IGF 2021 – Day 4 – OF #64 Global Forum on Cyber Expertise

The following are the outputs of the captioning taken during an IGF virtual intervention. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid, but should not be treated as an authoritative record.

***

 


     >> We all live in a digital world. 
We all need it to be open and safe. 
We all want to trust.
     >> And to be trusted. 
     >> We all despise control.
     >> And desire freedom. 
     >> We are all united. 

     >> ELLIOT MAYHEW: That was a nice intro.  No problem, IGF, thank you for showing the video and kicking off the session.  So my name is Elliot Mayhew.  I'm with the GFCE Secretariat.  I will be in the background, monitoring chat, bringing in questions.  I will also post a link in the chat in a second to a few Mentimeter questions to get a feel for the room.  I want to start the session already and hand over to our moderator to kickoff.  So let's jump in, Moctar Yedaly, over to you. 

     >> MOCTAR YEDALY: Thank you, Manon, and welcome to IGF 2021 and welcome to this Forum 64 Global Forum on Cyber Expertise ‑ GFCE Africa Program. 

     As Elliot mentioned, my name is Moctar Yedaly, and I'm given the honor to oversee the GFCE Africa program.  It is my privilege to be the moderator of this session.  The Global Forum for Cybersecurity Expertise is a multistakeholder platform that
aims to strengthen globally through promoting collaboration, increasing awareness, and reducing duplication of effort.  The capacity building is at the heart of the center of activities of GFCE. 

     Needless to say, ICT is important to all of us.  I wouldn't doubt everybody knows that.  I want to make sure that we understand how important it is for the African continent.  It is important to view those ICT safely with all the benefits.

Capacity building is one of the things that is very important for the African continent specifically in the area of cybersecurity in general.

GFCE has taken several initiatives this year to enhance its presence and to assist the African continent to build capacity and use it with all safety and safeguards.  This is what we will discuss today.  In collaboration with the African Union, the GFCE has taken on initiatives and the project today that will be presented by Martin Koyabe.  But before that, I would like to ask Nnenna, who is actually representing the AU cybersecurity Expert Group.  She's the Vice‑Chair of that Group and associating the African Union on cybersecurity. 

 One of the questions I want to ask Nnenna Ifeanyi‑Ajufo, what are the main buyers to the international and national frameworks at national level specifically.  Over to you.

     >> NNENNA IFEANYI‑AJUFO: Thank you everyone, I feel privileged to have been invited to the GFCE virtual Forum in how to build capacity building.  In regard to your question and the challenges of that.  I want to start off first by saying for capacity building in Africa it is crucial to define it in the various aspects.  Often you find the notion of capacity building has been overly associated with the idea of increasing, or developing skills or competencies, sometimes on the basis of training, this is always on the capacity building ideas of international bodies.

So you find that this has not encouraged African States looking at the national level or other African multistakeholder.  Of course, Martin is here and will go over capacity building.  I look forward to him speaking about this.  Capacity building is a broader concept that should be considered from a more systematic institutional perspective, African citizens, Civil Society, Private Sector, Government institution, of course, the African society in itself.

For that as well we must underscore the social, cultural [phone ringing]
I'm so sorry.  And under the cultural, political, historical perspective. 

In relation to the conversation, when we approach the agenda, because of the nature of cyberspace we must ensure trust.  The most potential partners, when we have discussion of the international, who approach Africa for capacity building are focused on a particular agenda.  They have their independent interest for the desire to build capacity.  Unfortunately some of the mechanisms and approach to capacity building sometimes fall short of what is required in the African reality.  I always say the capacity building needs of Africa can never be the capacity needs of Europe or other Region, not singling out Europe.  There are commonalities, I agree.  That doesn't mean the idea will work in the context of the African Region when we try to transplant it.

So unfortunately, capacity building gaps are also not fueled strategically.  There are different underpinnings related to issues of capacity building as well.

To build trust, transfers of capacity, expertise must be strategized to ensure digital cooperation, which would encourage capacity building must not translate to digital dependence.  Do I still have 10 minutes?

     >> MOCTAR YEDALY: Go ahead.  I have to ask you some specific questions but go ahead.

     >> NNENNA IFEANYI‑AJUFO: Thank you.  All the particular States because you asked about that, apart from the regional level they have their context.  It impacts ideologies, and capacities and will build the capacity for dialogue and negotiations.  Again, in the African context, when you talk about the national level colonialism is a sensitive issue for Africa, whether we like it or not.  It is often at the center stage of interpretation, to western intervention including when styled as cooperation or capacity building.  Sometimes apprehensive States are apprehensive.  There are consents that it will end digital colonization.  You will see African States and other stakeholders have incited that cyber capacity building strategies must increasingly be on the terms of Africa rather than other terms.

They may be right.  One thing to add to this.  For digital cooperation to be the focus of capacity building and not just training.  How about infrastructure development, technology transfer, all of that.

So in approaching capacity building, the measure of equal standards must be the focus, not age, not charity, you know, um, equal standards.  Like I say.

     >> MOCTAR YEDALY: I see that Nnenna.  Nnenna, I appreciate what you have said with regard to the involvement of inch and specifics of the continent.  But one of the concerns of the context of the Internet Governance is the concept of multistakeholder.  How can we make sure that within the African context of the pandemic continent, that it remains multistakeholder?

     >> NNENNA IFEANYI‑AJUFO: You know this very well.  This is a lot of diverse issues for Africa.  Coming from the external and internal, you know, it is even a question of thrust and effort.  First of all, when you talk about multistakeholder approaching Africa, what is the understanding of our leaders.  The awareness of the concept is not even there.  We talk about encouraging, the concept is not there.  I was in a meeting a few months back.  A member of the state security department said how do we work with Civil Society organizations that we do not know who is sponsoring them.

I said if you are a security agent and you cannot vouch for the credibility of a Civil Society organization, then you have failed in your security efforts.  So the understanding and this notion that cybersecurity is thoroughly a national security agenda is in Africa to allow for a multistakeholder approach.  The lack of awareness and education ripples into the involvement of multistakeholders.  So I think from a basis of understanding, Africans need that awareness and education on the necessity.  Again, it is efforts from who we define as multistakeholder.  Sometimes I say in the African context perhaps we need a peculiar African on the stand in the definition of multistakeholder.

Do you want me to stop? 

     >> MOCTAR YEDALY: I love what you are saying.  Go ahead. 

     >> NNENNA IFEANYI‑AJUFO: There are hardly Civil Society organizations, you have so many human rights Civil Society organizations, when you come to cybersecurity, you do not see the involvement of Civil Society organizations awe you want.  If you come to the IGF level, you see so many Civil Society organizations, but the agenda eye was speaking at a conference about three weeks, this gentleman said we have been trying to reach Civil Society organizations to understand, you know what cyber capacity building means for them.  If you come to Academia as well, how many schools are teaching cybersecurity?  There is that gap.

That is why I talked about strategy in terms of capacity building.  When partner organizations come to Africa the focus is on the state.  There are other aspects of society that suffer.  You should focus on the African society and citizens as well.

I must laud the GFCE approach.  It is impressive to reach partners and understand rather than simply coming to Africa and say this is what we want.  That way you don't encourage a multistakeholder.  It is a two‑way approach, externally, internally.  Whether we like it or not, it must come from the national internally as well.  What are African States doing to build capacity, apart from the European Union coming to tell us, are there any capacity building efforts indigenous.  No.  I don't think we understand that.  We need to think of a multistakeholder before.  Charity begins at home. 

     >> MOCTAR YEDALY: That was impressive, all of the notions about the specifics.  Our internal needs, the definition of the needs by Africans for Africans is actually important. 

Also the concept of the multistakeholder to be really taken into consideration the context in which we are defining the multistakeholder, which is actually very important.

Moving out from what we call the general context.  I will go specifically to the presentation.  I mentioned Martin is the senior member of the AU project.  That is looking at capacity building and taken activities related to capacity building in that project.

I want to ask you, Martin, what is the importance of ensuring an evidence‑based approach for capacity building in Africa? 

     >> MARTIN KOYABE: First of all, let me take this opportunity, Moctar Yedaly to thank the IGF community and those listening both online and any way to listen to this recording in the future for this opportunity.  My name is Martin Koyabe, I am heading the project of looking at capacity building cyber enhancement in Africa. 

I will start with the definition of what I call the understanding of capacity building.  I think from what Nnenna has actually described and alluded in terms of the challenges, and the perception, she mentioned two keywords there, which is trust and orienting capacity building based on the recipient countries. 

There is this notion of the understanding of capacity building.  Capacity building before used to be termed as the training or giving people knowledge in some aspect, more or less in a one to many.  But more and more as we advance in terms of development, it is becoming quite important that capacity building is not in cyber, is not just an issue of training people to understand specific concept and so forth.  It is more than that.  So you have to look at it in terms of different layers and at what stage you are engaging.

So you could have national issues that require capacity building.  You could have more or less up to the individual issues that require capacity building.  It could be at the level of governance that require capacity building and even technical.  Coming back to your point in terms of how we can be able to get this evidence‑based type of capacity building, I would reflect back into the project that we are heading.  The project involves a number of issues.  The first thing is that the project aims to enhance cyber capacity building in 54, 55AU Member States.  That is the main aim.  In so doing make sure the Member States can build capacity building resilience and sign resilience in the jurisdictions.

There are three main objectives of the particular project.

The first one is to have what we call an assessment.  The assessment is to look at all Member States and assess their current cyber capacity building status to be able to ascertain what the priorities of this Member States is.  It is important.  As you can imagine with COVID, having ravaged most of the Member States, some of the Member States have changed their priorities or they have ordered their priority is depending on where resources are coming from and where they're spending most of the resource.  We have seen cases where they increased funding for health.  Increased funding for connectivity.  All of this has shifted the focus of cyber capacity building that might have been planned before.  It is important that we assess the level of capacity building.  The second aspect is to build what we call sustainment component and strategy.  How do we sustain the project?  In so doing, we engaged Member States to nominate or select and provide at least three experts from each Member States who will comprise what we call Africa cyber expertise community.  The African cyber experts community.  This community is envisioned to be able to understand the situation in their Member States because as we discussed earlier and Nnenna said earlier, it is important to understand problems from the perspective of Member States.  Because they might and do know more than sometimes what they either donor agency or implementing agency might know around specific issues that are pertinent for the particular companies.  The composition of the three experts we suggested and proposed that you include someone that understands strategy, someone that understands policy at very high‑level in the country.  Also include aid from the Civil Society and Private Sector and have someone who understands the protection of the critical national data protection, CERT or CCERT.  That does not end there.  We encourage States to have a bigger inclusion of other experts who can be able to join in for the purposes of the project.  But in terms of us committing to the countries on the sponsorship of the experts, for meetings, so forth, you are limited to three.  The third objective is to build what we call knowledge modules.  Knowledge modules can be understood as what you call today best practice or good practice.

But the knowledge module that I envision in this particular project go farther than that.  There will be access online and also provide more than just best practice.  A good example is from the assessment that we have done of the countries to know what the priorities are.  Many countries have listed issues such as for example, the development of the CERT.  Or enhancing the understanding of law enforcement officers on specific issues whether it is digital forensic collection of evidence, so forth.  Or enhancing their legal structure.  We're seeing different needs and priorities from the countries. 

The question is how does somebody or recipient country navigate through the challenges of knowing what option to take and how to build and enhance their capacity.  The knowledge models will provide what we call a window where a person can look on to the system, be able to select a specific area.  Talking about five main areas to look at.  The first is the national cybersecurity assessment and cyber norms and cooperation.  The other area we're looking at is the issue of legal instruments and law enforcement in terms of the legislation, regulation, policy.  Then the other focus area is the area of capacity building itself in terms of workforce, skills expertise.  How you enhance that in the countries.

And we also looking at CERC, CCERT critical infrastructure and standards.  That is not the holistic areas we look at.  There are other areas Member States have come up with.  For example, issues to do with funding, with governance that I high in the priority.

Back to the little module, it will be used as a Member State to assess the issues to get a solution or reference to a specific issue they need to look at.  I am sure Katrina on this particular call will be available to expand more on the knowledge modules.  Coming back to the assessment.

It is important to collect evidence through the notion of capacity building.  What has been useful is what we call the monitoring population of the process.  That shouldn't end there.  There should be an impact assessment.  The question of impact assessment is time bound.

You have to make sure that you give time so you can assess what the impact was of that particular capacity building effort that has been put into place.  Let me take you back to the basics.

Many of the Member States are faced with a number of challenges.  One is what Nnenna touched on which is mainly the political cycle.  Member States have four or five or seven years of political Government coming in.  Once the Government changes, they start fresh.  So you find a specific project going on, which could be a cyber capacity building project does not see the end of day because of this change of the political cycle.  Which is a challenge.

The second issue is the issue around the understanding.  Especially when we have individuals put in charge of the particular areas.  I know of a project I dealt with four Ministers in four years.  Maybe that is not a big record, but if you look at each Minister coming in and changing how things work, it affects most of the capacity building particularly at the national level, programs in place.

We talked about the inflexibility of funding, whereby funding given to the projects is only geared to the specificity, instead of being flexible enough to understand whether that country has hired that kind of capacity building exercise already.

A good example is CERT assessment.  Some countries do assessments and want to do the next phase of CERT implementation.  They don't go there because the funding available only requires an assessment.  They're stuck in the first step until when they get funding to go to the next step.  By the time they get that funding they need to go back and do another assessment because things have changed.  We have inflexibility in the funding.  In the capacity building project, there has to be quantitative information and qualitative information.  Qualitative is important because it gives the yardstick of where the country is and going in terms of numbers.  A good case in mind is if you want to know the impact of legislation, putting in cybersecurity laws, let's say some specific enhancement of the data protection privacy, you can look at the rate at which you have convictions, the convictions showing that the law is being applied appropriately.  And they're showing now we can apply the law adequately.  Therefore you can measure how that capacity building or enhancement is reflecting on that.

Other areas like education in curriculum.  It is important to make sure we enhance our curriculum from the primary school, secondary school, University, colleges, so forth.  Building institutions of higher education to absorb and produce experts in cybersecurity.  A country can assess and say do we have enough people with cyber experts or specific degrees or qualifications that are coming out of colleges into the market.  That can give an indication. 

There is a need to collect metrics.  The metrics can help a country to assess where they're going, assess where the gaps are and also able to appropriately fund the specific programs that can be able to create that impact that is expected. 

Coming back to your question.  It is important that we have the metrics.  It is important that we measure them and also try and collect data that is measurable. 

     >> MOCTAR YEDALY: Thank you, Martin.  One thing that always implementers of the CCBs are facing is the issue of the buy‑in and sustainability at the national level specifically.  How can we ensure that that buy in is there and is sustainable? 

     >> MARTIN KOYABE: The issue around sustainability is an important one.  I really want to emphasize on that issue.  That for most of the capacity building projects and even any other project, sustainment is an important component.  Now, there are mistakes that are made in very many of the particular projects, especially when it comes to the strategy or implementation projects.  The people who matter sometimes are never involved at the first.  So therefore, a multistakeholder approach where the people who are relevant are involved from the beginning is helpful.  There is also a need to find out whether there is a buying in from the top level of the country because many of the implementing partners, I know most of them are on this particular call, and attending this particular session or development partners, we go to the countries without necessarily understanding three basic fundamentals.  The first thing is we have to understand the political status and politics in the country.  It is important to understand that.

It is also important to understand the diplomacy angle of how to approach the issues.  But more importantly also is the issue around ‑‑ this is business.  Many of the countries look at it as development of business.  We want the countries to understand that.

In attainment, it is acceptable to get a starting point where they're part of that process.  Important that we interrogate countries before to understand the needs and address the needs as articulated by the countries.  Not how we want them articulated but how we articulate them.
And build, where people can take on options for learning and pass it to next generation, so forth.  That should be enhanced when there is a project of this kind.

That might sustain that.

The last thing here is the issue of funding and project becoming more sustainable.  There is some projects that require specific funding.

For example, many of the countries are building CERT.  When you doctor a CERT it is important to think about that as how will the CERT give you value for money?  The CERT can provide services to the Private Sector who have infrastructure. 

If you build a specific cert, you can find the Private Sector can contribute toward a fee or service you are providing.

That service can fund some of the needs that the CERT would require.

There has to be a model built in the capacity building activities that we have that can generate specific funding levels to make the countries be self‑sustaining, rather than looking for funds every time they want to enhance the CERT.  That could be an example.  There could be others.

Forensics they can build capacity in forensics and offer it as a service. 

     >> MOCTAR YEDALY: Thank you, Martin.  During the presentation you mention knowledge model.  Those are developed by DiploFoundation, that is why we have with us today Katarina Andelkovic.  I would want to ask you one very important question, actually.  It is related to the ‑‑ how so far and where we can improve, make any kind of improvement of developing the knowledge modules as a tool for this specifically. 

     >> KATARINA ANDELKOVIC: Thank you, good morning, good afternoon, good evening everyone.  Because we have participants on‑site and some scattered across the globe like me.  It is good to be here to discuss work on the AU‑GFCE modules.  I can mention we have active involvement in the African policymakers and with whom we held meetings send suggestions we have incorporated or are currently incorporating in our work.

And to this end, we have used a recent ACE meeting to dig even deeper in the modules are shaped based on the inputs we have received.  It is important to stress that we work with our African colleagues in every module because they have an understanding of the pressing needs addressed in the knowledge modules.

Another thing I can mention is that we have looked into various documents, a substantial number of documents that form the basis of our knowledge modules at the very first stage of the journey.  For instance, we map the GFCE knowledge, resources available on the civil platform and knowledge on the cybersecurity and Internet Governance.  We also went over I think around 50 different documents that tackle the issue of cybersecurity capacity building.  We tried to identify points of convergence.  We met them with the needs received from the several AU countries regarding the CCBP. Based on this input we started drafting the knowledge modules and began to address the needs and requirements.  As Martin mentioned we are currently working on eight knowledge modules that tackled the five focus areas of the GFCE.  But they're not limited to these focus areas we have an introductory knowledge module that is providing an overview of the project cybersecurity.  And link it to relevant digital policy issues such as e‑commerce, taxation, development, access to ICTs and other problems that are important to the African Region.

On a rather negative note, the majority of capacity building programs are available in English only.  Many African stakeholders are left behind because of language barrier.  Our plan is to translate the modules into French.  We try to take into account the need to provide a multilingual capacity building support, but then it poses challenges because there are many local languages in Africa we might not be able to take into consideration and translate into the modules.  This is something to take into account in the later stage had when the drafts are ready and some aspect of the little ‑‑ knowledge modules translated. 

I can share my screen and we can have an overview of the knowledge modules.

     >> MOCTAR YEDALY: Go ahead.

     >> KATARINA ANDELKOVIC: I will see if I can share my screen.

     >> MOCTAR YEDALY: While you are doing that, I will think of something for you to ask you.  Is it always tied to education, how the model can be ‑‑ do they really although do they address all the needs?  How can we make them really inclusive enough, if I can say, dealing with the implementation of CCB?  Not only for it but over also.

     >> KATARINA ANDELKOVIC: This is something we constantly have in mind.  Everyone warned us try not to duplicate existing efforts and implement them as much as possible.  We're trying to do that.  The goal is while they address the needs of the countries, and match these with available resources and initiatives in the GFC and wider expert communities.  It is basically to connect the dots.  To this end, we had several meetings with the members of the Working Groups.  Where we discuss the open questions and try to be on the same page. 

They also provided suggestions and inputs, even at the last meeting at the Hague that we are trying to incorporate into modules.
And after the first drafts are ready, we will share them with the expert community so they can comment on them and provide suggestion says we can incorporate when the final versions are ready.

If I may add, there is one more thing that was problematic that we are trying to address in our module.

This is the question that was raised on several occasions.  The problem of training the trainers.  The African countries, a lot of people providing capacity building they lack the proper training.  This is an issue we're trying to raise and address in our modules both module 4 on cyber culture but also skills in the module.  In the sectorial modules because it is a cross‑cutting issue.  Another thing worth mentioning is that there is the issue of gender equality.  And issue of awareness building and communicating.  The cybersecurity effort and these are cross cutting.  They will be tackled mostly by the module because Diplo is online and part of the human rights basket or cluster.  It will be tackled by other knowledge modules.

     >> MOCTAR YEDALY: Thank you.  You mention that you have been constantly in touch with the cyber ‑‑ you said expert Working Group, are you referring to the GFCE or others created? 

     >> KATARINA ANDELKOVIC: Yes, we had meetings with the Working Groups.  With some at least, we'll work with the Working Groups, tackling specific areas once the first drapes are ready and ask them for their input.

     >> MOCTAR YEDALY: Thank you very much.  I think we have really went from the general context to the specific project and to the specific activities related to the knowledge, because we think about capacity building as I said at the half of the nonpartisan action to GFCE to make sure we build capacity in this area.

Elliot, do you have questions from the chat, from the public?  After that we will see if there are any questions from the floor.

     >> ELLIOT MAYHEW: There are no questions in the chat here.  I'm seeing if I can find locations where questions could be posted.  I won't force anybody, but I will say if you have comments or questions, feel free to raise your hand them here post them. 

     >> MOCTAR YEDALY: I see somebody standing on IGF 7, anyone want to ask questions of the panelist? 

     >> ATTENDEE: I would like to ask something.  My name is Dowdy.  I would like to ask if you ever ‑‑ what is your response?  You think responsible frameworks into cybersecurity, if have you ever done that or if you think that is a good application.  And also I want to know if you can give recommendations on the health sector.  For example, robots used for healthcare and like, yeah, how can we improve the cybersecurity in this context?  Thank you. 

     >> MARTIN KOYABE: Anybody able to take these questions ‑‑

     >> MOCTAR YEDALY: Anybody able to take these questions.

     >> MARTIN KOYABE: Can she say the first one.

     >> ATTENDEE: It is framework is something that I have been reading about and is trying to address questions about responsibility in technology.  So and also like responsible innovation research, which is trying to include this in the research.

     >> MOCTAR YEDALY: All right.  Now, I will just pitch in something.  My understanding is the question is raised to the innovations in the area of responsibilities.  Technology responsibilities.  This is probably what I don't understand.

Probably we can classify that if I say in the area of norms and behaviors.  Really in terms of who should be doing what in order to really help the actives within cybersecurity that are responsible for what.

It is not separate that some state sponsored or nonstate sponsors are doing innovative things, are not serving really the population or the people itself.  In that area, I believe you have a lot of things to think.  Start from the area of policy first.

It is part of the strategy.  You know, kind of approach to the cybersecurity and capacity building in the same time also we need to make sure you have in the area of technology you are cooperating, you have responsibility to technical incorporating advanced technology.  Sometimes advancing and innovating to address those bad innovations when they happen.  That is to throw something in the field for you.  The imminent expert.  Anyone want to say I'm wrong?

     >> NNENNA IFEANYI‑AJUFO: Can I add, if you would allow me? 

     >> MOCTAR YEDALY: Go ahead.

     >> NNENNA IFEANYI‑AJUFO: The conversation, particularly in Africa, the responsibility is discourses.  You know in Africa, that is nonexistent.  States are moving more and more.  The responsible behavior, where we are not focusing on responsibility by design.  You are not thinking on responsible innovation, but bringing in tech companies where you have concepts, like human rights by design and responsible design.  From the African perspective, I advise you look at the Digital Transformation agenda, 2020‑30 agenda that looks at innovative and disruptive technologies.

The conversation you have about Africa is cybersecurity and cybersecurity and time comes when Regions are far ahead.

     >> You talk about AI.  Nanotechnology, all of this.  Look at the Digital Transformation agenda.  It is there, in terms of our aspirations to seek Digital Transformation, which should be all‑encompassing rather than focusing on cybersecurity alone. 

     >> MOCTAR YEDALY: You would use it to model cyber responsibility.  Anyone want to say anything about this pertinent and difficult question?  I see somebody moving to the mic.

     >> MARTIN KOYABE: If I might add on the issue of innovation, if I may.  One thing that is clear is what ICT or gives is in equal nature.  That is something to put in our minds.

Coming back to the question asked what is being done about it, we are doing something about it especially looking at emphasizing the strategy for cybersecurity in many countries.  There is a component of innovation.  That tries to address emerging technologies and how to innovative around securing the technologies.  And emphasizing on security by design.

Let's not think about it as a wraparound at the end of the design of a specific project, but think of the cybersecurity in the initial stages.  That helps.  What we need to put in place and I think that is where it is coming in.  Checks and balances.  How do we put it when somebody is able to access something that can be used for a very wrong reason?

For example, we have white hackers, black hackers, people that do it for a profession.  When you are rouge technicians into the wrong hands how do you cut off that.

There are areas, for example, security levels, which you can build in specific recruitment process.  You say, okay if you join in from a civilian to work in a sensitive area, you will have to have security clearance. 

I think for me, checks and balances are important to make sure it is done.  Innovation to make sure that is a responsible use of technology as we say.  That comes with the forms.  How countries should behave, countries behavior.  And how Europe remands, a country ‑‑

     >> MOCTAR YEDALY: Right, thank you.  I see somebody approaching the mic, too.  I see the second lady.  I am glad to see ladies are active in the area of cybersecurity. 

     >> ATTENDEE: Good afternoon everyone.  Thank you, panelists for an insightful conversation.  My name is melody.  I'm a senior legal consultant.  I'm asking about digital cooperation in the space of cybersecurity.  What we needed in South Africa with it comes to a corporation, particularly multistakeholderism, they all have their own CCERT but don't have it at the initial level.  We came together from different organizations, and formed the alliance, which seeks to discuss issues of cybersecurity from all points or different angles.

What I wanted to find out from the panelists is since you have been in this space for some time now.  How can we as a new organization cooperate ‑‑ cooperate or engage with members of the public.  I noticed so many are interested in either learning more about cybersecurity skills or in providing training, but there is no platform available to them to do that.  How can we work with an organization like GFCE to provide training awareness on issues around cybersecurity?  Thank you. 

     >> MOCTAR YEDALY: I think this question is a wonderful question for Nnenna.  I know she will look at it, but however, by mentioning that.  Is GFCE the Group that is planning to have a specific focus on Africa by creating a hub in Africa that is closed with the decisions help address those issues.  This is addressed by talking to the non‑Governmental institutions and help them be involved in at the international and national level and the issues related to the governance and implementation of CCBs in the continent.  Feel free anyone to say what I said as a promotion of my institution.  Go ahead.

     >> NNENNA IFEANYI‑AJUFO: It is good the GFCE Expert Group, one of the things I said was the lack of Civil Society organizations inasmuch as that framework bringing together Civil Society organizations.

For example, the cybercrime Forum, members of Civil Society, there is a PRIDA project as well, which is not just for cost on national actors.  It must be good to see that and impressive to hear such efforts are going on.  Thank you. 

     >> MARTIN KOYABE: If I can chip in.  I know this South Africa issue, I'm glad that question came out.  The issue around ‑‑ I don't want to be specific because I have understood that they're not doing well.  There are challenges to do with silos as the question came in it is important the legal instruments are reviewed.  The way the responsibility is apportioned brings about silos.  Because every institution and sometimes you find one institution has a responsibility for one aspect.  The other has a responsibility for another aspect of cyber both want to stick to the responsibilities.  And it is difficult to put that together.  I believe one way to address this is to look at a cyber strategy review.  And through that review, we could put some recommendations to create a structure to help the alliance to be more effective.  If you have an alliance and it is not supported by law in terms of some of the activities, you might find it difficult to get some of the stakeholders to come to the same room, if you don't have the authority to get them in the room.  While the alliance is useful they may want to look at the review of the strategy, and through that review process with stakeholders involved and everybody giving suggestion, the country can come up with a more broader, more inclusive way of how cyber can be handled.  The sector is advanced in Africa in terms of the CERT.  That might be an issue.  Coming back to the way GFCE might have helped, I believe touched on it, but I believe through an engagement program where awareness is included in data management program.  The default position would be to review the strategy apportion appropriately responsibilities that are inclusive.  Otherwise it is difficult to get the silos.

     >> MOCTAR YEDALY: I don't think we have a lot of time.  There is somebody behind the mic go ahead.

     >> ATTENDEE: I'm the Director of sign crime at Interpol pap and part of members of GFCE.  I'm looking at the points around the multistakeholder approach to all of this.  That is effectively a given within this space.  What we look at is the duplication in this space.  We go from global to national response in operation.  We set up a cybercrime of course, moving it from the centralized, going to decentralized.  It is a project fund that ends in two years.  Instead of the monetary value, looking at enforcement, the officials that are supported on the ground and moving that on.

But again, that comes into the prioritization piece, which is picked up on.  This is not unique to Africa.  This is globally. 

Things are always a priority when something happens.  When something happens it becomes a priority.  When it calms down it stops being a priority.  We look at the Private Sector investment into that.  It needs to be the longer term investment.  I would like to commend the agenda for Africa looking forward and ahead, at 10 years, that is the minimum to look at.

I wanted to make a couple of comments around that and endorse the work of the GFCE in the African Region, we're a part of that.

     >> MOCTAR YEDALY: I love that comment, the GFCE in Africa.  I love that.  To comment on your comment, it is good to do the centralization.  It is also very good to do the deconcentration of things.  Meaning you decentralize the issue of multistakeholder should come in.  You cannot give to one entity to do things.  Rather you have to go through different entities.  This is one of the questions I have been asked.  Everybody needs to configure to that.

Any comments or anyone want to take the mic, if I may say, somebody standing behind the mic? 

     >> ATTENDEE: 80% questions from the turnout.  Get interaction.  I'm working with the Germany cooperation with the GFCE.  I'm working with your predecessor, Moses.  I wonder if you or GFCE in general are working with a Commission.  I understand you are working with the Expert Group, or a link with the Commission so we can connect through that.  If so, what division or person that is?  Thank you. 

     >> MOCTAR YEDALY: If the question is addressed to me, we work with the advisory board for AU, in general in specific through the AU Commission.  We believe we work with the commission.  And the department and the Commission has been invited to be part of the coordination Committee of the Martin project, or AU‑GFCE project.

     They should be really in all have been very glad to see them co‑chairing without AUCE and GFCE and others with that.  Unfortunately I believe the last two minutes I haven't seen them.  But the intention is to have the involvement of the AUC and have action we want to undertake in the content. 

So that is my take to that.  Any other questions from the floor? 
I see nobody standing behind the mic.  How much time do we have left still? 

     >> ELLIOT MAYHEW: Just a couple of minutes.  To finish on time, we should wrap up shortly. 

     >> MOCTAR YEDALY: On behalf of everybody, I want to thank the participants.  Because without you the session would not have been as nice as it is now. 

Second, I would like to thank my panelists the experts.  Martin, Nnenna, Katarina.  It is a pleasure to see you and hear you bring insightful ideas on things that are raised.

I would like to emphasize the fact, for Africa nobody can really define the needs of Africa but Africans.  It is really important for the sustainability to involve everybody at the higher levels.  Buy‑in is important for everybody.

We have factored all of that, and we will continue to improve our knowledge to make sure you are not duplicating anything or copying anything else, but making sure you make the difference and bring something new that are based on the real needs at the national level. 

     We will continue to work with all stakeholders, specifically the AU organizations, and make sure we are cooperating, all of us building the right capacity in the area of cybersecurity in the African continent.  With that, I thank you very much, and wish you a nice trip back home.  Specifically a relaxing weekend to all of us. 

          Happy new year in case I won't see you before that.  See you next year.