Yes. 

  And other issue that I would like to mention here is that I started to believe that sovereignty of all states should be protected and respected in Internet and cyberspace in terms of data, infrastructure, data governance, and making legislation and combating cyber efforts and so forth and so on. 

  Not only one certain country should have sovereign, we need just an equal sovereignty in cyberspace. 

>> ALEXANDER KLIMBURG: Okay.  All right.  Thank you, Amir.  Thank you.  I'd like to move on to the panelists so we can have ‑‑

>> Yes.  I must finish.  We know that public core under ICANN Corporation has not yet really become international.  And ICANN is run under U.S. jurisdiction. 

>> ALEXANDER KLIMBURG: Okay.  Amir, thank you.  I think we got your point. 

>> Excuse me. 

>> ALEXANDER KLIMBURG: We have a question to put to the panelists, and I have both questions that will go to the panelists. 

>> Thank you. 

>> ALEXANDER KLIMBURG: Thank you for your questions.  So first to reply on the question of is public core not a question of state sovereignty, and a second question that was added on to that was the question of ICANN sovereignty being subordinate to ICANN being effectively in U.S. jurisdiction.  So, Wolfgang, do you want to first reply, and then I think also Anriette addressed some of that issue in the comment.  Wolfgang, please. 

>> WOLFGANG KLEINWACHTER: Yeah.  Thank you very much, Amir, for the question.  I think you are free to differentiate between the public policy issues related to the Internet and the technical day‑to‑day operation, what I said in my first intervention.  So these are two different shoes which are interlinked, but we should not be ‑‑ we should be not mixed.  When you speak about sovereignty, then it's the principle of equal sovereignty as laid down in the charter of the United Nations, and this is very relevant for the public policy issues related to the Internet.  So no doubt about it.  But if it comes to the public core of the Internet, then we have to deal with something like the common heritage of mankind.  I compared it with the air.  And this is not part ‑‑ you know, you cannot say this is our sovereign air and we control the air when we open the window. 

  And this is part of what I called in the chat the borderless space.  It's not the border place where governments have national sovereignty and should avoid to interfere into the border places of other governments.  So I think this differentiation is really important.  And it shows also, you know, that we see a growing sensibility or sensitivity of governments.  In the new security directive, two of the European Commissions.  There was originally the idea, you know, that all servers which operate on the European periphery should be under sovereignty of European governments.  And then they realized that the root server system which is the global system which enables communication, that two of the root servers are in Europe, one in Sweden and one in the Netherlands.  And so they started a discussion whether this would lead to duplication or to conflicts.  And the wisdom now of the European government, at least a discussion is not yet adopted, to have an exception clause and to say, you know, this is part of the management of the global Internet community.  This works.  So if it isn't broken, don't fix it.  We should not pollute this.  And the Internet is based on a division of labor and a shared responsibility.  So that means not everybody has to do everything.  And, you know, to delegate some functions for the management of the public core, to the established community which has demonstrated the last 40 years, that it works and it can deliver.  I think this is one which is important to recognize. 

>> ALEXANDER KLIMBURG: Okay.  All right.  Thank you, Wolfgang. 

>> Can I jump in? 

>> ALEXANDER KLIMBURG: Amir, sorry.  We have others ‑‑ we have other people who would like to speak, too. 

>> Thank you. 

>> ALEXANDER KLIMBURG: First of all, Anriette, do we have comments from the room from your side or questions from your point of view? 

>> ANRIETTE ESTERHUYSEN: Is there anyone in the room who would like to contribute or ask a question? 

>> I would like to. 

>> ANRIETTE ESTERHUYSEN: No.  Sorry, Amir, let me just respond first.  I think you've had your chance.  Alex, I think Wolfgang covered the response.  I think I just want to, based on what I've experienced here at the IGF, stress how important I think this conversation is.  Earlier this week we had the UK government do an open forum on their approach and their thoughts about the future of the Internet.  Later today we'll have the White House, we'll have Tim Wu fresh from the summit on democracy talk about their thoughts, in the U.S. about how governments should or should not approach Internet governance.  I think there's increased concern from states to get involved in the Internet.  Some of that comes from a place of control.  Some of that comes from a place of enabling, innovation, and competition.  But I think we really still do not have a common understanding, and I think that's why the public core norm is such a good starting point for the conversation. 

  But the one thing which I know is not new to those of us on the commission, but it's still an issue, is the concept public.  We still have to find a way of translating what we mean by public and how it's understood in different cultures and different political historical context.  Wolfgang describes it as this borderless space.  I think there are some member states of the U.N. and some governments and industries represented here at the IGF who see public as putting control within national sovereign borders.  So I think one of the key tasks that we have to undertake going forward is translating and finding concepts that have more of a universal -- a meaning and acceptance so that we don't come constantly against this wall of these different perceptions of what public means.  Sorry, Alex, I departed a little bit. 

>> ALEXANDER KLIMBURG: Not at all.  Actually, I think your point about clarifying terms is very important in particular since the whole idea of considering public core subordinate to state sovereignty is exactly the point of the public core, is that it tries to circumvent that entire issue.  I will mention some of that at closing in my final remarks.  But first I want to go to the next question/comment from Yik.  Yik? 

>> Yes.  Thank you.  I think there's a debate, you know, between the public good and also the global common properties can also apply here.  When we say “global common,” it means something like outer space, you know, or high sea which is beyond the national jurisdiction, so probably in here public core means similar to the global common.  But the Internet itself is not defined as a global ‑‑ I mean, the Internet, whole Internet, cyberspace is not defined as a global government, but it's defined as a global public good.  The global public good itself has a national jurisdiction, you know.  So I think we need to make sure, when we talk about public core, which means global common, but a wide part of the Internet belongs to the public core.  And in some parts are not.  So I think that's a main argument.  For example, the protocol, the domain name belongs to the public core and the global common.  But some infrastructure may not belong to the global common or public core because the states have a (?) infrastructure.  That's my comment.  Thank you. 

>> ALEXANDER KLIMBURG: Thank you.  Just a final comment from Siva Subramanian, please, and then we'll go to one last comment then before I close.  Siva?  Siva, please?

>> Yes.  Siva Subramanian.  I'm a little concerned about the process by which policy-makers and business actors get their advice.  It appears to me that the Internet and the policy‑making process are on different calendars and on different plots that are not synchronized.  In the sense that policy‑making is still a hierarchical process, the advice comes from those that are proximate to government, and those who are proximate to government are traditionally the ones who have been proximate. 

>> ALEXANDER KLIMBURG: Okay. 

>> So are governments giving proper advice, and what is the community doing to make sure that fair and balanced advice aids policymakers and business leaders?  Thank you. 

>> ALEXANDER KLIMBURG: Okay.  All right.  I think we are unfortunately already out of time.  I wanted to just mention that the public core discussion is a continuation of the discussion of all of the Internet itself.  It's a question of to what extent Internet is a global public good or even a global public resource.  Under Ostrom, there is a big difference between what is a global public good and global public resource.  Global public resource requires state intervention to manage.  Global public good does not necessarily require state intervention. 

  Also because high seas have been mentioned, the global public good -- concept of the public core is the public core effectively is that part of Internet which is a global public good, from our point of view, from the Global Commission's point of view.  And that basically puts the public core in a legal zone somewhere in between the high seas and the number of entities that are sometimes covered by the common heritage of mankind international law.  That's not the same as the high seas, but that includes the deep seabed, Antarctica, outer space and the moon.  So this is a wide‑ranging discussion with implications for international law as well.  I look forward to continuing the discussion with you.  And last slide, please.  Can we go back to the presentation, the last slide? 

  I'd like to do a shameless also self‑plug, the Global Commission Cyberstability Cyberspace Secretariat is also just now launching the Cyberstability Paper Series.  New Conditions and Constellations in Cyber.  It features 16 authors including two of them who spoke today.  And I think it provides additional insight into what the definition of cyberstability can include.  I think there will be something there for everyone.  I hope you can access it.  It's for free.  And I wish you a good IGF.  But first join me all, please, in thanking the panelists and expert commentators with a round of applause.  Thank you. 

>> WOLFGANG KLEINWACHTER: Bye‑bye. 

>> ALEXANDER KLIMBURG: Thanks.  Bye‑bye.