IGF 2021 - Day 3 - WS #260 Internet resilience towards a renewed resilience for society

The following are the outputs of the captioning taken during an IGF virtual intervention. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid, but should not be treated as an authoritative record.

***

 

>> We all live in a digital world.  We all need it to be open and safe.  We all want to trust.

>> And to be trusted.

>> We all despise control.

>> And desire freedom.

>> We are all united.

>> SAMIH SOUISSI: Hello, everyone.  And welcome to the workshop Internet Resilience Towards a Renewed Resilience for Society.  I'm Samih Souissi, the French Telecom Regulator.  And I will be moderating this session online.  I Will be helped by Lucien Castex, who is present physically in Katowice.  Lucien, can you hear us from there?

>> LUCIEN CASTEX: Perfectly.  Welcome online.

>> SAMIH SOUISSI: We will introduce this workshop while waiting for people to come to the session, either virtually or physically.

So, Lucien, he will be collecting questions on site.  And I will ask the virtual people to ask questions as we will have the Q&A session after the panel discussion. 

Our topic today is internet resilience, which is quite broad topic.  It can be analyzed from (?) perspective when talking about, for example, infrastructure connectivity, and it also can be tackled from a cybersecurity angle. 

The actual COVID-19 pandemic has shown the essential role that the internet has in our daily life, and despite the increase in traffic that happened during the first lockdown last year, networks have held up and the internet has proven to be resilient.  And the internet has above all, been shown to be a key to continue our social, professional and academic life.

However, the internet is constantly evolving with more traffic from particular actors, new technologies, new threats, et cetera.  So, internet should take into consideration new paradigms in order to guarantee the resilience, security and sovereignty over these technologies.  And the guaranteeing this resilience of the internet is a collective responsibility.  And the mobilization of the different players in this ecosystem is necessary to preserve the internet and its core values.

>> LUCIEN CASTEX: Now, in order to identify the issues and challenges facing us, we are pleased to have today in our panel four experts from different backgrounds that will provide us with interesting insights, I'm sure.  So, in a nutshell, the first panelist is Ghislain Salins, is a senior policy expert specialized in cybersecurity, policy and trust in the digital economy at the OCDE.  He has lent analytical work on the digital secretary of products and services, as well as resilience of communications network, including communication infrastructure and DNS.  Before joining OCDE, Ghislain worked for the French Government as a Senior Policy Advisor in charge of international negotiation on the digital economy and internet policy.

The second speaker, Egle Vasiliauskaite, joined the Ministry of National Defense as a policy analyst working managing team of (?) project, cyber rapid response team and mutual assistance in cybersecurity.  Coming from international relation human rights and a load of (?) background, got into the field of cybersecurity and politics and the changing nature of welfare, before coming back to Lithuania at the legal service and international rescue committee.  Bonjour, Egle.

Next speaker is Jean-Jacques Sahel, Asia-Pacific Information Policy Lead at Google since November of 2019, overseeing Google public policy approach in the region for issues including misinformation communication policy and intermediary liability.  Before joining Google, Jean-Jacques was managing director of ICANN office and led the organization's corporate strategy and occupation across the European region.

Last speaker now is Marco Hogewoning.  Marco is public policy and Internet Governance manager for the RIPE, NCC registry for the Middle East and Central Africa, engagement with government stakeholders and policymakers, helping them understand the role of the -- to providing, naming, addressing and the rooting from the core of neutral secure and fragmented internet.  As such, he has participated in a number of national, regional and global IGFs, as well as ICANN and IETF.

So, with such great panelists comes the time of first question.  And the first question I will ask it to Ghislain.  What in the work of OTC when it comes to cybersecurity and what are your recommendations in order to improve internet security and resilience.  The floor is yours.

>> We are happy to be on this panel and to see all of you familiar faces like Jean-Jacques and Marco.  I will briefly share with you some insight of recent OECD work.  We are an organization for economy corporation and development.  And our goal is to promote better policies for better lives.  We have an economic and social focus.  We are mostly an intern governmental organization.  We gather delegates from 38 member countries but also multi-stakeholder organization, civil society, technical community, businesses participate in our work through dedicated advisory committees.

We are not a technical standard setter of the OECD, but we are a policy standard setter.  We provide advice to our member countries.  We help policymakers come together, discuss, and we develop international guidelines, as well as recommendations, OECD recommendations are the highest level of our (?).  They are legal instruments and even though they are not binding, they are usually, they have the commitment of the countries (?) to implement them.

I know there are a lot of committees around OECD, 300, and within the 300 there is one committee that works on digital economic policy, that's a committee that I support.  And within CDEP there is a working security in digital economy with work in cybersecurity, and I'm going to share recent insights we have from work developed at SDE.  It's a very broad topic, internet resilience.  It's hard to try to know where to start.  But maybe we should start with the definition of cyber incidence. 

Cyber incidents are any event that affect the ability, integrity or confidentiality in the AIC trial of networks and data.  Simple definition because historically in the telecom industries been a lot of (?) on the issues.  The network is down, users cannot correct anymore.  But confidentiality issues very important and can be impactful should we should not forgot about them.

What do we mean about resilience?  Resilience is not the absence of cyber incidents.  Cyber incidents are a bit like there are to cyber space, what storms are to the ocean.  You cannot avoid them, ready for them, they will always be there.  But you can adapt to them.  So resilience is our ability to anticipate and to recover from cyber incidents.

I propose a (?) layer approach.  You mentioned infrastructure, I think it's an important topic, the resilience of fiber, fixed network is important.  The resilience of protocols is important, on top of the infrastructure.  And the infrastructure and the products enable end users to use products and services, whether it's software or IoT devices, increasingly the internet is becoming the internet of things.

Infrastructure resilience and a few words about resilience of products and services, as I don't have much time I want to talk about the protocol but maybe we will get to talk about that a bit later.

So, if we look at the resilience of communication infrastructure, what's really key to understand is that our communication networks are undergoing a dramatic change.  Changing, very different from what they were 10 years ago and this change is (?) and it's mostly shaped by four trends that are impacting the resilience of communication networks.  The first of them is increased criticality of networks.  We have seen it with current pandemic.  We rely on networks for our daily life, daily working but also for more critical activities like hospitals or electric grid.  So increasing they are critical to our society and economy.

They also becoming more and more virtualized and they rely on cloud services.  There's a convergence between communication networks and cloud providers.  And there's also an evolution in the network towards more openness, for instance, through what we call open run architectures.  And increasingly the use of AI.  And taken all together the trends have a huge impact on the resilience of networks.  And, basically, bottom line is that business as usual isn't an option anymore to ensure the resilience because it's changing automatically.

These trends bring many benefits to increase the transparency of communication networks, more automation of fraud detection and experience.  And stabilize attacks across the network.  You may have heard of slicing (?) which enables more containerization.  Most importantly, they bring significant challenges and the first of them is that attacks of communication network is expanding significantly to unprecedented level.  The supply chain of communication network parameters is getting broader and more complex.  More and more the networks are a target of attacks of sophisticated threat actors like APTs, advanced persistent threats which have persistent and have almost unlimited resources.

To address these challenges there is a need for corporations to move away from compliance mindset and to adopt comprehensive rich management frameworks and here's what we call the zero trust model is, sort of, of interesting, maybe we will talk about that a bit later.

Now we talked about the infrastructure.  If we look at the other side of the spectrum, at the products and services we use on top of infrastructure, at OECD we published a year ago in February 2021, two reports on this topic.  And the main lesson learned from this report is, actually, security, the resilience of products and services is not only technical issue.  It's very much so an economic and social challenge.  So, typically if you look at the market for IoT, for instance, or the software market, you will see there are misaligned market incentives.  It means that the software operators or the IoT manufacturers they often prioritize (?) market or cost-effectiveness over security.  And even if a users want products that are secure, it's very hard for them to assess the level of security of the products they use because of information asymmetries (?) (?) for instance if you want to buy an IoT device it's impossible for you to understand whether or not it's secure enough and what is the level of security and resilience of the product.

In addition, there are many (?) the value chains of these products are complex and global.  So if you buy software, it's made of hundreds of software libraries which can be an open source.  It's very complex and it makes allocation of responsibility very difficult.  All of this relates to a market failure.  Market dynamics on their own are not likely to bring us an optimal level of resilience and that's why we need policymakers to step in and try to realign market incentives.

What can they do?  Propose six high-level principles that could help policymakers intervene, if you will, in the resiliency.  One of them is transparency and information sharing is very important to address information asymmetry as I mentioned.  Today if you buy a product, it's like a black box, it's very hard to know what's inside.  It's very important to increase the trustability of components and there are very interesting initiatives at this level.  It's called software bill of material as BOH, pushed by governments in the U.S. but also by some companies like (?) the Russian security (?) has developed their own asymmetry.  Another important principle is the one of responsibility and duty of care.  Until now the responsibility of resilience has been put a lot on the users and not so much on the providers of products and services.  There is a need to rebalance this relationship.  So the duty of care it's actually the responsibility of the providers of products and services.  It starts with making products that are secure by design, secure by default, but also by having policies of responsible end of life to try to minimize the gap between the end of life and the end of use.  You may remember when (?) in 2017 it was very much an issue of end of life, meaning users were continuing using a product that was no longer supported by the software provider.

Cooperation is also very important between stakeholder groups across the governments and at international level, maybe we will have time to go back to that later.

So the six principles they are about web government to do but not really how they can do things in practice.  And to help them be more practical with designer policy toolkits.  And the idea here is to move away from the traditional dichotomy between (?) on one side and hard core regulation on other side.  And what we want to say with this slide is there are many policy tools that are available to governments and use multiple tools.  Should start with the bottom of the pyramid, which is really the less corrosive tools if you will.  So everybody agrees we should raise awareness, it's very important.  We also agree that raising awareness is not enough to address the issues I mentioned.

And as you can see, governments have started to take action.  So, for instance, the support of the (?) technical standards for IoT security adopted by HC and by NIST last year.  Some governments have launched digital security labels last year like Finland, Japan, Singapore, which are proving to be quite effective.  And some other governments are looking into draft regulation, cyber regulations to improve IoT security in Japan and UK, for instance. 

The bottom line here is there are many policy tools government should try to pick and use the ones most effective.  But there is no silver bullet.  So, just having one tool will not solve the issues I mentioned before, what you need is a strategy and the use of multiple policy tools.

And of course what's really important as well is the international cooperation because if many governments adopt different tools, there is a risk of fragmentation, legal fragmentation in the coming years and to avoid fragmentation we need international cooperation.

I'm going to stop here.  All of our analytical work is available at OE.CD/security.  And you can contact me if you are interested for more.  Thank you.

>> SAMIH SOUISSI: Thank you very much, Ghislain, for this wonderful presenting. 

Now I give the floor to Egle.  What is done in order to improve internet resilience and increase the level of cybersecurity?  It would be nice for the audience to see the example of Lithuania.

>> EGLE VASILIAUSKAITE: Thank you very much, Samih.  Thank you, everyone, it's an honor to be here.  So I will also share my screen in just one minute.  Perfect.

So, this will be very interesting conversation.  It was very insightful to hear from Ghislain from the OECD perspectives and some of the principles and tips for the governments, so here now I am bringing more of a policy side of things, national perspective and also insights that I have noticed working in the field of cybersecurity throughout different EU initiatives and mechanisms.

So, here we go.  My presentation will focus first, basically, what is existing already, right?  So what are the policies and mechanisms that already here and, you know, what's the value of them.

Then second of all, basically, what is missing.  And then third of all, what we can do about it, also bringing as Samih, you mentioned, the Lithuanian perspective.

So, status quo, nothing ground breaking, we all know this and I'm glad that, basically, now we have reached this common understanding through the implementation of the very first directive and various practices and in public section, private sector in various institutions.  First identify what is more critical for you as an organization, whether it is an institution or a country on a national level.  What are your assets and what you need to protect.

Then, of course, risk management, requirements, measures, basically, it can be organizational.  It can be technical, such as business continuity plan, recover from incidents and so on.  And then, of course, incident notification, and not just when you have to notify the national institution if you receive -- if you are affected by the incident.  But also how you proceed, how you recover from it, how you can prevent it.  And to the point where every single employee of your organization knows what to do, when, for what purpose, who to report and so on, including the communication company as well.

Then national strategies, as Ghislain mentioned, we have to have the holistic, strategic overview of what we want to achieve.  So the Member States of EU already do that with the (?) direct implementation.  And then international cooperation, again, which was mentioned beforehand.  We have to share the information that we have.  We have to cooperate with each other.  And already within this first we have established sensor network on the technical level, which has the threats, near misses, incidents, indicators of compromise and so on, on the technical level between (?) of the Member States and then on the political level, (?) cooperation group for the purposes of strategies, best practices, lessons identified after exercise and so on.

What is more new and more recent, recently, given the lessons identified and recent cyberattacks?  More and more we realize that we need cooperation with one another on a national and international level, basically, empowering each other.  It's not about just, you know, you're the government, that's your purpose.  You are the private sector, that's your purpose.  Each and every one individual can contribute to increased cybersecurity.  And one of the examples coordinated disclosure.  First of all it was an old-fashioned mindset which led to two scenarios, either full disclosure where the vulnerable is disclosed openly, let's say, to the press and the vendor does not have enough time to react to patch -- to become more secure.  And then, of course, users are not secured either.

Or nondisclosure at all, where, of course, vulnerabilities there, but in event user knows about it, but, of course, it can be exploited.  Now and more we have the tendency of, basically, empowering even individuals, being a part of the society, when you can notice, if you notice, let's see there is a vulnerability.  You can report it, report to the institution, to the vendor that has the vulnerability, and also the national cybersecurity center.  And in this way you can make it more secure.

So, various number of states have now started doing, basically, including this coordinated vulnerability disclosure among their policies in their national strategies, one of the examples is that Netherlands, another example is Lithuania.  To not penalize those individuals that are responsible and those -- that want to report those vulnerabilities.

Then also another point is, of course, supply chain security.  As we know, as the supply chain becomes more and more globalized and the more vendors, the more suppliers they have, that increases the surface of attack, right?  We have seen it already in 2013 with a target example where the hackers were able to access the payment details and personal information of the buyers through the cooling and heating system.  We have seen it in SolarWinds, for example, as well.  Now more and more we have seen now with the NIS, too, with the NIS provision, proposal to include international strategies to have it as part of the -- each company's policies to secure supply chain, as well on the political, even EU level, basically, to cooperate together, to assess ICT project services, systems, risks and seek for best practices as this was done in 5G example toolbox in EU level.

Situational awareness.  We have created already certain cooperation mechanisms as I mentioned on the technical and political level but we want to enhance more of a situational awareness between those different communities, so between the technical, between political, intelligence, between diplomatic and we also want to make sure that the political level, those decisionmakers, when the time comes, when there's large scale incident and crisis going on, that the well-informed, how to handle such crisis within every -- basically all the information that they have to have at hand and not just information from the national perspective, but information from other Member States, where, let's say, something might be happening at hand but this might be not (?) for your (?) but tomorrow so you can be better prepared for that.

So, what is missing?  Four points.  What I have observed over the past few years working in the field of cybersecurity.  Yes, we talk about raising awareness a lot, but still, I see that cybersecurity culture is lacking.  Still more oftentimes we see cybersecurity as an issue of IT, as opposed to cybersecurity that has to be a culture of mindsets, that it's everyone's responsibility, whether you're an individual, whether you're a citizen, whether you're an employee, whether you are CEO, whether you are part of the prime minister, part of the government, it is each and everyone's responsibility, because once I also reiterate what was reflected previously.  It's not just about the technical aspects but it's, of course, about the social aspects as well and human factor quite oftentimes is the weak link when it comes to cybersecurity attacks, such as mostly recent Colonial Pipeline attack.  How, why it happened, why it was possible to happen, because the password was found in the dark web on the employee and the same password was used for critical infrastructure and there was no two factorial confirmation.  So essentially it was a human factor mistake at that point at the very beginning that enabled the attack to take place.

So, we have to raise cybersecurity culture from bottom up to top.

Then second of all human resources which we all know, this is probably one of the biggest challenges that everyone is facing in cybersecurity.  It doesn't matter if you are a business or government.  Regardless of your state of origin.

Then trust.  Although we have created those different mechanisms of cooperation on different levels, on technical, operational and political level, still to have -- to take a full advantage of those mechanisms, we have to better trust each other to share the information, which does not take place always these days still.  There is a lot of suspicion, and therefore lack of cooperation.

And then finally mutual assistance.  Besides information sharing, we have to be prepared, as I mentioned before, for large-scale incidents and also crises.  And more often here we see the tendency again, they are cross border, cross sector as well, and we have to seek ways how we can help each other, assist each other in the field of cybersecurity.  So, this aspect now is being mentioned a few times, but we still, basically, are looking for the best approaches, how we can deal with that:  One of the potentially in the future mechanisms could be potentially joint (?) unit to tackle that, to be better prepared as let's say, for example, European Union as a whole, as an actor.

And then addressing those challenges, what westbound done about it and what Lithuania from the political side and national perspective is doing.  I'm not claiming that we have all the questions answered and we have the silver bullet, but at least some of the examples that help achieve, help overcome, basically, those challenges.

So, very quickly, in Lithuania, basically, we have had national consolidation.  So on the political level everything is under one roof of the Minister of National Defense.  Then on the technical level, it is National Cybersecurity Center.  So whether it is private, public, military, civil, we have those resources consolidated.

So, what the minister of defense and national cybersecurity has been doing over the past few years.  So, a lot of public communication campaigns to various parts of society, whether you are a teenager, whether you are elderly person, whether you are a person with a disability, whether you are working particularly in the private sector and so on.  There is public communication campaigns about different threats, risks and specific actions that everyone can take to make them more resilient as individuals, as businesses, as institutions as well.

We have also published manuals specifically targeting small and medium enterprises as well.  We know oftentimes those human resources, lack of human resources, that's a challenge for them as well.  And, of course, you know, we do not want to go approach of only regulation and requirements.  We want to educate people why it is necessary to do certain measures.

And training specifically of civil servants, as we have noticed, increase -- significant increase in phishing campaigns, and, as I mentioned, human factor oftentimes is the one that is the weak link that enables the cyberattacks to take place.  So, we have training -- we have now started training civil servants now for two years.  This has been ongoing.  And there are specific tests as well for people to enter the civil Service in Lithuania as a basic knowledge of cybersecurity that everyone also to know.

And then on the national policy making site, we consult with private sector, with academia, with civil society, with various institutions nationally, as minister of defense, through the cybersecurity council.  We try to get involved as many different stakeholders as possible to have a holistic approach.  To, again, you know, to enable not just that cybersecurity culture, but also trust between different institutions and actors nationally.  So, we consult with them and we share the information ad hoc.  And then, of course, national cybersecurity exercises where we invite members, basically, of -- operators of essential services, critical infrastructure, but also partners, again, those players can be public or private sector.

And we, basically, in those exercises, it's not just about knowledge and skills, but also being ready for different scenarios.  That's our relevant and adopted based on recent cyberattacks and trends and threats.  Again, about -- it's about trust as well, enabling that between ourselves.

Then when it comes to human resources on how we can attract more people to the field of cybersecurity and in general to public sector, we have initiatives such as initiatives targeting women specifically because this sector still where oftentimes women are under-represented.  So, we have programs such as women go tech and women go cyber.  And then specific programs to attract people who have studied and lived abroad and gained expertise in international organizations and institutions to attract them to public sector through project management, seeking very specific results and (?) of one year.

So, and, basically, also countering the challenges of trust, the lack of human resources and how we can mutually assist each other.  The Lithuanian led project of cyber rapid response teams developed in the framework of (?) in security and defense.  And essentially the idea is that, basically, new Member States can delegate their cyber experts, basically, in other words, share their strengths so choosing what kind of profile of cyber expert they want to delegate.  Is it malware analyst, security monitor, so on.  And that cybersecurity team, basically, has common procedures, trains together, has common tool set and that is, basically, commonly developed cybersecurity capacity capability that can be easily deployed to various locations and can respond to cyber incidents but also act preventively through vulnerability assessments and also election monitoring.

And one of the examples we had last year was before the Lithuanian parliamentary elections we had partners from the Netherlands that, basically, tested the electoral commissions vulnerability before the elections took place.  And we were able to patch, basically, to make the election much more secure and resilient to any external interference.

So, that would be it in a nutshell.  And, of course, looking forward to our discussion.  Thank you so much for the floor.

>> SAMIH SOUISSI: Thank you, Egle, for your fruitful insights.

Now I turn towards Jean-Jacques Sahel, you're the representative of private sector on this panel.  So, my question for you is how can a private actor like Google guarantee the resilience of its infrastructure and be an active player in ensuring global internet resilience?

>> JEAN-JACQUES SAHEL: Thank you very much, Samih.  And before I start, many thanks again to our staff in AFNIC and yourself very much, Lucien Castex, for organizing this.  And I hope this is one of many such discussions.  And it's also really nice to be with panelists that I know and also with an audience where I recognize many names and people dedicated to this for many years and for which should be thanked.

Having resilience in internet, I think it's -- what I took over here is catch on some of what Ghislain and (?) already talked about.  But try to think about resilience also in a broader understanding of the world, thinking also about how the internet is used.

And, you know, as we start to emerge from the pandemic, it's quite clear that we are using technology tools as never before, and we have seen a historic acceleration of technology adoption.  And that has put a spotlight on ensuring resilience of the internet and of its uses.

Those of us, I think, here in this room have known for a long time that connectivity to the internet is crucial, but I think now it's obvious to anyone if they didn't know that before, without it, our economies, our livelihoods, our social interactions would just have been near extinguished, certainly.  Nothing like what we have been able to enjoy in a limited way over the past year and a half or so.

As you mentioned, if this had been just 100 years ago when we had this Spanish flu hitting many parts of the world after World War I, imagine 18 months without Zoom, without email, without digitally enabled value chain and logistics, without the satellite navigation systems, et cetera, et cetera.  It would have been a very different experience.  And I think all of that should make us think about the importance of ensuring the resilience and of this whole infrastructure and connectivity generally.

But, of course, even with all that we have today, it has not been perfect.  And it's still not perfect in terms of overall resilience.  Let me share a few slides.  Just a few.

(Audio difficulty)

>> JEAN-JACQUES SAHEL: Just a few thoughts.  Sorry.  Just a second.  There we go.  We should remember that we still have an enormous problem with digital divide.  Yet we have close to 5 billion people who are connected to the internet.  But the reality is there's been many countries, rural regions, remote regions, certain communities are still underserved.  The number you have in front of you, 37% of people in rural and tribal communities.  This is not an emerging country or country in development.  This is the United States that we are talking about.  And we have this problem around the world.  We really need to improve connectivity and it's not just -- it's not only basic access of the internet because even once you have basic access to the internet you still need to be able to use it in a proper way.  So these -- this number of 5 billion people, a lot of that is mobile connectivity.  But in mobile advance just a Smartphone, that's already a fantastic start.  That's enabling a lot of people.  But is it enough to run the economic, to be productive, to run a company.  Usually you need more than a Smartphone.  So, there's the, sort of, longer tale, if you want, of connectivity.  And then simple things, unfortunately like simply having electricity.  So resiliency is, obviously, very much a holistic consideration here and digital divide remains something that we need to work very hard at solving.

And then during a pandemic, unfortunately, bad actors take advantage of those moments.  We have got just one stat here about how many spam messages there have been, you know, per day, 214 million.  Hopefully, if you've got a very good email service, you haven't felt it.  But our service, our entire infrastructure behind the scenes has seen that for sure.  And, of course, what people have seen, unfortunately, is a rise in all sorts of things, like attempts at phishing and malware.

Then we have nothing new, but something, perhaps, more marked where in a situation, in a period when we are staying at home more and using the internet more, is the outages that certain services can endure.  And that's as Ghislain was explaining very well earlier, this is going to happen, right?  Like any infrastructure, any technology before, there will be moments where, actually, repair will be needed.  But, obviously, it's got enormous impact these days.  That's another area to think about.  Spikes in demand.  Obviously, more people at home certainly a certain moment of the day and certain moments of the pandemic, there have been spikes in demand, and as mentioned before, we have been lucky in a way that the network has been coping very well.  That, obviously, requires a lot of work under the hood and that's the sort of thing we need to think about in terms of resilience.

We are in an extension from that from a usage perspective, what is quite troublesome is if you believe the freedom house report for the past year, there's been over 20 governments that have operated shutdowns of the internet either for certain regions of their country or entire -- or for the entire nation.  That still happens.  That governance for usually political reasons decide to shut off the whole of the internet.  That is a resilience issue as well.  We need to think about that.  This is about how our economies and how our societies are able to constant live.  The internet is integral to that.  A shout down, shuts down not all -- that needs to be tackled as well as part of a broader holistic approach to resilience.

Now, moving on to just an example and Samih was asking what companies can do or does to tackle some of the issues of resilience.  So, let me talk a little bit about Google's work in this area.  And trying to be fairly holistic about it.  Starting with network infrastructure.  And Google is one of the internet companies that has for many years now invested in network infrastructure to support the growth of internet and usage of the internet by companies and people.  We are one of the companies that's been at the -- very active, basically, in ruling out submarine cables either on our own as a consortium.  Nowadays submarine cables remain crucial for the internet, 98% of the internet traffic and we are trying to improve that basically connectivity that links countries and continents together.

Added to that, international bandwidth and capacity from local carriers, from local fiber network providers.  In the region I'm in we have got points of presence in a number of cities.  So that's, basically, saying our own network on top of the local network operators who are -- which are based in those countries, of those regions.

And then we have got a number of caching locates around the region, hundreds of them.  The idea easier the content easier which is in itself ensures that or contributes to get the resilience.

Other things beyond network infrastructure that are worth mentioning perhaps if we think about resilience in a broader perspective, is when we do have spikes in demand, how do we tackle that?  One of the things that we did when the pandemic hit was that on YouTube the streaming quality was set by default to standard rather than high definition.  Obviously, the user can choose to go high definition but what it meant is that, you know, in an automated way we were able to make sure that the spikes were mitigated.

Then moving on to some of the aspects that Ghislain touched on in particular were things like IoT, for instance, increasingly and I think for the industry the general trend and something that the world has been doing for years.  We tried to build in safety and security in our -- in the design of our products, in the design of our services so it's not enough to (?) it's not a patch.  It's very much a step in the development process that we are building features designed to ensure safety of users or security (?) of the network or the feature of the two.

Another important aspect of resilience, I have touched on the bad actors.  With very rapidly updated our usage policies during COVID in order to tackle misinformation of COVID, whether it was misinformation on potential cures for COVID or more recently there's been a lot of misinformation about vaccines.  So, our teams have been very hard at work at this.  And this is about user resilience.  I like the term user resilience.  And then those (?) resilience if you want obviously much bigger (?) we have tried to help, for instance, (?) for instance with the exposure of (?) app that we developed in cooperation with Apple.  And which was rolled out in our number of countries around the world in frankly record time.  Obviously what was interesting there is the number of privacy considerations that came into the picture and that's also why it's really important to our discussions like today where we can, actually, both talk about resilience but also talk about making sure that we have a comprehensive approach to entering rights and freedoms are respected.

Now summing it up in terms of the positive impact for what companies like ours can have through measures to ensure resilience at various levels.  If you want to go down the value chain.  Obviously, if you have better network infrastructure, things like submarine cables, we can reduce the price of connectivity, making internet more affordable to end users.  We are reduce internet latency.  Users get better speeds and with greater capacity you get reliability.  And the indirect effects for social site are fairly massive.  Already A PAC it's been estimated that thanks to the network infrastructure investments we have made we have supported 1.1 million extra jobs and, you know, $430 billion U.S. derived from that economic activity.  It's looking to increase.  415 billion over the next four or five years.  More jobs.  And then as mentioned before, high bandwidth, lower latency, more traffic, greater people online and more activity supported online.  That's what we can do if we continue to both (?) as a company but also generally with the ecosystem continue to support greater resilience, greater and better development of network infrastructure.

Now, concluding part I would like to offer a few thoughts, especially on three areas of resilience network, user and policy and regulatory resilience.  That's the terms I have used for this particular presentation.  This is my last slide, you will be glad to know.  On network resilience, amongst many other things, and I would very much support what's already been said around the infrastructure, but a few things I would like to highlight.  Thinking about -- let's think about how we can be innovative in how we use infrastructure.  How can we reuse certain bads bands for new technologies or use certain bands more flexibly in order to get countries to connect people.

Rollout of network structure, things like the landing of subsea cables.  Still a number of countries where it's extremely difficult to land subsea cable even with unlock the countries that are going to make productivity massively, a lot of antiquated laws out there that don't understand what subsea cables are and it's usually local laws to do with local infrastructure that really just need to be (?) it's not a massive list but it needs a concerted effort to happen.

And then, of course, we need to future proof our technologies so think about things like IPV6 to make sure that, you know, the internet effectively can cope with the ever increasing number of devices connected to the networks.  And then just generally we need to make sure the internet remains open at the network level.  This would be a subject of much longer presentation but I will have it there.

In terms of what I term user resilience, thinking about usage here.  As I mentioned, digital inclusion remains something crucial.  And that's geographic but that's also in terms of various groups that need to be targeted and supported.  Together with that, skills and literacy.  A lot of work I failed to mention earlier, we do a lot of training and collaboration with NGOs.  Sometimes with governments in terms of (?) literacy, digital literacy.  And, yes, we have talked and done a lot of awareness raising for cybersecurity for a while.  But I think as Egle was mentioning earlier, it's still not enough.  It really needs to be mainstreamed.  All these skills on digital literacy are a must for everyone not just students, not just seniors.  It's everyone at work and we really need to mainstream that across societies and people can really reap the benefits of the internet fully.  And that, in turn, leads to this concept of this cyber safety or cybersecurity that we need to have, both as individuals but also as society, I think that needs to be embedded in every organization out there.  And every individual should be made aware and I think has public-private partnerships, if you will, we should all be concerned, industry shoulders, civil societies, governments, we should really up our game here.

In terms of user -- (?) their choice on the internet:  And then the final section, just sort of summary, if you will, from a policy and regulatory perspective, I think the example of the subsea cable is a good one but there's more to it.  I think generally speaking we have got think about the regulatory framework that supports the growth and adoption of technology of cloud, of online services, either with regulation that's not there yet or with regulation that needs updating or that may be starting simply because of the level of red tape, just extension of old frameworks, new technologies that don't make much sense.

With that another layer, obviously, we need (?) data protection frameworks in the same way there are regions where the data protection frameworks are still very new.  They need to be reinforced.  Needs to be underpinned by goods, privacy, security, regulatory frameworks and balanced frameworks that enable the growth and use of those services but with all the protections that are (?)

When you think about regulation we need to think laterally outside the box, think about newer approaches that will ensure resilience, not just reinventing or extending laws but really thinking afresh about our policies and regulations and through that finding a balance all the time, how it's not just about preserving safety, ensuring security, it's also about preserving freedoms that should all go hand in hand, not be a choice one against the other.  And it's very important when we think about internet shutdowns, for instance, and generally security regulations, for instance, we cannot have security if we do not have freedoms.  And that needs to be inbuilt.  And should be something that a lot of stakeholders are accountable for, a lot of people are pointing the finger at internet companies for things like safety or privacy.  And that's absolutely correct.  But when we see things like internet shutdowns, content regulations that are coming right, left and center which threaten basic human rights, freedom of expression it's not just a job of internet companies to raise the alarm bell, it should be up to states, democratic states as well as civil society and individuals to raise the flag. 

And it should be up to those democratic countries also to lead by example and make sure they have online content regulations which are freedom oriented as well.  It's very important if there's one call to action I would make loudly for this IGF is that we see a plethora of content regulations coming out which are, frankly, very, very worrisome for the future of humanity these days.

To finish, again, underpinning is the open internet.  I think we can achieve a lot of that through multistakeholder approaches at global and local level.  OECDs, ICANN, IETF and others have (?) room to do more and look forward to working with many of you to doing that.  Thank you.

>> SAMIH SOUISSI: Thank you very much for this lovely presentation and for mentioning open internet and IPCs, two topics dear to me.

So before starting the panel discussion and the Q&A session, I give the floor to Marco Hogewoning and I will have one question for you.  We have seen Egle and Jean-Jacques speak about security, culture, et cetera.  My question is how to make the security culture change in order to better handle incidents and improve the process of learning from each other.  Because it's quite necessary when it comes to warrantying the resilience of internet.  The floor is yours.

>> MARCO HOGEWONING: Thank you, Samih.  And hello, everybody.  I (?) decided that with my excellent colleague panelists.  Most of it has been said, if not all, including IPP6.  So I want to repeat myself.  Yeah, I know, I will come to your question. 

But first of all, I'm here as the technical community (?) work, but, in essence, looking at the topic here, security resilience, we are definitely at the front line, of course.  Ghislain talked about incident.  Yeah, we see them (?) basis.  And with that, especially in terms of resilience, we should also be conscious of the technical engineering reality that there is no such thing as zero risk.  Things will go wrong.  And sometimes things break.  And the big important part is what do you do when things go wrong?

And now I'm happy or, well, happy is not the right word.  But if I look back to a couple of high profile, big, global, notable outages and I haven't heard a lot about this week's one, but a few spring to mind in the last few months where we also saw that people really just stepped forward and said, nope, that was just us.  That was just a stupid mistake.  And, of course, as Technical Community those really hurt because as you are an engineer and you break your network and you're going to have a good look at yourself in the mirror and probably a good talk to your boss.  But things happen.

And the reason I point it out is we have to also understand that not every outage is security related.  Things will break.  So no matter what you do on security, eventually we also always have to design for the fact that things go wrong.  Machines will break.  Cables will snap.  And you have to have enough backup and you have to have enough flexibility to provide the (?) to make sure that critical processes remain running or that, indeed, there are the critical process can do without the internet for a bit, because it doesn't work.

That said, as I said, we see incidents, yeah, the continuous stream.  Not even the ones that hit deadline, of course, in the Technical Community.  A lot of other issues, a lot more that doesn't even get noticed by people in the field, by the end users, Egle already mentioned near misses.  We see a lot of those as well.

And what I do notice, when it does come to security incidents, I often see that networks all subject to the same time of factor and I already gave a very nice example.  In the end it was just a (?) that was (?) already.  And that's really important one.  Because it happens over and over again.  Oh, yeah, we got hit by malware because we didn't upgrade to the software.  And while we know there was a coordinated vulnerability disclosure, we know the (?) there, but insisted or not.  And maybe in that sense also something for Technical Community to take into account and probably be a bit firmer and say, yes, if we want to really guarantee (?) and guarantee security, we have to install those updates and maybe put a bit more priority on that compared to other business priorities such as (?) money.

But also means shutting down.  And that's, again, back to resilience.  If I really want to apply security practices, that means that I sometimes have to shut down parts of the network from my internet.  There are ways around it.  I won't bore with you the technical details.  There is an engineering way out.

Yet what happens if it goes wrong and that's, I think, the key point and the work culture was already mentioned and then you just asked me.  I don't think there is -- well, I am going to draw the comparison, it's often very controversial.  But airlines, of course, there is not a lot of comparison there.  It's super regulated.  There is only a handful of suppliers.  It's far less open than the internet, far less flexible as the internet.  Yet I do think when it comes to culture there's still a lot to learn from aviation, but also from other transports, in terms of culture and the way we handle incidents.

Because what I see a lot these days, especially in the legislative side is that there is a lot of attention to reporting.  Incidents must be reported.  Often within a very short time frame.  Sometimes it also says like -- and then we also insist that you will report back postmortems.  What I see less and that's an observation that is often shared within our Technical Community, is aggregate report.  Those reports are often classified, a secret and what it, kind of, lacks is the information for the engineering, the information for the Technical Community to actually be able to learn from our mistakes and be able to identify the root cause and figure out, like, what went wrong.  And there's countless of examples, even governments that deliberately do not share their exploits.  They know of a vulnerability and they don't share it.

Yeah, that's a disaster waiting to happen.  And that's really where I would urge and often urge policymakers is also share it back.  And, again, looking at it, when aviation incidents happen and lucky by now they are very rare, but when incidents happen, the first part of the investigation is very open and look what happens.  What really went wrong here, learn from that.  The question of is there somebody to blame and if so, what should be countermeasures is second.  And what I notice in the current debates around security, that it's often leans towards punitive.  Your data got leaked and you have to report it and now you risk fine.  I think with that approach, we have to be very careful that we don't, sort of, provide the wrong incentives.  It's a real paradox here.  But if you ask people to report in order to learn from mistakes, at the same time risking that there is a lot of litigation and a lot of punitive measures possibly being taken for just reporting it, I think we are on the wrong track.

So, when you are asking what do we need to change and it is something that I think a culture change in all the stakeholders, even in the end user, is to accept things go wrong.  But when things go wrong, don't immediately go look for the culprit.  But really try to understand what happened, learn from those mistakes and eliminate the root cause.

Of course, if you do that and you have a clear understanding of what went wrong the first time, I am all for it that it happens the second time, you should have a really good conversation with that person.  Because then you got to neglect and that's really damaging.  But at first, take the approach that, yes, something happened.  Now let's find out what happened.  If it turns out that it's a well-known cause, yeah, that leave it over to litigation and find out what to do with these cases.  But often root causes are unique and I think that should not be forgotten.

I leave it there and I'm happy to take questions and discuss this with my panelists.

>> LUCIEN CASTEX: Thanks a lot, Marco, for that great speech.  I want to remind audience, if you have questions, you can obviously take the floor by going to the mic, which is in the corner in the room, and as well on the Zoom room, my colleague, Samih, is following the chat.  So, if you have questions, don't hesitate to ask it.

So, now, I wanted to bump in on what you said and ask a question about today, how can cybersecurity culture be increased, education, awareness?  What are your thoughts on that?

>> MARCO HOGEWONING: Yeah.  It is --

>> SAMIH SOUISSI: The question is open to the whole panel.  If you want to intervene, like Egle, Ghislain, Marco, you can, too.

>> MARCO HOGEWONING: In that sense, like you say, there is a lot of awareness.  And we do see a lot of, indeed, and we have examples what I would almost consider chilling mistakes (?) having a password floating around.  Just avoid that and there's definitely a lot of more effort needs to be done also in education and in human capacity building also towards the end user to be aware and don't do anything.

That's really every stakeholder has a role here and that's why it's important to discuss this at the IGF because it's not only the end user, it's not only the (?) and there is also a role there for regulatory oversight and then for the governments to step in where needed.  So, that's really everybody should look at itself and think what can I do to improve the situation and not just simply finger point to another stakeholder to show it.

>> EGLE VASILIAUSKAITE: I absolutely agree.  Sorry.  Yes, I'm not muted.  Great.  You can hear me.  I absolutely agree with Marco, yes.  It's every one of our's responsibility and has to be our mindset it's not just some IT or IT specialist job, you know, or it's a matter of purchasing firewall, but it's fiber hygiene, also actions, what we do, what not to do, as well, you know, what information to disclose and so on.  So, everyday practices as well, not just the tools that we use. 

But also looking.  If we not from the society's perspective or individual's perspective, I think oftentimes, let's say, common argument from organizations, sometimes that is put forward is that lack of resources, which is absolutely, as we know, that's true.  That's a challenge, you know.  But I would like to flip this mindset.  Instead of thinking, oh, how much we will have to pay you for cybersecurity, you know, for either it's technology -- technologywise or human resourceswise, let's look at it from preventive perspective what we will potentially be avoiding, you know, in terms of the cyberattack if we avoid that cyberattack being more secure as a company.

Not only about money, about the information that might be lost or, you know, particular infrastructure as well, and the causes it might have on the economy and society.  So, I think that mindset shift would be very beneficial when, you know, if you are the one who has to pitch asking for more money for CEO of your company, let's say, you can put that argument forward.

So, yes, it's everywhere.  The companies, governments, policymakers, civil society, individuals.  So, each and every one of us.

>> Let me say something.

(Audio difficulty).

>> JEAN-JACQUES SAHEL: Can you hear me?

>> SAMIH SOUISSI: Yes.  There was like a connection issue.  But now it's okay.

>> JEAN-JACQUES SAHEL: Okay.  Thank you.  Yeah, just wanted to (?) Egle, I think she is totally right.  A lot of people think this is going to cost a lot but the cost is much bigger if we don't, if we don't do awareness raising.  And Marco earlier, a lot of (?) we see in this space is punitive.  We should think about public policy not only read in part.

Let me show quickly.

(Audio difficulty).

>> JEAN-JACQUES SAHEL: Basically legislation but also technology progress and awareness raising and that remains true today for cybersecurity.  So, we shouldn't just rush to legislate.  We should think about a holistic public policy approach and a collaborative approach.  And this is why IGF is a wonderful platform and we use it at global level and national level, to try and put people together and organizations together.  And go and roll out all sorts of awareness raising exercises.  We at Google will -- we have got scale but try to use that scale well and we partner all the time with local actors.  We had a workshop today in the Philippines, for instance, the internet also in partnership with local actors.  Why?  Because we are big enough, but partnering with NGOs to reach groups that otherwise would not be exposed to this controversial cybersecurity.  A lot of potential but we need a desire by some actors to do in and perhaps make good use of the dynamic coalitions at an internal way.

>> SAMIH SOUISSI: Thank you very much, Jean-Jacques.  I have another question but more regarding the digital transformation that we are facing today, like we are witnessing this transformation of the society and the support also for companies, administrations, other entities to innovate and set up platforms.  Haven't we become, like, too digitalized?  Is it all worth it?  Like, in other words, are we not creating a digital dependence and irreversibility in case of failure, like here we are talking about resilience, like is it internet, isn't it becoming like a single point of failure for the society?  Like, this is an open question for the whole panelists.  Thank you. 

>> GHISLIAN de SALINS: I want to say a few words about (?).  I agree with all the panelists that have said that it's really whole society issue so we should try together really everyone.  So it's a good point.  I think (?) have taken some steps forward.  I'm thinking about the cybersecurity month happens in October in the European Union and I think it's getting traction.  I think companies, individuals are getting used to some environments like I have seen France.  France has organized games or challenges for cybersecurity.  I think it really helps to raise the level of security culture.  But what governments can do is limited and I think what Jean-Jacques said is very important.  Awareness is also going to come from other stakeholders and there's one awareness tool that I love personally, I'm sure you know, it is (?) pond, it's the website you can go to, tab your address and realize your address and passwords have been used 10 times and having complex passwords is really important.

I think there are many innovative tools out there to raise awareness in ways that we may not think about.  So, it's really important.

The point where I would be a little bit cautious about awareness is that sometimes when we hear awareness, we, kind of, hear it's all about the users.  If only the users didn't click on the wrong link, then we will be safe.  So we cannot also forget the responsibility of the suppliers, of the providers.  And they also have a role in making their products safe and making, for instance, security updates available quickly and easy to install.  For instance there was a study in the UK a few years ago that showed that 90% of IoT manufacturers in the UK or selling products in the UK didn't have a vulnerability policy.  Which ensures you have no way to disclose (?) and be sure the company will react.  Awareness is great but we should also think about the responsibility of the suppliers and we should think about that altogether, if you will.

>> SAMIH SOUISSI: Thank you Ghislain.  And just to remind the audience of the previous question that the transition will be smoother.  Like you were talking about the digital transformation of four society and if we are not creating a certain dependence and irreversibility in case of failure when comes to internet and its resilience.

So, the floor is yours.

>> MARCO HOGEWONING: (?) from the audience will also share their opinion.  But while we maybe wait for that.  I think you mentioned an interesting one in that, yeah, the internet is short of becoming really the foundation everything we do, all our society, all our economy.  And in that sense it might also, in terms of awareness and, again, sort of, stressing the, sort of, engineering wisdom that you should plan for disaster and not automatically taken it for granted and I think that's also something we should probably make people more aware of, is don't just take the internet for granted.  Because it sometimes doesn't work.  And at the same time we saw some great flexibility when the pandemic hit with people switching to home schooling or work franchising home and we, sort of, that the internet mentioned or functioned as a backup.

But at the same time in a lot of cases we don't have backup when internet fails and especially at the retail users.  If you see, sort of, the global mayhem when a very popular, over-the-top app crashes, everybody is, sort of, like, oh, no, I can't talk to anybody.  And we are like, you still have a phone number.  You still can call somebody if you really have to.  And then we have that backup.  And that's also forgotten.  There's also, sort of, maybe rethink a bit in your own ways and, sort of, the noninternet businesses also and noninternet parts of your life and what do you do when, you know, the internet might not be available?

>> EGLE VASILIAUSKAITE: It is a provocative question, Samih, during this discussion, absolutely.  I mean, I would still say it's worth it, and that advantages outweigh the risks.  But, absolutely, I am here with you, Marco, as well on the fact that people have to be aware of what they are doing online, what information they are putting out there, and also what other ways to maybe, if it is an individual, maybe to keep, secure that information elsewhere.  If it is a company, how can you maybe control the systems also manually, not just, you know, through internet in case of a cyberattack.  So, in that way, you could increase your resilience.  Also, of course, disaster recovery and business continuity plans as well as part of the procedures.

So, there are ways you can secure yourself better through the use of internet.  So that would be my answer but it's also very interesting to see how we are moving forward by -- I think by 2050 already we will have higher number of connected devices which will be higher number of population in the world.  And you know, with that number of connected devices, the tech service increases, of course.  So tendencies, absolutely, are interesting.  So, even difficult to predict what it will be like in 30 or 40 years' time.

So, thank you for the question.

>> GHISLIAN de SALINS: Yeah.  I am with Egle, the think the question is not do we want digital transformation.  It brings many benefits.  I think the question I would ask rather is the measures we take to secure or to make the internet more secure or more resilient, are they really worth it or are they limiting the benefits we get from the internet?  You know, we take measures and, for instance, something about, for instance, I love GDPR, I think it's great for my privacy but nowadays go on any website and you have to click on pop-up window that appear everywhere until you accept, do you accept this policy, is it really effective?  John but it can't have definitions or experience as a user because it can get very annoying.  And I have multiple examples of that.

So we take measures, we think it might work and really strengthen your security, but also come with down side, if you will.  So I think my feedback would be when policymakers put in place such matters measure they can review their effective innocence after four or five years and say it didn't bring the level of security we wanted.  What are the downsides and are there many other options we can explore to have the same results or better results with less annoyance on the user side, for instance.

>> SAMIH SOUISSI: Okay.  So, we have one question from the audience.  And I think it probably related to that regulation.  But like what could be the role of transparency in increasing cyber resilience?  Like nowadays we hear more and more about transparency, about data driven regulation, the role that providing the transparency and using the data in regulating with -- like provide an added value.  So, how can this transparency increase the resilience?  And depends on what are we transparent about.  That's for sure.

>> GHISLIAN de SALINS: Say a few words about that because you may have noticed transparency was one of the principles I mentioned as one of the key principles to really enhance resilience.  I think transparency is really key because, well, first it diverses information as I mentioned so it enables users to better understand the products they are buying.  But also it enables stakeholders to hold one another accountable.  Which is very important.  So, typically to be a bit concrete, you know, there's been in some countries like Singapore, Japan, the creation of digital security labels, a little bit like the nutrition labels you see on food or the labels you see on appliances.  And the idea is to try to help users to make better decision, more informed decision when they byproducts and know that the cheapest product may be also very unsecure.  So would encourage them to buy, for example, more secure.

And what we have seen is labels also act good at incentivizing the suppliers to build products that are better.  Because with the labels they know they can use security as a difference as a market differentiator.  In the end it incentivizes both the suppliers and the users to byproducts that are more secure, which means that we are going to have a more resilient internet in the long run.

I think there's also a few things to take into account when you think about transparency.  Some transparency measures are ineffective.  I was talking about, you know, the pop-up windows.  I also think about the terms and services that are 50 pages long that nobody reads because it's just half don't understand.  It's very transparent but uneffective because it's not effective for users.  And I think the issue is shift competition.  If you have transparency in a market that (?) well, you don't have choice anyway.  So it won't really help you to choose different product.  I think transparency is great, but has to be accessible, actionable by the users and has to happen in the context where there is enough competition, if you will.

>> SAMIH SOUISSI: Thank you, Ghislain.  Any other panelists who want to react on this topic?

>> JEAN-JACQUES SAHEL: Just quickly to agree with Ghislain, importance of meaningful transparency so it's not just shutting out a lot of data.  It's presenting it in a way that makes sense.  And also making sure we use the data, the data that we collect is for that particular purpose and actually useful.  So, I think there's exchanges that need to be had on transparency.

Marco made important points earlier as well that we should remember about how to research a community can, sort of, help each other, if you will, and if we can have at least some level of transparency.  So, yeah.  It's -- I think the answer is -- was, yes, transparency can definitely help in increasing (?).  So, as always trade-off but generally speaking transparency, yes it's a good thing, I would say.

>> MARCO HOGEWONING: Yeah.  (?) reiterated, I think from a technical perspective, an engineering perspective, it really is about learning, understanding what happens to be able to eliminate what actually got and sometimes that means the elimination point is educate your user.  Someone writes on the white board from an engineering perspective less to do, we can apply two factor or something like that to make it really hard to get into these things.  But Egle mentioned (?) really interesting topic and I know that there is also -- and similar vein related to that also and whole movement that particularly wants to eliminate password.  Really interesting engineering developments on that side to get rid of passwords.  That sounds crazy but it actually works if you implement it correctly.

Yeah, no.  I think, yeah, like I said, it's really important and you made a good point that those reports are also useful.  It's not only about how many users were affected.  It's also, indeed, sort of, get the engineer indeed out there and measure and even if that has to be -- and the advice that it can be anonymized and then again, you I think aviation there's a really valuable database that is operated by NASA where people can anonymously report incidents and just provide an aggregate and that's really useful in analyzing and seeing what went wrong.  And, again, to reiterate culture changes, what you often see in aviation that it is about the culture.  It is about, sort of, colleagues not working together or hierarchy breaking down or too much of a hierarchy for somebody that indicates a problem is overruled by somebody else, and I think that's also an important factor to recognize and then I mentioned it, sort of, of in my opening intervention as well, is that often the Technical Community knows what to do.  But has to take a back seat because other priorities are deemed more important to business.  If you culture it down to repairs, then, yeah all we can do, technical perspective is we wait for it to break and (?) and that's also something that we really have to get into everybody's mind, is that sometimes you have to take these steps in a preventive way.

But to the point of reporting, yeah, it's really there, just make sure we can confirm it and make ensure that if we know that you can also tap somebody on the shoulder and say, hey, you should have known that.  You know this is a problem.  Why haven't you done something about it.

>> EGLE VASILIAUSKAITE: A lot of really valuable comments by my colleagues.  I would only add that transparency also adds on to trust as well.  And trust, I identified as one of the still challenges that we are facing currently.  So, you know, whether it is about the products or whether or not you were attacked or whether or not you have vulnerabilities, so more and more we see this really good that it is, the tendency, going towards that shift, you know, that we are more openly starting to talk about that, even in exercises, whether it is national or international exercises quite often still, you know, now you see more companies, let's say, or Member States being more inclined to be hypothetically attacked in the scenario and what they do, how they would handle it.  Previously no one would volunteer but it's also learning experience as well to test your procedures, how you would handle that crisis situation.

So, absolutely, I would say trust on the national level between the manufacturers and users or between different stakeholders nationally, but also on the international level as well, which is key.  International corporation here as we depend on each other.

>> SAMIH SOUISSI: Thank you very much for all those insightful ideas.  And we still have, like, just four minutes.  So I think it's time for the conclusion, I guess.  So, I first thank you very much for being here today.  And I just want to ask each panelist to provide us some key takeaway from this workshop.  It can be, like, just 30 seconds, by every panelist, Tweet like message so you can share with the IGF community.  Let's start, like, with Egle, Jean, Ghislain, and Marco.

>> GHISLIAN de SALINS: I will be short.  My first message would be, the internet is changing so much and getting so important that business as usual isn't an option anymore, stakeholders must cooperate to increase resilience.  Number two, cyber space is global t needs to remain global to enable that we need international cooperation to facilitate (?) the technical level but also at a policy level I think it's very important.

>> EGLE VASILIAUSKAITE: Thank you.  So, my key message probably will be reiterating about the cybersecurity culture.  So, if we want to move towards more resilient society, there has to be a mind shift in a culture that it's not just a matter of IT.  It's each and everyone's responsibility.  Thank you.

>> JEAN-JACQUES SAHEL: Thanks.  Plus one to all of that.  I think it's about collaboration between all stakeholders.  I think we need more of these discussions.  But move from the discussions to actions together and I think we should realize that we all want that resilience.  Whether we are governments, industries, civil societies so we should join forces and I think we should use forums like this one, multi-stakeholder forum, multi-stakeholder alliances to progress.  Thank you again.

>> MARCO HOGEWONING: I think the question is not if it breaks.  The question is when it breaks.  And the important bit is that when it breaks, that you can look back and honestly say, this was totally unexpected, this was something we haven't seen before.

>> LUCIEN CASTEX: Thank you.  Thank you all.  We have just under a minute left so that was quite interesting.  You can takeaway.  Indeed it's a question of balance, not too much, not too little responsibility, not too much, not too little knowledge, obviously, nor regulation.  Thank you Ghislain, thank you, Egle, thank you Jean-Jacques, and thank you Marco.  Clearly, multi-stakeholder fora has a key places to discuss such issues and the IGF here in Katowice and also at the local and regional level playing the role.  Thanks, and see you soon.

>> SAMIH SOUISSI: Thank you.  Bye-bye.

>> EGLE VASILIAUSKAITE: Thank you very much.

>> We all live in a digital world.  We all need it to be open and safe.  We all want to trust.

>> And to be trusted.

>> We all despise control.

>> And desire freedom.

>> We are all united.

(Session was concluded at 15:35 UTC)