>> LAURA PACE: Hi, good afternoon. My name is Laura Pace and I'm your Moderator for this next one hour. I think we should just start. Good?
Okay. So first of all, I wanted to thank the IGF Secretary for accepting our proposal and the Government of Brazil for hosting this IGF. I am responsible for external roles at the Global Cyber Security Capacity Centre and my role is sort of like a knowledge exchange. I want to set the context of this workshop and then I will handle two colleagues that have an intervention and then we'll open the floor to many, many new questions.
So The Centre was set up in 2013, and this is just to basically introduce you to what we are doing. We have been set up to become a global knowledge resource on effective Cyber Security Capacity Building. And really what we are trying to do is in collaboration with a number of International organizations, and also Governments, gather as much experience on Cyber Security Capacity so that we can really understand what is working and what is not working. And obviously, we sit at the University of Oxford, the Oxford Martin school, which is set up to address 21st Century challenges. And the thinking of the Centre is led by Professor Sadie Creese, in collaboration with a number of other academics, drawn both from across Oxford and also across the world. And in the first 18 months of establishment, they developed a model to measure, or not really measure, but really understand the maturity of Cyber Security Capacity based on the maturity and models of the 1980s, the software models. They developed this model that addresses Cyber Security Capacity across five dimensions. And Taylor, who is our academic in the room, or academic on the panel, will be running you through the detail of that model and how we have been deploying it across the world.
The other thing that I wanted to just mention before we start is, in terms of objectives of this workshop, we are trying to build a global understanding of what effective capacity really, really means. And we are looking at it through currently a number of considerations. We have 48 indicators in our model. We are inclusive and we work with everybody. We also have our own human resource limitations, so it would be foolish for us to work independently. So we work with a number of International organizations. And to my right we have the Organisation of American States represented by Barbara. And online, we have the World Bank represented by Natalija, and they will be making an intervention of their experience working with the model across their programs of work. And we also have Ryan who will be able to give us a perspective from Latin America through his work.
We are holding a number of conversations with a number of other International organizations and we are also in conversation with direct Governments, because what we are trying to do is encourage as many people to be working off a similar set of considerations when we are looking at the maturity of Cyber Security Capacity, because A, it enables us to be working off the same kind of page, and B, we are trying to bring this meaningful ‑‑ a new meaning to International cooperation by engaging in one debate.
So, I think I'm just going to hand over to Taylor so he can run you through the detail of the model and then we'll move on from there. Thank you.
>> TAYLOR ROBERTS: Hello, everyone. Thank you for coming. My name is Taylor Roberts. I'm, as Laura said, an academic and one of the researchers at the Global Cyber Security Capacity Centre. So I want to tell you about where this came from and how we developed this model and then I'll tell you about how it was applied as well, without stepping on too many toes from some of our other panelists.
The idea was we didn't want to reinvent the wheel with this maturity model. This is a lot of different and segmented expertise in Cyber Security Capacity that we wanted to make sure we utilized. We look at Cyber Security Capacity very broadly and broadly across five different dimensions. We look at Cyber Security Policy and Strategy, which looks more at the national level policy, looking at what sort of incident response capacity you have and do you have anything set up? We look at whether or not there is a critical infrastructure engagement plan that they have developed. Another dimension looks at the cultural and social aspects of Cyber Security Capacity. Are there programs to develop awareness? And what sort of trust and confidence‑building measures are there to try to raise that aspect of Cyber Security Capacity? Another dimension looks at education training and how are we developing skills so we can have on‑the‑ground expertise in Cyber Security?
Another dimension looks at the legal and regulatory frameworks around Cyber Security, and the final dimension looks at the more technical aspects that we are all associated with Cyber Security.
And so, we developed this model in consultation with a broad array of experts, not just academics like myself. But these are also government experts, private sector experts, who have a niche area of what Cyber Security is. And so the idea is to say that all of this is represented in a very all encompassing model that sort of seeks to say, okay, this is ‑‑ we have five stages of maturity in this model ranging from an initial stage where we are just starting to think about Cyber Security Capacity, then sort of you have an established stage in the middle where it's like we have something but we don't check to see if it is being assessed. We don't check to see if it is being implemented properly, but we just kind of have it. And then ranging on to the sort of dynamic level where you're not just taking into the ‑‑ and re‑evaluating your initiatives, but you're also doing it in realtime. You're able to adapt to the evolving threat environment, and this is really the sort of idealized stage of maturity we want to be at.
And I would also say that there is probably no country in the world that would be at a dynamic stage in all aspects of Cyber Security Capacity; because you cannot be static in any of these initiatives. You have to be continuing to assess your performance.
So what we have done is we have taken the maturity model that we developed last year ‑‑ and again I should also say, this model is an ongoing process. We take the lessons we learned applying this model and we are looking to make another iteration of it so the nuances we capture aren't going to waste but feeding back to the knowledge resource. We established a series of partnerships, one of which is the Organisation of American States. We worked closely with the World Bank, with the Commonwealth Telecommunications Organizations and some individual governments as well. This is really to support their projects, because really, like Laura said, we don't have the human capacity to go everywhere and do everything. What we want to do is say, okay, if you're, for example, trying to build capacity in your own organization to understand Cyber Security so you can make strategic investments, we'll work with you in your project countries so that you can take the model yourself in the future and deploy it in your projects. So we have done that in 10 countries thus far. We are in the process of 10. Some of our colleagues are in Fiji right now. They are in Fiji and we are in Brazil. Neither of us got a terrible deal out of this whole thing. And so, really, we are also taking that and taking the lessons learned and putting it back into the model.
So that is just one of our main outputs. Some of the lessons we gained so far are very, very interesting. We have been to countries that are sort of just starting to think about Cyber Security Capacity. Where do we want to go from Ground‑Zero? To countries that are very quite dynamic in their approach and looking at it on a sort of spectrum. It's fascinating to see those sort of nuances. And I'm happy to respond to any questions you have about that, those areas in particular. And I think before I hog up anymore time, I'll turn to Barbara so she can ‑‑ I'll turn it to Laura then.
>> LAURA PACE: Thank you, Taylor. I hope there will be a lot of questions. We have a remote panelist. Our colleague Natalija Gelvanovska from the World Bank should be joining us. Natalija, are you there?
>> NATALIJA GELVANOVSKA: I'm here.
>> LAURA PACE: I can hear you. But probably we need to up the volume a little bit. Still very faint. The volume needs to go up. I can see you.
>> NATALIJA GELVANOVSKA: Hi, Laura nice to see you again. Hi, Taylor, and hi, everyone. So thank you very much for bringing the World Bank in. Good day to everyone. And big compliments to the hosting country, Brazil, on organizing the IGF.
To start with, the Cyber Security Capacity ‑‑ it is the Cyber Security issues that is the key leading program and high awareness on all levels of this society, in public sector, in private sector, in academia, is a motivation that will lead to strengthening Cyber Security environment in the country as a whole.
And good awareness and good capacity of National Cyber Security situation is not just one person knowing how the situation in the country is. It's not just about having the strategies adapted. Moreover, it's about everybody being on the same informational field.
It is about coordination, about everybody. And it's about focus on priorities. So, we did a lot of Oxford capacity models that was presented to you a couple of minutes ago in many countries in Montenegro, Jordan, Armenia, our motivation to partner in these activities is because model is exactly a way to measure the progress and build these kind of awareness on the national level horizontally.
So this is a very comprehensive and interactive approach on how to do that. More than that, for us, development as a World Bank, it supports afterwards implementation of the recommendation, including providing of financial support.
And I see it is important change of paradigms that we can observe currently, is when developing banks are taking very seriously support the development of Digital Economy, including Cyber Security. The fact that the World Bank is getting involved into measuring Cyber Security Capacity was never done before. Inter‑American Development Bank is financing the same subject represented to you by the ‑‑ (Indiscernible) ‑‑ not to mention that the World Development Report being launched by the World Bank is focusing on Internet for department and the measure has to be available, affordable, open, secure, all this support for the development that we're overseeing now.
As a bank, I am sure that we are going to see many interesting development projects financed across the Developing World focusing on improving digital environment infrastructure, skills, digital supporting businesses, and all those will also need to consider a Cyber Security. And we are starting today by increasing the understanding ‑‑ in a very comprehensive manner, in a horizontal manner, on the national level. And as important, seeing that this model is bringing ‑‑ it allows to have a global harmonized approach for understanding the Cyber Security Capacity.
So, with that, I would like to thank you very much and I will be very happy to take any questions when it will be allowed. Thank you.
>> LAURA PACE: Thank you, Natalija, for that. So, one of the strategic relationships was with the World Bank. And the way we approached our relationship with the World Bank was really so that we could work with our colleagues there so that they could be able to consider Cyber Security where they are looking at very, very large ICT investments. Our relationship with the Organisation of American States is a little bit different because among the many things that the Organisation of American States does, they really do drive the development of National Cyber Security Strategy across the region. It was perfect timing when we met because they were just embarking on carrying out this regional mapping of Cyber Security Capacity, and they thought the considerations of the five dimensions would be able to assist in our work. So I'm going to hand it over to Barbara now.
>> BARBARA MARCHIORI de ASSIS: Good afternoon. My name is Barbara. I work in the Cyber Security Program in the Organisation of American States and OAS and the Inter‑American Development Bank on how to better understand the region and how information developing this maturity model. So we worked together and see how we can better understand Latin America and the Caribbean. There is a lot of neutral specifics about regions of the world and about referring to countries, Latin America, the Caribbean not so much.
It was a really comprehensive and sophisticated online survey that it could ask our countries to answer and so we could have information and use the five dimensions that Taylor was explaining, and try to figure out what is the maturity level of each of these countries.
So, it was really a great experience applying this, conducting this application tool, throughout the region. How we do our program. We have what is called national points of contact in each of our member states. So through them we say, okay, let's target relevant actors that could help us answer these questions. It was the first time. The idea is that keep this updated so we will be conducting this survey in the future too. And it was interesting. When we took this, as Laura mentioned, to the countries that were helping draft in the National Cyber Security, that is one of our words. And what we did, we took this online to the application to them to answer. The first roundtable when you're trying to start drafting, discussing, what should be the content of a National Cyber Security Strategy for the country is really challenging. First we need to get information from the country so we can understand and better prepare, facilitate a discussion. Also, countries ‑‑ each sector come with the perspective of their sector. So we need that information but also important to have in mind, to keep in mind, we have to make it a national level, bring in national vision. And that is why I think the tool was really interesting.
The maturity model, when we started answering the applications in the survey, you saw all the dimensions. People from the technical sector think, we have legislation. We have awareness and education, policy, all the other aspects. So it was really interesting to start the development of the discussion of the National Cyber Security Application Tool.
We are preparing our report, together with IDB, then we basically will portray the situation of all countries with the indicated dimensions and metric level. We didn't design it as a ranking. Not the purpose. The purpose is so each country can see and understand what is its maturity level in the dimensions. And we are going to be probably releasing by beginning of next year or end of this year. So consolidating all the information. But it was really interesting seeing the program start in 2004, and to see how ‑‑ we saw significant changes in the region. So you have an idea in 2004, only five countries had National Cyber Security Incident Response Teams. Now 19 countries. Of course, in different national levels. Some are just formally established. Others have more technical development. Others have still struggle with human resources, financial resources. But it was really a great growth in the region. Also the interest of establishing some sort of a national discussion about the topic so we can see this trend. So I think that is it.
>> LAURA PACE: Thank you for that. I think actually Latin America and the Caribbean is the first region to undertake such an in‑depth study on the maturity of Cyber Security Capacity. I know ASPI conducted some of the study, but I think this is the first in‑depth one. It's good to hear you're going to continue to update and review. Because we are so young as a Centre, I haven't even begun to think about reviewing what we are reviewing. So that is really good to hear. And it's brilliant working with partners that are so engaged in their membership.
>> BARBARA MARCHIORI de ASSIS: It's not just a report. We are calling it Observatory, so we can keep track of this, the development, and see. And another thing I wanted to clarify is, we understand the countries have different challenges and needs and sometimes that is a specific topic, it's not a priority, because they have other struggles. So that is my situation. Well, I can't do everything. But can I focus on that? That is what we are trying to see, your priorities. And, of course, we can check the other countries and make partnerships with them because they have been developing similar projects too. Each country is different but we can see a trend in the region and you can work together. I think that is the purpose of The Centre, the World Bank here. And so we can work together and improve Cyber Security in the region.
>> LAURA PACE: Thank you. And listening to you and Natalija speak, I forgot to mention something that is actually quite important. When you're looking at ‑‑ or when you go into or enable countries to hold these reviews, there is a capacity‑building element in just holding the review; because in order for you to hold that review, you need to bring a number of stakeholders from across governments, across industry, academia, civil society to contribute to the review of capacity in the country. So, the actual deployment of the model in itself is a capacity‑building initiative, or exercise, I would say. And you can obviously see that very evidently when you're looking at countries that are beginning to consider Cyber Security Capacity. In more mature states, we have recently held review of the U.K. and the report is to be published hopefully by the end of the year. I won't say dates.
The level of the discussion and the capacity‑building‑sort‑of discussion across those stakeholders is very different, but it still does drive that debate, which is really interesting. At least I find it interesting.
So I'm going to hand over to Ryan because Ryan and I have had so many conversations about how do we address this? What possibly we think can be more efficient approach to capacity building and Cyber Security. From your perspective, I think it will be really interesting to hear.
>> RYAN JOHNSON: First thank you, Laura, for hosting this panel. Thank you to the Government of Brazil and the IGF Secretary for allowing us to gather here today. My name is Ryan Johnson, a Consultant based in Santiago, Chile, and I worked for half of my life in Latin America mostly related to various elements of Cyber Security matters, and most recently in sort of a political advisory position, or policy advisory position, to several governments in the region on International organizations.
Following up on what Laura foreshadowed a little bit. One of the things that remains a challenge, particularly in the Latin America region, and I would imagine in other regions of the world as well, is a lack of harmonization of standards, or even the context by which two delegations from various states can communicate if they represent, for example, CERTS.
What does that mean in Latin America? If you ask in Colombia, it is part of the Ministry of Defense. In Chile, we kind of have a national one but we also have an academic‑based one, the primary focal point for external inquiries. Being able to coordinate at that level is knowing which ‑‑ because everyone brings a different paradigm to what security means.
One of the key elements that I think the maturity model represents is an ability to standardize and quantify specific measurements across‑the‑board. Again, not to create a ranking but simply speaking on the same things. The remaining challenge, and one that will go on for some time, is the concept of what do member states in the region want out of a National Cyber Security Strategy? Do they want something simply like a cybercrime legislation? Do they want something more comprehensive? How do we, in terms of promoting development and trade, particularly electronic commerce, how do we devise a strategy that promotes that in a secure way and also will lead to regional integration of e‑Commerce policies? And I think that is something the work of the World Bank here lays out a very clear precedent for something that hopefully we can continue to apply in Latin America. Like in many regions, weak institutions are a challenge for us in Latin America. Even some of the middle‑income countries in the region, cyber security is often driven by a personal or individual or small group of individuals, and hasn't yet reached that point where it becomes an institutional objective, or even an obligation of the state to ensure the security of its Internet borders.
So that is something that we will need to continue to work on, and I think there is several programs going on with that sort of mind set in general, but it is part of the concept of maturity.
One thing that I'll bring up is the role that civil‑society actors have been having in the region, partnering with governments. So you have organizations like the OAS, VITU and the Internet Society, all of which have ‑‑ and several others ‑‑ have really strong policy‑level engagement and have had introduced methods, model laws, harmonization guidelines that will help in the region. But one of the key challenges that remains is awareness on the policymaker and executive agency on behalf of what is available to them.
Even in some South American countries that I worked with, there is not a widespread recognition of ‑‑ for example, if you like to have better e‑Commerce laws ‑‑ can give you model laws that can help with the process of improving your laws, evaluating what needs to be fixed or arranged to provide for a better e‑Commerce solution.
And if you walk into a room with the Minister of Commerce of a country and say, this is great you want to do that but you don't need to reinvent the wheel. I can give you in paperback form right now, or download from the Internet, very good ideas that have already been worked through and put in place and, in fact, will help with regional integration. There is oftentimes surprise.
And so, one of the questions that we are left with is, what is the best way to reach out to policymakers to explain to them what some of the objectives they might want to be interested in doing, and how do we explain to executive agencies how they can ‑‑ what resources are within their reach for very limited cost ‑‑ oftentimes cash flow or human resource restrictions are limiting factor, but oftentimes organizations can provide financial assistance or at least short circuit some of the lengthy processes to bring a solution to the table. And that is something that requires a lot of civil‑society interaction to know what is available and then start bringing it to the governments in the region. That is something we have been working with pretty extensively. I'll turn it back to Laura.
>> LAURA PACE: Thank you for that. I believe Natalija wanted to come back in with some comments?
>> NATALIJA GELVANOVSKA: Thank you.
First is observation regarding capacity model implementation and the countries to, say, being an exercise in itself. So that is very much true. And we have seen in many countries where we needed practical sitting with all the stakeholders day after day and then really the exercise itself is organized. It is to bring relevant stakeholders across the table in the same area where they didn't before. This is very important aspect in particular for us, development institutions that work in a difficult environment, a very difficult country with many difficult and emerging concerns. So they may not be able to organize themselves. And this exercise is precisely our roles to do it. Those people usually met each other for the first time and have no idea they are part of the same thing. (Low Audio)
>> LAURA PACE: One second. We need to pick you back up. One second. We are working with audio here. How are we doing, audio? We lost Natalija. Hopefully she will join us again. I think what Natalija was saying, she was drawing on the point that I raised earlier about the capacity‑building initiative and the exercise. But the first part of this was to focus on the model that we developed when Ryan was talking about measurement, and then what we really mean is considerations. So the outputs from the reviews, the product is never going to be a detailed mapping of Cyber Security Capacity that would possibly put a country at risk. Far from that.
What the model is looking at is, trying to measure the maturity of Cyber Security Capacity based on consideration. So for example, usually the most controversial indicator is when we discuss cyber defense. And it is in there, but the indicator on cyber defense doesn't look to map the cyber defense capability or offensive capability or defensive capability. What it does is, it looks to a government's consideration of cyber defense. Is it having a discussion? Is it holding these discussions? Are these discussions, do they involve varying stakeholders? Is it premised on consultation, et cetera. So I wanted to make that point.
So when we talk about building a global understanding and enabling nations to review this Cyber Security Capacity, it is premised on this model. You would be able to access the actual model on our website. We have a Cyber Security Capacity portal which is a collection of our work, articles, papers, also of many of our colleagues, all the International organizations and a lot of other think tanks and academic institutions and the private sector.
One other thinking is obviously maturing when we are looking at Cyber Security Capacity. We started to look at whether there is even a relationship between quality and quantity of data. And because I'm not the academic, far from it, I'm going to just hand over to Taylor so he can give you a little bit of a brief on what it is we are doing, and then hopefully we will open up the floor for questions and look forward to hopefully answering them.
>> TAYLOR ROBERTS: I know metrics is not the most exciting term for some people. So I'm going to try to keep it brief and at least keep it engaging for everyone. So something that struck my mind is that a lot of policy initiatives are seeking to enhance what everyone is in cyber security. If I have a policy, awareness campaign, education initiatives, if I implement these standards, I will be, my cyber security, will be enhanced.
But that is often very well very different than, say, how the technical community might view cyber security. It has a number of botnets gone down. Is there a reduction in the prevalence of incidents? Are software updates being incorporated regularly so that you're being patched for security? There are these divergence, and up to this point, hasn't been an established relationship between these qualitative aspects of Cyber Security Capacity and the more quantitative metrics of indication. So what I'm hoping to do ‑‑ and I have been working very closely with our colleagues at Microsoft who have an understanding of security and use their computer per‑mile and encounter rate to sort of provide an intelligence report on Cyber Security Internationally, and other sources of data as well. So that is what I'll come to in a moment. Can we find relationships between these policy efforts and these indicators that are more quantitative in focus? So, for example, if I was to look at the implementation of an awareness campaign in country X, am I able to see over time, a reduction in these quantitative efforts? Or to put it another way, if I have a maturity level of the established level issues, the third stage of maturity, do I actually see an identifiable lower level of these more quantitative indications of capacity? I want to try to bridge the gap between policymakers and technical communities so that you can be relatively effective with your policy endeavors. And I think that is something that both communities can get behind. And what I want to try to bequeath from you is, if there is good indication of what a quantitative metric for cyber security might be, or any data you are willing to share, I'm interested in that. And I have a paper that outlines the scope of this project and I'm happy to share that with anyone. Thank you.
>> LAURA PACE: Okay. Thank you, Taylor. I think it would be far more interesting for us if we open up the floor. We could take some questions. I think there are microphones in the back. So the floor is yours then if you have any questions. I think you will have to come up to the microphone if you do have any questions. Thank you.
>> AUDIENCE MEMBER: My name is Nabine (sp). I represent Association of TelCom Operators based out of India. I have a question. And before that I would like to lay out a perspective and see if there are any comments. From a capacity building when we talk about Cyber Security it's not only about cyberspace, because according to me, it talks about not only about cyberspace, it talks about technology, security, network security. And I think when we talk about capacity building, I think it really makes sense if the government, worldwide, engaged in industry and try and create a repository of capacity building; because when we talk about cyber security risk, it doesn't help if we have discussions inside a closed room without sharing the risk which are prevalent worldwide. So when we talk about capacity building, it's about to what extent we are trying to share our experience, be it technical, community, academia, industry, government. There has to be some shared knowledge and principles. So with this background. My question is, as part of your analysis, have you created a databank in terms of how different governments approached, in terms of engaging the industry, to build a capacity? Because a Google search talks about the ongoing risk and technology advancement which are posing cyber security risks. Because for example, Government of India, a couple of years ago, opened up the discussion on cyber security by setting up high‑level comments under the Chairmanship of the National Security Advisor where they engaged the industry to try and see how from perspective of securing critical infrastructure and trying to work with the industry and how we can make network secure. Be it is giving directions, or in creation of what is prevalent in the U.S. called the ISACs, or where industry is required to report cyberthreat incidents on a periodical basis. So, this way not only capacity increases awareness about the risks and issues coming and affecting us on the platform. 
So in case there is any other study or any best practices can share with us as part of the analysis, that is really helpful. Thank you very much.
>> LAURA PACE: Can you answer that and also point to the paper?
>> TAYLOR ROBERTS: Thank you very much for your question, and I think that it really is a crucial point. So the capacity‑building efforts that are going on at the national level, whether that be through cooperation of ISPs of government, or critical infrastructure of government, it is so incredibly important to share those lessons learned so that other countries don't have to reinvent the wheel. And on the basis of that, the Global Cyber Security Capacity Centre has a Cyber Security Capacity portal. It is an online resource where we are trying to collect all the different cyber security capacity‑building initiatives going on around the world and giving them a stage to be on.
So that you don't have to go through Google and try to search for all the different initiatives that are going on in the world. Go to one place and you can find it either by the issue itself, whether that be cybercrime mitigation, or whether that be critical infrastructure involvement with the public sector, and/or what is going on through the GFCE, which is going on at 4:00, I believe. And Carolyn, who is standing in the back, will be able to address that better as she is our Cyber Security Capacity portal lead. They are looking on a mapping initiative of cyber security and initiatives that maps out across the world. You can click on a country and see these sorts of initiatives going on in that country. So there are some cards that are floating around that have the portal's address around, and please do feel free to come to us about that. And one last thing, about best practice.
One of my colleagues is developing a paper on looking at the effectiveness of computer emergency response teams, our Incident Response Teams, and seeing how ‑‑ what metrics are being used, not just number of incidents. That's not necessarily the best indication of effectiveness, but what are the grand scheme of metrics being used to more effectiveness? That is something she will be releasing soon, but I'm happy to fill anyone in on that as well.
>> LAURA PACE: Thank you. And I want to add something because I think if I understood your question correctly, apart from the analysis, are you encouraging engagement for the private sector in terms of developing this capacity? I thought there was an element of that to your question. And I think absolutely the model is premised like the main consideration throughout the model is, one, Human Rights; two, International cooperation; three, multistakeholder collaboration. There is no way that this can be done singularly by one sector as opposed to all of them working together. So I wanted to raise that point.
I think we have a remote participant with a question, and then we have the Secretary General with a second question.
>> REMOTE PARTICIPANT: Can you hear me?
>> LAURA PACE: It is very, very faint.
>> REMOTE PARTICIPANT: Can you hear me?
>> LAURA PACE: Hello?
>> TAYLOR ROBERTS: Try again and we'll see if we can hear you now.
>> REMOTE PARTICIPANT: Is it better now? Can everyone hear me?
>> TAYLOR ROBERTS: Better now.
>> REMOTE PARTICIPANT: Sorry, guys. I'm from Nigeria but due to Internet constraint, I wasn't able to connect. But with this discussion I have a few questions to ask. We were talking about cyber security, yes. I'm from Nigeria but I still ‑‑ most of the application we use and facilities we use, most of them are from the western world. Now my question is this. We have a few people ‑‑ we engage in training and we are getting to have development from the world. My question is this, we are talking about cyber security. My question is what model or ‑‑ talking about awareness, and talking about a model. What is the platform? What does the model support? Anything for a country like Nigeria that we have no level of ‑‑ (Low audio) ‑‑ capital resources and have certification or training, adequate training to be able to combat this trend? So I would appreciate if I could have an enlightenment to be able to answer these questions.
>> LAURA PACE: Thank you for your question. Are you going to go for it, Taylor?
>> TAYLOR ROBERTS: To draw attention to the human element, we do throughout the model; but in particular, there are two dimensions that are really focused on that. The first is a cultural and social aspect. That doesn't look necessarily at the sort of becoming a cyber security practitioner but rather how do you raise the awareness and the mind‑set of a country so that across‑the‑board, you don't have to worry as much about the weak link in the chain. As everyone seems to indicate you're only as strong as your weakest link when it comes to security. What is going on to raise the awareness of individuals? That is one key element of maturity.
Another one is the skills aspect, getting the professionals in there. And for that, you need really at least two or three elements. One, you need education. And by education I mean sort of more formalized classroom education. Do your courses offered at the University level reflect the needs of the business society? Do you have courses in Cyber Security or Information Security at all that are available? To what degree is that integrated into primary‑ or post‑graduate education? Another element is training. Do you have local training providers or do you bring in International training providers that allow you to develop the skill set of a country and make sure that you have good, solid cyber security practitioners?
And the third level is the corporate knowledge of cyber security. A lot, from what I come to understand, it's if you don't have that board‑level buy‑in, you're really not going to be able to go as far as you want with Cyber Security Capacity because you're not going to be able to get that investment you need. So what efforts are going on in your country to raise the awareness of the Board so that they can make strategic decisions about risk and strategic decisions about making sure their infrastructure and company is secure against potential cyberthreats? And that's just two elements of the human aspect.
>> LAURA PACE: Thank you. I believe we have a question and then the lady ‑‑
>> AUDIENCE MEMBER: Hi, everyone. Liz from Kenya. This is a comment maybe to government and technical community, or anyone who might be able to chip in. I don't know if it's a question or comment. Now, we have been having governments trying to reach out, companies like Huntington and high‑level companies to hack websites for good cause. Now, I'm trying to ask then, whose role is it to monitor? And whose role is to make sure we have freedom of expression so their users are encouraged to use the Internet you're trying to protect, and the Internet that you want to notice like 10 years ago? So who bears the cost of this maintaining cyber security? And you're talking about collaborating, efforts, then who has the role in what?
>> LAURA PACE: Thank you. Shall we take your question as well and then we'll respond?
>> AUDIENCE MEMBER: Thank you. Mine is just an observation. I really want to commend the Oxford University for the work that they are doing. I come from the CTO, Commonwealth Telecommunications Organisation. We conduct a lot of capacity‑building projects such as Broadband, Regulatory issues, Cyber Security. We administered several governance model last year and what we have been doing is trying to apply that and adapt to several countries. What we found that it was useful for us to collaborate with the Oxford University in the work that we have done so far. Currently as we are speaking, we have a team of consultants, and Oxford University in Fiji, trying to establish the strategy for the governments. And we insist, we insist, that the participation, the elaboration must be from all stakeholders. And that will partly answer the question, which just asked. If you don't have all the stakeholders participate and the policy and strategy and collaboration, you will not get buy‑in. And that is, those taking responsibilities will not take responsibility because they are not convinced. So we put a lot of emphasis in this. Over three weeks ago, we brought in high‑level Board Members, Chairman of Regulatory boards, and we also invited the Oxford University to share their experience. I really want to extend on what you're doing and I hope you can steer efforts and collaborate more with us. Thank you.
>> LAURA PACE: Thank you for your comments. We are delighted to be working with you. And similarly to the way we work with the Organisation of American States on the development of national strategy. The relationship with the partnership with the CTO is pretty much similar, obviously with a different membership or overlapping membership, but when the CTO go in, working with a country to develop the strategy, they deploy the model to get this broad picture of what capacity is on the ground before they then go and do their deep‑dive development strategy work. So Taylor would you like to answer our colleague from Kenya?
>> TAYLOR ROBERTS: I'll try. And sorry if I'm hogging the mic. Anyone else, feel free to steal it from me.
>> LAURA PACE: I was going to ask Ryan and Barbara to answer as well.
>> TAYLOR ROBERTS: It's a very difficult question. The one you have been asked, I have been asked a few times before. Who is the best person to be responsible for cyber security; person, organization, entity, what have you? Point the one out to me and that's who we'll go with. And that's not really possible because you're not able to take in the real complexity of the political environment and economic environment of every country. Even intra‑regionally, which I imagine is the case in Latin America and other regions, there is such a distinct political dynamic where a mandate might lie. Now particularly when it comes to Human Rights and things like this, the ability and capacity to have that debate and discussion is an indication of maturity. There are some places that aren't even able to host this debate about who is responsible for oversight or who is responsible for which implementation. So it is really important that you have that debate, because obviously there are some countries that may have a different perspective about privacy than another. We want to make that your debate alive in the country. And that is one way of looking at maturity.
Ryan, did you want to comment?
>> RYAN JOHNSON: I would add, fundamentally touching on transparency and accountability of government, which is parallel and oftentimes complementary to the concept of overall strategy and it shows the need for a strategy as opposed to simply an element of government that decides to implement some tactic. A strategic overview, and one that has multistakeholder participation, should help, in theory, provide the mechanisms by which we would avoid potential abuses.
>> BARBARA MARCHIORI de ASSIS: Adding to what Taylor said, in my experience in Latin America and the Caribbean, there is a difference. Some countries have a coordinator or focus more on a specific criteria. Some countries we have a National Cyber Security Commission; but at the end, it still is a shared responsibility. And that is something when you're discussing on a national strategy, it has to be quite clear; because everyone has to be somehow involved in this. Like, you're talking about government employees. They have to understand they have certain procedures they must adapt to ensure everything is safe. Citizens, they have to know how to be protected online too. Awareness. So at the end, everyone plays an important role in this. So, it may have some structure of governance, but everyone is somehow involved in this process. It is definitely a shared responsibility at the end.
>> LAURA PACE: Thank you for your comments. On that note, that everybody has a role in this, I think obviously your focus is more an emerging‑economy perspective, and there are also more developed and mature states in your membership. However, I think in trying to understand the ‑‑ going back to the concept of this workshop and looking at the effectiveness of Cyber Security Capacity Building and what does it mean to be mature, I definitely think that everybody has a role in building this understanding. And when we first started out and we were going through this pilot season at the beginning of this year, working with OAS and the World Bank, our focus was emerging economies. And now we are starting to develop, or broaden, our focus on looking at mature states.
It is really looking at both of the experiences. Having this mature capacity and having possibly the start‑up level of capacity really has to inform our global thinking on capacity building going forward. And we also need to look at the community as an International community on how we differ that capacity building, and also need to start to think about how we organize donations to enable the International community to do capacity building. So I think in actually moving towards this better understanding of what works and what doesn't, then we can start to peel back the levels of how we get to that delivery of capacity building. I don't know if I made any sense but it has been keeping me up for a while.
Do we have any other questions? Yes, thank you.
>> AUDIENCE MEMBER: Yes, not a question. It's a contribution after the question asked by Kenya and Nigeria also. I would like to thank you, University of Oxford, for inviting us to that meeting. We are United Nations Economic Commission for Africa. The subject of cyber security is very complex in the world, but more so in African country. It's long time to support African country in the cyber security issue.
And because there is three‑dimension of the cyber security of capacity building, the regulatory mechanism is very important. The second is technologic capability, and also the socio‑dimension is the third pillar. We have three pillar. We integrate in capacity building. What has been done in policing and regulatory mechanism? Now a lot of African country has policy in cyber security, not all of them, but there is awareness. And the government now is very keen to put in place the cyber security for several reasons.
You have to say for this ICT and you also have the security issue. I think everybody knows now Africa and you have too many terrorist in the Africa. They use ICT too. Boko Haram, they all use these. And now the government is very involved in all cyber security issue. It's not the hacker from the bunk, but more important thing is that the national security of citizen. And cyber security has an important element to do because they use this to communicate before they going to kill people or to do other things.
For this we developed some policy at a national level but it's not enough. Cyber Security is not a national issue. It is also regional and Continental issue. All regional economy communities, we harmonize as policy at these level. And if you look at now in Africa, East African community, they are harmonize the policy in Cyber Security. But it's not enough. We need to also work at the regional level. All the African Commission to develop this Continental framework guideline for cybercrime and data protection, and now states start to transpose their national legacy to this inter‑continental level.
What we do is not enough. But we need to also to give feedback to the policymaker, to know the several issues on Cyber Security, and we develop the concept called policy brief. It's a 4 or 3 pages to know quickly what are the several issues and challenges on cyber security, what kind of recommendation they put in place.
We organize for the technical capability, we develop what we call ‑‑ academia. We develop some learnings online and African country can have access to this learning tool, on network and information and security.
Also, for the issue of character online. We organize several workshops across the Continent as a national level and also across the Continent to use as African IGF Secretary. We use also this forum to organize several events on cyber security.
And now we, for this year, we don't organize meeting. But we use the review for Africa to put the issue of cyber security, to emphasize cyber security issue. And we develop the review for Africa for the 10 years and now there is important issue of cyber security. I think we need to look at cooperation of everybody for cyber security. It's not an issue of government or private sector or civil society or academia. It's an issue for all. We talk about all cyber security if you want to use as a tool to advise this Information Society.
We appreciate this kind of initiative and thank you. I think in Africa we can, if there is indication about the policies and capacity building in Africa, we can answer. Thank you.
>> LAURA PACE: Thank you for your comments. Do we have any other questions from the floor?
>> AUDIENCE MEMBER: You told education is important for good security. The population across the world is increasing so fast. We see serious refugees and immigration, the problem for security. I think it is important investing in education. How is that education to the security?
>> LAURA PACE: Could you introduce yourself, please, sir? Could you say who you're representing and your name?
>> AUDIENCE MEMBER: My name is Robertson. I'm from Brazil. I work in school.
>> LAURA PACE: Thank you.
>> TAYLOR ROBERTS: So thank you very much. And I'm glad you have emphasized the point of education. I think what you're getting at is, what sort of education are we talking about here in cyber security? And I think what is really, really important is that cyber security, what we have seen in some countries it is viewed just as you got cyber security, information security and you have got ‑‑ which is a pretty established field particularly in the universities. But we start to see, as you get before a University level, the primary level, some countries are actually starting to develop your very fundamental awareness of cyber security in the classroom. Even if it is just at the level of, don't post your password on Facebook online. It's very fundamental steps. But if you can engrain that into children at an early age and start building a mind‑set of cyber security where it is habitation. You don't even think about it anymore. Of course I wouldn't do that. That would put me at risk. So if you start to develop in the primary level and invest in simple cyber security steps, that not only not a better mind‑set but also getting people interested in cyber security at an early age, then you can say at the University level we can work with the Ministry of Education to get a curriculum developed around cyber security. Once we start seeing that in some countries it is starting to develop a cadre of professionals, and that is one way of going about developing education around cyber security.
>> BARBARA MARCHIORI de ASSIS: Based on my experience in the region and when you tried to develop National Cyber Security strategies, education, as Taylor mentioned, is all levels. And we have tried to encourage young children because it is happening. Child pornography for instance and also sorts of online behaviors that have damage, negative effect in children, is a trend. So it is important to educate them, and not only them, but also consider the parents and the teachers because all of them are immigrants. So I have seen a huge trend of ICT policies. One laptop per child. How to integrate ICT to the school. That includes a security component to that. Okay, you're going to work online? How to make sure that you are doing this but in a safe way.
And then as also we have to move to the high level of education. How to ensure you have some security in the some sort of course or program or some sort of master. So try to work with all the dimensions and all levels. Young child, until you have people trained in the country to deal with cyber security and of course help improve the situation in the country too. All levels.
>> TAYLOR ROBERTS: I'd like to add a last point on the upper end. So, for an example from the U.K. where we are based, the U.K. has 13, I believe 13 at this point, Centers of Excellence in Cyber Security. They have been designated by the government to be key Cyber Security institutions. Additionally, they also have Centre for Doctoral Training in Cyber Security at Oxford and Royal Holloway University. So this sort of real attitude towards making sure that at the University level post‑graduate you really started to get this professionalization, is an example of what that would look like at that level.
>> RYAN JOHNSON: I can only add from regional experience, as we tried to modernize our cyber security perspective and capabilities of our countries. Involving formal long‑term training is probably the ideal thing, but in the interim, we have to do a backwards patch. So you see a lot of the certificates in the region, or universities, offering post‑graduate courses for a six‑month night school, two or three nights a week sort of basis to cover a lot of the fundamentals. The Chileans offer that and it's the primary source of training of the National Cyber Defense Forces. So as opposed to having people who have a Master's degree in Cyber Security, something that doesn't exist in Chile, you have the option to sort of backwards patch in the temporary period.
>> LAURA PACE: Do we have any other questions? Do we have any questions from people online? No? We are good. Okay. The gentleman in the back.
>> AUDIENCE MEMBER: First, I'm from Brazilian Army. I am the risk provider of the entire Brazilian Army. And I'd like to make a question of all of you. We see the newspapers, sometimes governments, they fund the attackers to exploit some vulnerabilities and attack, for example, Sony and Microsoft and some companies. And there is a line between one side we have user‑digital security and the other side national security. Where is this line?
>> LAURA PACE: Thank you. So, panelists? Do you want to start? You need to think about that? Taylor?
>> TAYLOR ROBERTS: I'll give it a go. Probably the easiest answer is, there is no definitive line because that line may differ depending on where you are. For example, one government may take a very unique policy stance saying that this is the threshold which considers a national security response. Another government say that threshold is way too high. We need to bring it back down. For example, being able to respond kinetically to a cyber attack is the approach that some governments take. Other governments would not allow that at all. And so this sort of threshold as to what would be the national level, what would be the sort of more domestic or user response as the way you put it, is not necessarily uniform. It depends on the policy approach.
>> LAURA PACE: Do you want to add something?
>> RYAN JOHNSON: No, I wanted to echo what Taylor said. For example, the Sony hack, obviously motion pictures aren't national security data, but the economic impact of that may cross some line. It's up to states to define for themselves what that threshold is. And maybe eventually we will reach an International consensus, but I think at present it's a blurry, blurry line.
>> TAYLOR ROBERTS: And you're seeing this exact issue being debated on the international scale. For example, whether that be through U.S.‑China dialogue on whether or not critical infrastructure should be considered to be off limits when it comes to offensive action. And there are ongoing debates on what that line is. But I really think that your question points at a core issue and hopefully, we start seeing some International coalescence on what that might be so that there is no misconception about intent. And that is something that is really difficult to consider.
>> AUDIENCE MEMBER: Thank you.
>> BARBARA MARCHIORI de ASSIS: It is interesting when you're thinking, as they mentioned perfectly, it's not clear. And one of the first things you try to do when you have a national coordination on cyber security is consolidated definitions. Even what is cyber security? Some countries define it differently. It's not clear sometimes. When you have roundtables, what is cyber security or information security? It's ideally to find a common ground. It's fortunate to have a national discussion and consolidate what is the limit? What is the starting definition? None are clear. And also, as Taylor mentioned, at International level there is a lot of discussions about this. And there is importance of keeping those International cooperation, trust, confidence and building logics, and how to better understand; because still it is a blur. No one is clear about the definitions yet.
>> LAURA PACE: Thank you. Are there any more questions? Taylor has a question.
>> TAYLOR ROBERTS: So obviously coming from an academic institution, I like listening just as much as I like speaking. So I do have a question for anyone in the audience because Cyber Security Capacity transcends whether you're a government or civil society or private sector.
This could be posed to anyone. What is the biggest gap that you witnessed in Cyber Security Capacity or what is it? Are you starting to see measures that aren't necessarily achieving their end when it comes to Cyber Security Capacity?
In other words, since this is looking at effectiveness of Cyber Security Capacity Building, have you seen ineffective measures, or measures that could be improved in your own domestic circumstance? Anyone can feel free to answer that question. Thank you.
>> LAURA PACE: Do we have any takers? Panelists? Any takers? Please introduce yourself.
>> AUDIENCE MEMBER: My name is (Indiscernible) from Colombia. I am a member of the organization called Coronado. And I think ‑‑ I'm trying to get an answer to your question. I offer ‑‑ in my organization we offer different trainings about the digital security, especially for societal organizations, even young people or kids. I think the main problem is this question of nothing to hide. Why do I have to be trying to get in a private position? Because most of the people think that Internet is safe by default.
So, I think it is really maybe the worst thing to do is to educate or train the people about how Internet works. How it works but not for the technical point of view, but more from a, what is the business model of those companies? I think it is more important maybe to explain this kind of basic things, and then some people realize how it works or how important it is to get some kind of privacy. Because by default everyone thinks that Internet is safe. Just comments about that.
>> LAURA PACE: Thank you. Do I have anybody going to try and respond to Taylor's questions? No? Okay. So I think we'll just close the floor. And I want to ask Taylor to talk about another piece of work that you're starting to think about, and hopefully just three minutes on this model that you're developing to try and understand cyber harm and the ambition at the Centre, together with the global network of experts that we have and the International community that feeds into our work.
We are hoping with the model to measure the maturity of Cyber Security Capacity, or understand what that capacity is, together with a model to understand cyber harm, we will have this very comprehensive framework for informing strategic investments in that capacity. So hopefully Taylor will be able to explain that a little bit.
>> TAYLOR ROBERTS: You have done a lot of my job for me. That's fine. So, basically, this arose out of the initiative that, everyone that talks about cyber harm looks at it primarily with a dollar sign attached to it. The harm to my organization was, I lost this amount of money. Or, having to implement this security cost me this. And we started thinking like, these measurements, depending on who is conducting the measuring, could be a bit biased. For example, you might see that a vendor might inflate the cost and a government may deflate the cost based on their own priorities.
So we say what does harm mean then? It's not just a dollar sign. Our colleague was talking about terrorism and is there a physical harm associated with that. But also there is a psychological harm that cyber security implicates as well. What does the penetration of a network do to a worker losing their job because they clicked on a phishing link they shouldn't have?
There is a comprehensive understanding of what cyber harm could be that hasn't been conducted yet. And that is what we are really hoping to do so when we go to a nation, we can say let's try to identify what your chief harms may be. And so that if we do that in conjunction with the reviewing maturity, you could say, here are my harms, on the one hand, that we have gone through this model to identify, and then here is my existing capacity. So if we are able to connect these harms with these capacities, be strategic about saying, all right, I have a case of minimal maturity in this area and a high harm in this area and we need to make sure we invest in this particular area; because this is going to have impact for us. This is something that is still quite in the early stages, but I think it really could be a benefit to the community. And I think we do have one comment in the back.
>> LAURA PACE: Taylor, thank you for that. Shall we take the comment? I wanted to add to what you were saying. I'm really looking forward to this model of cyber harm because I think together with the maturity model, it really does sync up. And we do see this new approach and how to invest where, how, why, and based on a better understanding, I think. Hopefully we will be able to bring it to the IGF next year.
So, can we take the comment from the remote participant? And ask them if the participant could introduce themselves before they start.
>> REMOTE PARTICIPANT: Thank you for the opportunity. This is Oscar Padilla from Mexico and he asks, could you share with us the government resource of good practices to investigate cybercrime, like a process? Thank you very much.
>> LAURA PACE: I don't think we will point directly to like specific tools and resources. What Taylor mentioned earlier is we have a capacity portal that kind of collects all, or a number of good practices in this area. Obviously there is the intervention on cybercrime that is the global, the big one, of the global instruments that are available. But you can see a number of resources, also many International organizations that work this field. So I think if you just hit the portal and search for cybercrime, you will be able to come up with a number of resources there. Thank you.
>> TAYLOR ROBERTS: If you Google Cyber Security Capacity Centre, you should be able to ‑‑ one of the first results. I don't think there are many other Cyber Security Capacity portals out there.
>> LAURA PACE: Did you just say Google? You did.
I think we have got 5 minutes left and unless there are any other comments ‑‑ Microsoft?
>> AUDIENCE MEMBER: Mark from Microsoft. Microsoft is very enthusiastic about this research. I'll tell you why. About a decade ago, we recognized a need for trustworthy computing that is secure, private, reliable, transparent. And we made major investments in this. And we have also used common methodologies, based in maturity models like the one being used here, not just for trustworthy computing but for all forms of IT maturity. And we have been using our investments in trustworthy computing to participate in law enforcement, to collaborate and partner with law enforcement, all around the world to take down botnets, to stop spam rings and to reduce threats to children.
So right now, we have a huge amount of telemetry we collected, quantitative data, regarding different types of breaches or attempted breaches. And we have been working with this research to share this data and to hopefully allow it to be correlated and combined into the research. And we are also really looking forward to this next stage of harm assessment and, again, sharing our data and our learnings in order to move this forward for the world.
>> LAURA PACE: Thank you, Mark, for your comments.
>> AUDIENCE MEMBER: I have one question about the cyber harm model. Are you able to work with others or just you want to do in your organization?
>> TAYLOR ROBERTS: I will say that most everything that we do could not just be my brain alone because trust me that is not the best model.
We definitely need to have as much input from the experts and people that engage with harm on a daily basis so that this model can be applied. That's one of the beauties of this Centre is that yes, we can collect research. Yes, we can conduct research, but it has to be applicable to the environment. It has to be able to be used. Otherwise we haven't been achieving our goal. So, one of the major ways of achieving that is by collaborating with others, and I would love to engage with you on that in the future. Thank you.
>> LAURA PACE: Thank you. This will be the last one.
>> AUDIENCE MEMBER: Can you hear me? So excited to see Microsoft is here. My name is Magda Johnson and I work with Spider, Swedish program for ICTs and developing regions. And what we do is fund projects and health democracy ‑‑ and actually it's called Transparency and Accountability now, and Education. And the problem we are seeing is that the CSOs we are working with are doing really good work, extremely good work. And Spider is not ‑‑ we don't really have megafunds. We have limited funds. Our partners have a really hard time negotiating with the private sector. So when they receive funds from us, it goes to project activities. But they don't really have the mandate to negotiate with the private sector. So, Mark, from Microsoft, I want to know is it possible to perhaps tap into the corporate Social Responsibility Program to work with organizations on cyber security and can Microsoft do that? Sorry to put you on the spot, but thank you.
>> MARK: I don't have that information. So as much as I'd like to say yes, I can't say yes or no. However, if you talk to me after the session, we can discuss who we might talk to at Microsoft to get you a better answer. Sorry.
>> LAURA PACE: Well done. Thank you. With that, I think we have just got four minutes left and I want to ask my panel if they have any closing comments ‑‑ panelists if they have any closing comments? And then we will close the session. Ryan?
>> RYAN JOHNSON: Mostly I'd just like to thank everybody here for their interest in the topic and I think it's a very important topic, as we look towards harmonization. It's interesting to hear some of the things being done in Africa, in particular, which I think is an area investing heavily in cyber policy and has very good support going on from the U.N. from the cyber ‑‑ Commonwealth Cybercrime Initiative, CCI, and some other entities. So it is very interesting to hear what is going on in a neighbor region. Thank you.
>> TAYLOR ROBERTS: Just to echo Ryan in thanking you all for attending. I think that Cyber Security Capacity Building is thrown around. The term is thrown around in so many different forums that getting to what it means about effective Cyber Security Capacity Building is one of the things we need to do, and without your interest and input, we wouldn't be able to come to that conclusion. So please do feel free to engage with us. We are very open and, again, thank you.
>> BARBARA MARCHIORI de ASSIS: So I'd like to thank the Capacity Centre for working together; it's been great work. And OAS is really open to sectors and our members are here to help our countries in the region. And we are open to discuss private sector and provide trainings for the countries. Civil society can engage. So everyone here, if you're interested and want to learn more about Cyber Security in Latin America or Caribbean, go on our website, OAS Cyber Security program. We are open to discuss with everyone and together to help the region. Thank you.
>> LAURA PACE: Thank you. I understand we don't have Natalija online anymore, but I wanted to double check with our Remote Moderator. No? Okay.
So, my closing comments. I want to thank you all for being here and it's really good for us to be able to discuss this research with you. For any of you that are interested in understanding more detail about the work, myself, Carolin and Taylor will be here until the end of the week. Please do catch us, and we are happy to have a conversation and see how you can participate in this discussion on the development of the work. So I look forward to meeting many of you over the next two days. Thank you very much for your attention and I wish you a very good remainder of the conference. Thank you.