Cybersecurity: throwing out preconceptions

23 October 2013 - A Workshop on Security in Bali, Indonesia

Internet Governance Forum 2013

Workshop # 106 Report

Cybersecurity: throwing out preconceptions

Organizer Name 

Runnegar Christine

Organizer Entity 

Internet Society

Workshop Theme 

Legal Frameworks and Cyber-crime (Spam, Cyber-security, etc.)

Concise description 

Introduction

The Internet security risk landscape is complex:

  • The challenge of trade-offs: the good and bad are intertwined:
      • Open platform <=> also open for attack and intrusion
      • Permission-free innovation <=> also allows development and deployment of malware
      • Global reach <=> attacks and cyber-crime can be transborder
      • Voluntary coordination <=> can be hard to assign responsibility and prescribe solutions.
  • The security space on the Internet is vast and risks are multi-dimensional, involving different actors - all collectively responsible for the system’s robustness.

Objective

This workshop is intended to build on a session at the WSIS+10 Review meeting in February 2013 entitled "Cybersecurity: Searching for a common understanding" [1]. 

The objective is to deepen the discussion on these key questions:

What are the building blocks to manage security risks in the Internet economy in a way that enables innovation, economic and social prosperity, and preserves the fundamental principles of the open Internet? 

What elements need to be put in place to ensure all Internet users (including citizens, companies, government, etc) continue to have confidence in the Internet?

How could we strike a reasonable balance between a nation’s interest in protecting the security of its citizens in “cyberspace” and its citizens’ rights to privacy, freedom of expression, access to information, freedom of association, etc?

Where does the responsibility for addressing cybersecurity lie? How can we most effectively combine efforts from different sectors?

As the title suggests, we are looking for new thinking that will revolutionize work in this area.

[1] Report: http://www.internetsociety.org/sites/default/files/Cybersecurity-%20searching%20for%20a%20common%20understanding_1.pdf

 

Agenda 

I: Scene setting (moderator) (3 mins)
II: Micro introduction of panellists (3 mins)
III: Interactive Q&A among panellists led by the moderator (40 mins)
IV: Questions and statements with in-person and remote participants (40 mins)
V: Conclusions and take-aways (4 mins)

Moderator 

Nicolas Seidler, Internet Society

Remote Moderator 

Cintra Sooknanan

Have you organized workshops at previous IGFs?

No

Workshop format 

Panel

Workshop Transcript 

Transcript

Brief substantive summary of the workshop and presentation of the main issues that were raised during the discussions 

Session organized by the Internet Society (Christine Runnegar) and the OECD (Laurent Bernat)

Regarding the usefulness of the term "cybersecurity": It was noted that cyber security is in fact a very broad term and that there are different understandings of what cybersecurity describes. Different agendas and stakeholder groups' perspectives shape conceptions of this landscape. Some of the views expressed: 
-Security is a useful term as it is generally recognised and covers a broad brush of issues
-The term cybersecurity is not a useful description of what should be the key focus, which is to manage security risks to ensure network resilience and socio-economic development (security not as an end in itself)
-Cybersecurity involves risk management and there cannot be 100% absolute security. A suggestion was made to use “security risk” rather than “security” as the terminology.
-The term "cyber" reflects the young history of this issue. "Cyber" might disappear as online security becomes mainstream
Main preconceptions: One of the main preconceptions concerns the identification of the stakeholders mainly responsible for providing security solutions. Some of the preconceptions identified: 
-Policymakers think there are silver bullet solutions to address security issues
-Belief that a security issue has either a technical or a policy solution
-Policymakers think issues need a technical fix. Technical people think that issues need a policy fix; everyone thinks it is someone else's job rather than a shared responsibility
-Belief by CEOs that they have no role to play over security issues (e.g. only a few present at IGF)
-Belief that security is an end in itself, and not one part of the socio-economic puzzle
-Belief that security is "always good"; actually too much security could possibly lead to less privacy, trust and innovation.
On how to restore confidence in the use of the Internet:
-Need more information and transparency
-Need more stakeholders' awareness and democratic oversight
-Need best practices and social norms
-Cooperation is not only public-private partnerships: need to break down silos within governments
-Good cooperation requires a common understanding of the issues
On the responsibility to address Internet security issues and collaboration: Security is often perceived as a technical problem; however, there seemed to be a general agreement that there is not one single solution and there is shared responsibility by all stakeholders, including high level leadership, technical and business communities, policy makers and users themselves. 
-Strong emphasis on the notion of shared responsibility
-Security concerns everybody: from a grandmother to a CEO
-Need to create a sense of community to address security (analogy with neighbourhood spirit of mutual assistance)
On the balance between a nation’s interest in protecting the security of its citizens and its citizens’ rights to privacy and freedom of expression: views were quite divided on this issue: 
-No balance is needed: both security and privacy can be maximized
-There is always a trade-off: adding a fence will generate fewer flows
-Technology generates power: any balance should not lock-in power on one side or the other
On drawing analogies and differences between online and offline security:
-People assume that security in the offline world is easier, when it is not.
-Offline and online security are not that different: one exception is attribution
-Criminals are very good at data-sharing; we should learn from them 
-In the online space, the burden of security is on the consumer
-Centralised security solutions/units were generally not seen as effective approaches given the decentralised nature of the Internet, and such an approach could potentially undermine innovation and social development. 

 

Conclusions drawn from the workshop and further comments 

 

The session provided a contribution to a better understanding of cybersecurity and of key preconceptions from different stakeholder groups in this area.
Cooperation and shared responsibility among different stakeholder groups were highlighted as key priorities to go forward on this issue. 
Achieving security goals should not be done in a way that undermines socio-economic development. A risk based approach, rather than security as an end-goal, was perceived as a good strategy.
It was also stressed that there is a need for more transparency and users' awareness around security. 

 

Reported by 

Nicolas Seidler & Filiz Yilmaz

Estimate the overall number of women participants present at the session 

About half of the participants were women

To what extent did the session discuss gender equality and/or women's empowerment? 


It was not seen as related to the session theme and was not raised

Discussion affecting gender equality and women's empowerment 

 

Workshop Statistics 

Number of FEMALE participants: 0
Number of MALE participants: 0
Number of Young participants: 0
Number of Developing Countries Participants: 0
Number of Developed Countries Participants: 0
Number of LDCs participants: 0
Number of TOTAL Participants: 0