Security Session

31 October 2006 - A Main Session on Security in Athens, Greece


 Internet Governance Forum 31 October 2006 "Security" Panel

Note: The following is the output of the real-time captioning taken during the
 Inaugural Meeting of the IGF, in Athens. Although it is
 largely accurate, in some cases it may be incomplete or inaccurate due to
 inaudible passages or transcription errors. It is posted as an aid to
 understanding the proceedings at the session, but should not be treated as an
 authoritative record.

 >>CHAIRMAN TSOUKALAS:  Ladies and gentlemen, the Secretary-General of research
 and technology from the Hellenic Ministry of Development. And as chairman of
 this afternoon's session, I would like to welcome you to the second day of the
 inaugural meeting of the Internet Governance Forum. Allow me to express my
 thanks to the U.N. Secretary-General, who convened this first forum on Internet
 governance following Tunis. And we're very happy that our country has hosted
 this meeting. For the first time, it's allowed the possibility for all of the
 partners involved to express their views on this issue of Internet governance.
 We've seen huge interest from the participants. And that shows that, really,
 this is going to be an exemplary forum for the expression -- or exchange of
 views and constructive ideas. Today, we will be concentrating in this
 afternoon's session on the question of security. And within that framework,
 we're going to look at questions relating to users, messages, the question of
 access, and we will bear in mind more general issues of Internet security. This
 is one of the more fundamental issues related to use of the Internet. And it's
 an essential cornerstone of its functioning. And the -- drawing on the full
 potential of the possibilities it provides for use. At this stage, then, I
 would like to invite the moderator, Mr. Kenneth Cukier from "The Economist" to
 please take over in that role as moderator. Go ahead, please.

 >>KEN CUKIER:  Thank you very much. Thank you very much, Mr. Chairman.
 Information security is something that we all rely on. It's probably something
 we all take for granted. But it's probably the most important aspect of the
 information society. Because unless the networks are secure, unless we have
 confidence in it, we don't have an information society. It might be important
 for you all to know that right now you're using a public Wi-Fi access node.
 Probably all of your data is unencrypted. So if anyone had a packet sniffer,
 they could identify what the traffic is, certainly what your password is, if
 you did electronic commerce, some of your personal information, maybe your
 credit card details would potentially be exposed. Of course, if the security of
 the infrastructure is strong, if you're using encryption, and 99% of all Web
 sites that do take your credit cards would be using that encryption, you'd be
 safe. But that 1% probably is intolerable, if you think about crime online, we
 wouldn't expect that -- sorry, offline why would we expect the same sort of
 thing online? If you're connecting to Appollon, then you are probably using the
 hotel's Wi-Fi. But if you're using the free public Wi-Fi or free Internet
 access, this is important, right now in this room, there are two seemingly
 Wi-Fi nodes that aren't really a Wi-Fi node. You have a system on your
 computer, if it's open, that you would see whether it says the name of the
 hotel or if it says "free Internet access" or "free public Wi-Fi." Those two
 terms are actually computer-to-computer nodes. Someone has malicious code on
 their computer, two people do, presumably, and are broadcasting this. And for
 the unsuspecting user, they could be transmitting data to someone who is then
 passing it on to someone else. This is a good example of the fact that security
 is a big issue and that the security and the hardness of our infrastructure
 needs constant improvement. Luckily, on our panel today, we've got experts who
 are well suited to address this issue. What I'm going to do now is very similar
 to the last two sessions that we've had. The first thing I'm going to do is
 have them introduce themselves, their affiliation, but then also ask them one
 question concerning what is the most important issue facing security in your
 view. They'll all get a chance to say that. I'm then going to turn the mikes on
 to the audience. You can give us feedback. If you think that we're missing
 something, that's great. If you think we just need to amplify something else,
 don't say it.  We probably know it. We want to get a survey in terms of what
 are the key issues to address if we don't mention them here. Then we're going
 to launch into the discussion. However, before I ask them the questions, let me
 just talk about a piece of housekeeping. To make your interest known to the
 people who are the assistants of the hotel that you would like to get the mike
 and to say something, just raise your hand and let your presence be known to
 the ladies in the back, and they will be the ones who can have you give either
 your name or your business card, if that's easy, bring it back up here, and
 then we will call on you. Okay. Is there anything else in terms of housekeeping
 that I may have forgotten before we start? No? Good. Remember that, of course,
 this is being blogged and I will -- and also being transmitted over the
 Internet. And I will be asking for comments from the cyberspace about what
 their reaction is to all of what we're doing here. Why don't we please start.

 >>DAVID BELANGER:  I'm David Belanger, chief scientist of AT&T labs and head of
 information and software research. I'd like to take my kind of first place in
 line here to say what the issues are that we think we are trying to accomplish
 when we think of security. They're basically availability of the network, very
 basic. Integrity of the transmissions that are going over the network, so that
 middlemen can't add to it, detract from it. And, finally, confidentiality in
 the face of an intelligent adversary. And that brings up probably the most
 important issue, that the adversary will change what they do in reaction to
 what we do. It's an ongoing game.

 >>KEN CUKIER:  Thank you.

 >>LAMIA CHAFFAI:  Lamia Chaffai is my name. And I'm director general of the
 Tunisia electronic certification agency. A resolution came out of the Tunis
 summit to create an environment of confidence for electronic exchange. The
 development of services is something on which the development of a country
 depends. And to develop eGovernment, eCommerce services, et cetera, we need to
 foster this confidence, this environment of confidence also linked to the
 electronic signatures. So I feel that this is a very important aspect in the
 development of countries' economies for the future.

 >>ILIAS CHANTZOS:  Good afternoon, everybody. My name is Ilias Chantzos. I am the head of government
 relations for Europe, Middle East, and Africa for Symantec corporation. What we
 try to do in Symantec is try to empower people so they can safely work and play
 in the connected world. So what I would perhaps try to discuss a bit with you
 today would be the way we see the evolution, the changes, in the information
 security, the threats and trends of the evolving threat landscape. Perhaps one
 of the key issues from our end would be to point out the fact that hacking is
 no longer for fame, but for fortune, that there's a financial motivation behind
 cybercrime, and that all stakeholders, both private sector, government, and
 civil society, have a role to play in addressing that.

 >>CHENGQING HUANG:  Good afternoon, everybody. My name is Chengqing Huang. I'm
 from China NGO. I'm deputy director of CNCERT/CC. I'm also Secretary-General of
 Internet Society of China. I speak English only a little. Well, I don't speak
 very much English, so I will speak Chinese. And our society is a professional
 one. We have tried to promote the use and development of Internet, so we are
 delighted to have been given this opportunity to exchange views and ideas with
 you. Thank you.

 >>GUS HOSEIN:  My name is Gus Hosein. I'm here today speaking from the London
 School of Economics and political science, from department of information
 systems there. I also speak on behalf of a number of nongovernmental
 organizations, including privacy international and the American Civil Liberties
 Union. I guess my main point is I'm a little perplexed by this emphasis on
 security the way it is defined here. And it's usually at the expense of other
 issues, such as privacy. And so just about two hours ago, we had a workshop on
 the nexus of the two, of privacy and security, being identity and the
 management of that. And when do you actually identify yourself online, how do
 you do that? Does it actually increase the problems of security or decrease
 them? So on and so forth. So I look forward to seeing how the IGF can actually
 take this issue forward into -- for more discussion.

 >>RIKKE FRANK JORGENSEN:  Hello, everyone. My name is Rikke Frank Jorgensen.
 I'm from the Danish human rights institute. And I've been active in the
 business process through the human rights caucus of civil society and also the
 privacy group. In the WSIS process and also more generally, there is often a
 tendency to see privacy and security as two opposing issues. And I think it's
 really crucial that we understand that the protection, the privacy protection
 of the individual, it's a security measure. It's really a security of the
 individual freedom, and it's a very key component in a free and open society.
 So whenever we discuss security measures here, it's very important that we have
 privacy protection up-front in the way we deploy and design these measures.

 >>HENRIK KASPERSEN:  My name is Henrik Kaspersen. I am here as a representative
 of the Council of Europe. There is a microphone here, yes.

 >>KEN CUKIER:  A little closer.

 >>HENRIK KASPERSEN:  Again, Henrik Kaspersen. I'm here as a representative of
 the Council of Europe. I was -- have co-responsibility for the development of
 the Council of Europe Cybercrime Convention in relation to security, technical
 security. And technical security measures are extremely important. But also
 legal security should be a very important element. And the basic importance of
 the cybercrime convention is that it sets rules for behavior of individuals in
 the Internet and cyber environment.

 >>ARCADY KREMER:  Good morning. My name is Arkady Kremer. I come from Russia. I
 am the director of a private and public sector association, the Russian
 association of networks and services. I'm also the vice president from the
 world telecom standardization assembly. I would like to answer the moderator's
 question and explain what I think is the most important factor in guaranteeing
 security. I think that in order to achieve full security, we have to see
 security not just as our own objective, but as the means to defend the Net.
 This will allow us to work in a more precise and stable way. The issue of
 information security is not a service or a good that can be traded. It is a
 system which has to be set up and which is -- it is necessary also to manage.

 >>ANDREW MAURER:  Andrew Maurer from the Australian department of communication
 I.T. and the arts. My area developed the Australian spam legislation as well as
 looking at various other eSecurity matters such as phishing and spyware,
 Botnets most recently. I would like us to have a look at security as a positive
 construct rather than just a reaction to the current crop of eSecurity threats
 that are out there. So in terms of capacity-building, considering more could be
 done in order to ensure that transactions are secure, that personal data is
 kept protected, and that computer resources are used the way that the users and
 owners of those resources want them to be used.

 >>MALCOLM HARBOUR:   I'm Malcolm Harbour. I'm a British member of the European
 Parliament. In case you're wondering why I don't look like Margaret Moran,
 unfortunately, she is detained in England by what is known as a three-line whip,
 which means she has to be there to vote. So she brings you her best wishes. She
 is chairman of a group of which I am also a director, called URAM, which is a
 U.K.-based Parliament-industry group. We submitted a paper to the IGF on the
 security issue. And it's something that we're particularly interested in. And
 you can read our paper there. And I think our views, very strongly, are that
 the issue about raising the confidence of users of the Internet in its security
 and in its integrity, which I think is an important word, is a crucial task for
 all of us, and it's a shared responsibility in every sense. It's a
 responsibility of the users themselves. Industry clearly has a crucial role.
 And, indeed, industry, I would argue, is putting more resources than anybody
 else into this. Governments have a role, but there is a crucial and vital role
 for intergovernmental collaboration. And I hope we can talk about some of those
 issues this afternoon.

 >>TERAYASU MURAKAMI:  My name is Terayasu Murakami, from Nomura Research
 Institute. While usually I -- in this kind of international conference, talk
 about the ubiquitous network. But today, I am representing Keidanren, Japan
 Economic Federation, which is representing more than 1500 major Japanese companies. 
 And Keidanren submitted proposals to the IGF.
 In that, we introduced one best practice and one worst practice. And basic
 message underlying those two cases is, we should pay more attention to the
 victimizer's side rather than victims' side. Most of the security measures
 concentrate how to educate or how to train victims, but we pay more attention
 to the victimizers' side.

 >>FREDERICO NEVES:  My name is Frederico Neves. I am the CTO of the Brazilian
 registry. And because of my background in -- as a service provider on the
 network, I think the principal issue that we should try to address here is the
 network security on the edge of the networks and routing too.

 >>RICHARD SIMPSON:  Good afternoon. My name is Richard Simpson. I'm director
 general, electronic commerce, at industry Canada, which is Canada's federal
 department of industry. Not surprisingly, we look at the subject of security
 from an economic growth and marketplace perspective. I think everyone in this
 audience is aware of the growth potential in the online marketplace
 internationally, which is now trillions of dollars in net worth, and nationally
 in billions of dollars, growing at a very significant rate. So looking at the
 subject of security, rather than focus on one key issue, I'd like to point out
 a key orientation that I think we can discuss this afternoon. And that is to
 look at a more proactive rather than a defensive and reactive posture to the
 subject of net security. In my view, we should be less focused on short-term
 threats and on cops-and-robbers approach to net security and more on
 longer-term, preventative measures which can deal with this issue of the --
 protecting the online marketplace well into the future. And I think there are
 significant roles for government in terms of the legal and policy framework for
 that; and for the private sector in terms of network engineering and other
 aspects of the physical delivery of the Internet.

 >>CHRISTIAAN VAN DER VALK:  Good afternoon. My name is Christiaan van der Valk,
 and I am a cofounder and vice president of a small Swedish security company and
 also co-chair of the International Chamber of Commerce task force on security
 and authentication. I have a long background in dealing both with policy issues
 and, more recently, also the business and technology aspects of security. And
 one of the things that has struck me in the past couple of years is the
 importance of the quality and quantity of legislation and its impact on
 businesses. We've heard already how business has to play a very, very important
 role in development of trust on the Internet. And if you look at this from an
 inside perspective within larger businesses, the amount of legislation that
 affects business security practices and their I.T. systems is growing every
 day. It is national legislation, usually impacting businesses in various areas.
 I can just mention corporate governance rules, privacy, electronic contracting,
 taxation, know your customer rules, and whole bunch of other types of laws that
 affect businesses. The matrix businesses are faced with is just enormous. And I
 actually believe that we're coming to a point where it is becoming
 counterproductive and businesses are asked to take so many sometimes conflicting
 security measures that it is actually impacting security negatively. So I think
 the quantity and quality of legislation is an issue that business and
 government need to collaborate on quite seriously.

 >>KEN CUKIER:  Good. Thank you very much. So we've heard generally, I think,
 big-picture themes on what some of the issues are for security. We've heard
 about privacy. We've heard that our adversary changes, the role of the business
 sector, the importance of the edge and the user in all of this. It seems to me
 that there's probably a lot more issues. If we were to come up with just an
 inventory, we would see issues like spam, phishing, viruses on the individual
 level. From the idea of critical information infrastructure protection, we
 would have big network security issues in terms of undergirding -- the security
 of the domain name system and other things. Let me ask, before I open up the
 panel to more questions, let me turn it to the audience and ask, granted, we
 didn't speak about specifics, but we looked at larger themes. Are there any few
 specific topics that you think in our inventory of identifying the important
 issues that really ought to be raised immediately rather than through the
 discussion? And if you have those questions, let them be known. And I will call
 on you, and then we'll go right directly into the panel. I see one person, the
 gentleman back there. I see a second person there. Okay.  And two more.

 >> (inaudible) I would like to add to the agenda, if I may, a coordination
 between the certs around the world within the Internet. This was not mentioned
 in the panel. And I think this is important in the governance of the Internet.

 >>KEN CUKIER:  Thank you.

 >> This is (saying name) from Swiss Internet user group. And I would like to
 add to the agenda the issue of how do we deal with complexity, how can we
 separate this vast amount of things that should be taken into consideration
 into manageable chunks of concerns so that we can actually, at least in small
 parts, understand what is really going on, and not just take measures that
 increase the complexity of the whole situation and thereby decrease the overall

 >>KEN CUKIER:  Okay. Thank you. I see a gentleman there. Yeah, thank you. Yes.

 >> (saying name) from the government of Quebec. I think it's very important to
 put in place tools to make more aware and to educate rather than adopting

 >>KEN CUKIER:  I see a gentleman here in the third row.

 >> I am from Moscow University. I would like to ask or even request if we can
 look into the issue of whether it is correct not only to think about threats
 coming from criminals, but also threats from the state, from states which use
 information technology in order to settle accounts. So let's not just look into
 criminals, but also criminal action by governments.

 >>KEN CUKIER:  Do I see anyone else? It looks like we have a good new
 inventory. There's --   Please. Stand up. And introduce yourself.

 >> I have a question. I have a question for at least some of the panelists
 here. Yes, I agree privacy is valuable. But a lot of the people who are
 actually working in the security field are also working with the aim of
 protecting the privacy of the users on whatever network they are responsible

 >>KEN CUKIER:  Excuse me, let me interrupt you for a second.  Is this a new
 issue we are identifying or is this a comment about an issue that has already
 been raised?

 >> No.  How do you reconcile the two so you have privacy and security
 co-existing without any conflicts?

 >>KEN CUKIER:  Thank you. I see a gentleman there and two more there.  So why
 don't we turn to this gentleman first, and then those two.

 >> My name is Radin from Sudan. I will talk in Arabic, excuse me. There's a
 question of security on the Internet that can only be decided through
 international cooperation.  So what we need to find is an international
 framework where we could cooperate.

 >>KEN CUKIER:  Please.

 >> Hello.  My name is Tarek, I am with the Ministry of I.T., government of
 Pakistan.  The issue I would like to add to the agenda is that of continuity of
 operations.  It was embedded or sort of implied by the availability of networks
 which was the very first panelist had identified. But in terms of continuity,
 what I would like to specifically add to the agenda is the physical security of
 networks.  For instance, we faced a breakage in our only Internet sea cable two
 or three years ago.  Since then we added two or three more cables.  But that
 one breakage by a very innocent fishing trawler or something, caused a blackout
 for two or three days for the entire country. Similarly, there are physical
 threats to the infrastructure, or even electricity blackouts can cause a
 tremendous loss of confidence in the use of I.T.  So I would like that issue to
 be addressed, please.  Thank you.

 >> The issue I would like to add involved authentication.  Both routing
 authentication and address authentication, and then the derivative scaling
 problems of routing and tabling all the additional information.

 >>KEN CUKIER:  Thank you.  Please.

 >> I represent Tunisian civil society.  I would like to first of all thank the
 people who organized the seminar who allowed us to find a path to dialogue. My
 question is to find if we can have universal legislation which will allow us to
 deal with this problem. I think other countries as well have raised these
 questions because sometimes we want to surf to sites which our governments find
 should be prohibited. So I don't know how the people deal with this.

 >>KEN CUKIER:  I see another gentleman there.

 >> Hello, my name is Detrick from the metropolitan police and my question is
 regarding jurisdiction of basically international responses to critical
 instance.  And how the different governments will deal with that.

 >>KEN CUKIER:  In the back please, yes.

 >> Good morning.    I am from the Prime Ministerial service on development of
 the media in France.  There is a point I would also like to raise, is how we
 take into account the particular characteristics of linguistic diversity in the
 security, broader security issue, and also what is the protective technology
 which is used and how can we make it financially accessible to all.

 >>KEN CUKIER:  I see another person here, and then one here, and I think then
 we will go right into the session. Please.

 >> Yes.  I am from the Finnish parliament, from the Committee for the Future,
 and we have a very -- at the present there is a law, proposal for the law for
 the Finnish parliament which is called something, the National Health Data
 Bank. And there is a very international ethical problem.  Who is the governor
 of the National Health Data Bank?  There will be the whole history of all your
 medical treatment, your medicine, everything, the whole history.  Who is the
 governor?  Who gets the right to be the boss?  The patient or professionals,
 doctors?  Who is the main boss, the real governor?  And that's a very ethical
 question, and it's on the table now.

 >>KEN CUKIER:  Thank you.  In fact I would expand it and say who owns personal
 information is a broader issue. Yes, please.

 >> Thank you.  I am (saying name) from the province of Rome.  Dear panelists,
 how is your opinion about the role of local governments?  Do you think that
 local governments may be (inaudible) as a key actor in multistakeholders arena?
  We think so for a constant feedback from (inaudible) and from the civil
 society. And a last question. Is it important to discuss about ICANN and the
 role of ICANN in this delicate theme?

 >>KEN CUKIER:  Okay.  Thank you very much. Let me do this.  I think that let me
 close off the comments right now.  Let us go right into the panelists and hear
 what the reaction is to some of this, and then we're going to open it up again.
 It strikes me that we now -- have a huge inventory of things, probably too long
 that we can possibly ever hope to deal with adequately in the time remaining. 
 So the best we can do is try to think of a framework about how to think about
 this. My first question to the panelists would be we have been talking about
 information security in its myriad of forms, even with new issues that are
 coming up that we didn't expect before, for decades.  Still, the problem is
 considered unsolved.  Still, the problem seems to be that more can always and
 constantly be done.  Are we forever stuck in the situation that we are never
 going to get it done or can we agree more can be done, we can identify what it
 is, and there will be a baseline degree of security that we can be comfortable
 with?  Essentially the question is, why have we not resolved this problem? Who
 would like to take the first stab at that?

 >>TERAYASU MURAKAMI:  Well, can I add a comment on the inventory of the
 security issues.  We did a study in the process of developing the ubiquitous
 network paradigm.  What will be the challenges of the network society now and
 in the future? Well, in that process, we identified ten different category of
 the issues, and ten different challenges in each ten categories.  That makes
 100 challenges we are facing with. Virus, Spam, phishing, and unauthorized
 access is only four of 100. We have another 96 source of headaches. So I think
 the important point of listing out the issues is that issues will change.  The
 security issue will constantly evolve, changing the shape. So it is, perhaps,
 no use to specify the kind of security issues we tackle.

 >>KEN CUKIER:  Malcolm, did you want to --

 >>MALCOLM HARBOUR:  Yes, I think in response to your question, because the
 level of security problems is growing faster than I think that we have the
 systems to cope with them. And that means that we have to talk about ways in
 which we're going to step up international cooperation, because that, I think,
 is at the heart of it. I am very wary, I have to say, one or two questions were
 raised about new international legal frameworks.  I work in a political system
 where we're trying to reconcile 25, shortly to be 27 legal frameworks, and it's
 extremely difficult and takes a long time. But it seems to me that the big
 issue that we need to talk about is how we're going to step up our exchanges of
 information on a timely basis, and to present information to each other in such
 a way that you can actually do something with it quickly and effectively. 
 Because surely the way to actually deal responsibly and quickly with these
 issues is to respond to alerts quickly, but above all actually to get that
 information flowing.  Because so many incidents and problems with citizens I
 think go largely unreported.

 >>KEN CUKIER:  It seems like we have institutions already to do that.  There's
 the European network information here in Crete, I believe.  Or Corfu? Yeah,
 ENISA. We have our CERTs in the U.S. and in China and elsewhere. What is
 inadequate about the institutions that need to be reformed, first question. 
 Second question, is there a role that collaboration among different
 stakeholders can do to play a role in this respect to remedy those
 deficiencies? I impose upon you to respond.

 >>MALCOLM HARBOUR:  Well, I think you're right.  There are good examples
 working within particular geographic regions.  But as we know, the problem is
 not confined to those geographic regions.

 >>KEN CUKIER:  It's not like we even have good network security here in Europe.

 >>MALCOLM HARBOUR:  No, I agree.  I think we still have a lot more to do than
 we are at the moment.  ENISA is certainly intended to be a mechanism of
 exchanging information to be able to do that, but member governments still are
 doing a lot of collaboration among themselves.  And from country to country we
 see things like the Internet Watch Foundation which show what could be done in
 specific areas.  In the area of child pornography, for example. But it seems to
 me we ought to have a broader look at what is best practice and to use the
 power of this gathering for example to step up the work, and that can be the
 work of future summits of the IGF.

 >>KEN CUKIER:  Let me first ask -- Ilias, please.

 >>ILIAS CHANTZOS:  I'd like to -- I think we're getting a bit heavy on the
 fact that, well, maybe we're not doing that well.  Maybe we should be doing
 more.  So before we go there, I would like also to look a bit at the positive
 side. So let me begin by saying that the growth that we have experienced in the
 Information Society is there because we're actually doing quite well.  On the
 other hand, we need to face a fact that the success of the Information Society
 means that there is money there, and the criminals will follow the money trail.
  That's how it works.  People rob banks because that's where you put the money.
 So on that understanding, we need also to take into account that information
 security is not just a product.  It's not about just the technology.
 Information security is a circle.  It's a holistic approach around technology,
 obviously, people, and processes.  And often the people are the weakest links.
 Moreover, we need to take into account that whilst we cannot have 100 percent
 security, security is an evolving target.  Internet Society is involved,
 technology is involved, people get new technologies and so does the threatened
 landscape changes. The bad guys see the technology and see an opportunity. 
 We're there.  We're doing quite okay.  We are covering up, we are protecting
 our technology.  But since there is going to be another switch, there will be
 vulnerabilities found and they will move there. So it's an evolving target. 
 It's a moving target. So that's why, perhaps, we need to see also, if you like,
 a more positive side it have. Obviously collaboration is key, coordination,
 international approach.

 >>KEN CUKIER:  Yes, please.

 >>GUS HOSEIN:  I'm amazed that everything everybody is saying so far makes so
 much sense, and there is a reason why.  It's because we are speaking at an
 overly generalistic level.  We say international cooperation but what does that
 actually mean?  We say sharing of information.  What kind of information are we
 talking about?  Are we talking about people?  Which people?  Users or people
 working within companies?  We need to get into the specifics to really
 understand how complex this field is. Let's use an example.  We all agree to
 some extent that countries must cooperate to combat crime.  It makes a lot of
 sense.  But then let's say the U.S. puts in a request to a French ISP for
 information on a suspected criminal.  You would expect the French to say
 absolutely because we all agree on combating crime, increasing security.  But
 what if months later you find out that the U.S. was not investigating child
 pornography or terrorism.  They were investigating gambling, which is illegal
 in the U.S. but not illegal in other countries around the world. When we get to
 the specifics that's where you see the richness of the problem and how
 complicated it is.

 >>KEN CUKIER:  Thus, do you think because there is this conflict of law, that
 not every culture deems the same thing legal and illegal, that network security
 in this respect, the case of information sharing, is just impossible?

 >>GUS HOSEIN:  I think it has to be done with great care.  I think we can make
 a problem worse before we make it better.  I think we are going to decrease
 confidence.  When people heard during the European Union debates about data
 retention, that the data from ISPs across Europe could be sent to the U.S.,
 people were concerned.  That actually created a lack of confidence in European
 Internet policy, and that's a problem.

 >>KEN CUKIER:  Mr. Huang.

 >>CHENGQING HUANG:  Thank you.  I support the views expressed by the experts
 just now. We must increase international cooperation for network security. We
 have experience in this area, especially when dealing with network emergency
 incidents, quick response through international cooperation is very effective.
 For instance, our organization, CNCERT/CC, we cooperated with the U.S.,
 Australia, Japan, and other countries, and when dealing with network incidents,
 we have effective mechanisms. This July the 12th we received a report from
 Korea that an IP address falsified domain name and it spread virus.  We found
 out this address and closed it. The 29th of August, the Australian authorities
 reported to us that we have IP address which is sending spam.  We found it and
 closed it. In early September, we cooperated with Internet law group, and we
 traced some spam addresses. We think through such ways we can combat cyber
 crimes and spam and other things.  How to establish effective cooperative
 systems globe-wise, that's very important, I think.  International cooperation
 is very important in this regard.  Thank you.

 >>KEN CUKIER:  Thank you very much. I see three of our panelists want to make
 remarks.  Mr. Kaspersen.

 >>HENRIK KASPERSEN:  I want to talk about the room.  The wish was we should not
 complicate things more than necessary.  And I have to think, we have different
 things here.  First we are talking about security, what infrastructure
 security, that is a very important issue, how to protect the infrastructure. 
 It's a dispensable tool, the Internet, and it should be protected.  That's one
 thing. The second thing is that we protect users and their systems from misuse
 by other users of the system. And I would like to make a distinction there.
 Protecting the infrastructure is extremely important.  Also in the room it was
 said that we might need to reverse the legislation to deal with it.  I'm not
 sure about it, because when we want to have legislation in this field, we
 should first agree whether, is the Internet and maintaining of the
 infrastructure, is that something we can leave to the private sector, or is
 that something where a government or the government should interfere?  That's
 also a very important debate.  What is the need for such an intervention?  And
 I will say we have so far seen that the Internet is organized by private
 industry, and we should maybe more emphasize, address the responsibilities of
 the actors in that field.  And the actors in the field are providers, software
 industry, and so on.  But also there is a responsibility for the individual
 people. Second point, when we're talking about misuse of the Internet
 facilities, then we might deal with a typical task for governments where they
 would like to criminalize or provide sanctions for that misuse.  And there I
 see an extreme need for international negotiations about what the common
 standards, behavior standards should be.  Otherwise, if we don't do that, any
 system would be without any effect in the end.

 >>KEN CUKIER:  Okay.  Thank you. Please.

 >>FREDERICO NEVES:  We should take into account that the network is quite big
 today, but it's growing at a tremendous rate.  Not in the developed world but
 in the underdeveloped world. And actually what we should take into account is
 that new users should receive basic training about security.  Especially in the
 -- a lot of panelists are talking about vectors and the change of the vectors. 
 But most, most of the threats are imposed to the end user, because like --
 things that you normally face when you receive a telephone call or things that
 you don't normally act the way in the real world, but in the network, a new
 user will take --

 >>KEN CUKIER:  Let me ask you about that, Frederico.  In the Internet world so
 far, in the first billion users we have all been literate, we have all
 understood the ASCII character set so if we were Chinese or we were from
 somewhere else we would have to actually know the Roman alphabet with which to
 interact with information online. But if we're going to actually make the
 Information Society viable for everyone else, people who maybe are illiterate
 or simply don't want to go through the rigamarole of understanding the
 difference between a P and a Q, it seems maybe that we are setting too high an
 expectation about users would be able to take so much responsibility for
 themselves. Now, clearly, there has to be some responsibility, but maybe the
 networks, maybe the equipment providers, the software providers, hardware
 providers, need to take more of that on. In the telephone world, we have a
 degree of certainty about how transactions go on, but of course that's a
 centralized system, and we know that there's benefits to that but there are
 already drawbacks in the case of lack of innovation, et cetera. So, is it
 feasible to simply say that users need to just -- we need to educate the users?
  Or if we need to do more, what more should we do?

 >>FREDERICO NEVES:  One of the key points one of the people in the audience
 pointed out is that we should simplify.  But he talked about complex
 (inaudible) systems, but I will bring this to another level. I think the
 end-user software is too complex for the general user today, and we are failing
 in this area. And I think we should provide interface that are quite simpler to
 the end users. But besides that, basic training on security, basic security --
 I'm not talking about high-level techniques.  I am talking about not providing
 your credit card to the operator, to the marketing operator.  So why you
 provide it in an unsafe way on the Internet? So that's what I am trying to
 point here.

 >>KEN CUKIER:  Okay.  Let me ask first Rikke, then Christiaan, then some other
 panelists, and then we will go to the blog.

 >>RIKKE FRANK JORGENSEN:  Okay.  Just a very short remark to what we just
 discussed now and then the point I originally wanted to make.  I think there is
 a big problem that users are not interested in security, myself included, that
 I just want it to be there.  I don't want to have to think much about it, and I
 think many people feel like that. But another point I wanted to make was to get
 back to the link between privacy and security.  And to give a very concrete
 example on how we have tried to advance that link in Denmark where we have
 actually set up a task force by the Danish industry Association with industry
 people, I.T. company people sitting there together with privacy advocates and
 user groups.  And over the last eight months we have tried to take the point of
 departure in the privacy principles in the OECD guidelines and the data
 protection law at E.U. level and then to transform these principles into
 guidelines and checklists that the I.T. companies can then deploy in their
 daily practices. And this has actually been driven by industry themselves, and
 it has been a very good and very practical initiative that has resulted in
 guidelines that are out there now and that go out to all member organizations.

 >>KEN CUKIER:  Okay.  Thank you.  Christiaan.

 >>CHRISTIAAN VAN DER VALK:  I just want to go back to your first question, Ken,
 and give my perspective of that. We heard international cooperation is a term,
 obviously, that we hear a lot in these kinds of settings.  And one of the
 things I believe we do not stress enough is the fact that, and it's pretty
 obvious from the word complexity that we have heard as well, that security is a
 multi-disciplinary subject.  In order to get to security you need to take into
 account the process, you need to take into account the network, the people, but
 also aspects of law and a number of other things that need to be merged into
 the same approach. And I think one of the things I have seen a lot is the
 different disciplines that are involved in issues around security, talk a lot
 among each other.  There are plenty of groups of lawyers that talk about
 privacy and security, but the different groups don't talk to each other.  And
 there is no common process within the Internet world whereby lawyers,
 technologists and business process people, for instance, get together and
 hammer out what needs to be done in order to actually beef up security.  And I
 think that is one of the big problems we are facing today. We certainly don't
 have a lack, from my perspective, of international cooperation among
 governments.  We certainly don't have a lack anymore, and this is huge progress
 that has been made in the last ten years, in terms of a lack of consultation
 between business and governments either. The problem is more cross-cutting. 
 Technology people, policy people, regulatory experts and others talking to each
 other, sharing knowledge in order to get to a high level of security.

 >>KEN CUKIER:  Well, interestingly, one of the points of this forum, in fact,
 and this session is looking at areas of collaboration.  So let me ask David,
 when you respond, if you could do two things.  Tell me your response firstly
 towards the issue of collaboration among stakeholders.  Secondly, please try to
 tailor your response to the other theme of the Internet Governance Forum which
 is development issues for the developing world. I know I am putting you on the
 spot.  If you would like to yield your time, you may, and think about these

 >>DAVID BELANGER:  I'll try to do something, but first make the point I was
 going to make when I raised my hand. I thought I'd add a little bit of
 historical perspective of similarities and differences from the telephony
 world, which was mentioned, to the Internet world. And in this context, in
 telephony world it's called fraud -- in the Internet world it's called
 security, but it's a whole lot broader -- they share the criminal, the
 intelligent adversary, and they also share money, the motivation. They also
 share the fact that they are growing, although at different rates, so that
 telephony fraud, which we think of probably as a solved problem, is growing at
 estimated double-digit rates every year.  Fundamental new types of fraud come
 about approximately every month, that sort of thing. But what they don't share
 is an openness which is essential to the Internet.  And they don't share a
 newness, which leaves us in the position of not having quite as structured ways
 of reacting to it. Probably most important, they don't share the intelligent
 edge, which means that when people talk about all the software, all the
 hardware that goes into the edge, there's the opportunity to do more things on
 it if you are a perpetrator.  But there's the problem of trying to manage
 something that, for most people, is a very complex beast, connected to a
 network which is an even more complex beast.

 >>KEN CUKIER:  Is there a way to take those points and think of them in the
 framework of what different stakeholders can bring to the table?  And also in
 terms of the developing world.  What they may need to know and how they should
 prepare for the same issues that we in the west had faced by dint of having
 developed our infrastructure further.

 >>DAVID BELANGER:  Let me try to address the collaboration and perhaps someone
 else can address the developing world better than I. One of the things that's
 happened over time is that there is enormous collaboration on these issues
 within industry, and I would say typically with governments, in the telephony
 world to the point where we would share what information we have that might
 help other companies protect themselves against fraud, rather than simply
 protecting ourselves. What I would say in the Internet, that that sharing is
 beginning to evolve over the major peering partners as they start to do what
 are actually very similar defenses and active defenses, actually predicting and
 anticipating security, at the network layer. Typically, the information of
 what's going on when you get all the way out past what might be a business
 enterprise's network, which can be controlled and watched very carefully, to an
 individual's PC, which may be being recruited as a botnet or its root may be
 attacked so it can be part of a sale to somebody who wants to attack us, that
 information isn't in the hands of a group who watches 7 by 24 what's happening.
  It typically is quite a bit richer information because every two people's PCs
 are quite a bit different. So I think that the approaches, both in
 collaboration and in technology and in operations that have been being used in
 the network are harder to apply at the web layer.

 >>KEN CUKIER:  Okay.  Thank you. I would like to ask Mrs. Lamia Chaffai a
 question, because on this question of the certification authority for Africa,
 we were talking about this beforehand.  Can you tell us about your experience

 >>LAMIA CHAFFAI:  Thank you for that question.  The question of cooperation on
 development in particular is a very important one.  In the African region
 today, there are quite a lot of countries which already have a regulatory
 framework for electronic commerce and signatures.  Others are working on that
 now.  And we have to ensure that all these countries have a framework of
 harmonization for their legislation to ensure that they can participate and
 contribute to international exchange in order to bring about this development.
 So we must ensure that e-commerce carried out in a particular country should be
 recognized at international levels. So you need operator confidence for users
 in Africa, and that that is on the same footing as what exists at international
 level. So there are a lot of different areas of cooperation in terms of the
 legal framework standards, modus operandi among certification bodies, at the
 technical level, but also in terms of training of human resources, and
 awareness raising amongst decision takers in terms of the scope and the
 importance of this trust, this confidence in terms of development in this
 country. So that they genuinely can be concretely involved in this development
 of what we call the intelligence economy.  Thank you.

 >>KEN CUKIER:  In listening to your experience and some of the things that I
 have heard on the panel, I would still go back to an earlier question and pose
 in information security, the needs of different countries are so diverse and
 the cultures of different countries are so diverse that it makes sense to think
 of it not on an international level but actually maybe on a regional level
 instead.  And that might be best we can hope for. Would anyone on the panel
 either like to agree with that or disagree with that? Please.

 >>HENRIK KASPERSEN:  I would say in this respect, it's always difficult to
 choose the right approach. There are two distinct approaches, the bottom-up and
 the top-down approach. And I would think if so many countries and so many
 different states of development with different frequencies and occurrences of
 Internet in their countries, it would be extremely difficult to have the
 ambition that it should be done top-down. So I would be very much in favor to
 do it bottom-up. That means sector-wise, and, if possible, through more
 regional organizations that would benefit the whole process. But I would not
 have the ambition to do it top-down, because that is probably a very
 long-lasting process and probably not going to succeed in the end. That's a
 general remark on this issue. In the meantime, I also would favor, let's say,
 codes of good conduct of the actors in the field themselves. Actually, I think

 >>KEN CUKIER:  Sounds like wishful thinking. Who would the code of good conduct
 apply to?

 >>HENRIK KASPERSEN:  Well, to a certain group of actors in the field, where you
 have the network operators, where you have the access providers, or even where
 you have the Internet users as a group, that could be beneficial as well. It's
 all difficult. How do you start it? It should be the private initiative. But,
 nevertheless, it should be tried anyway. And this sitting here and saying,
 let's start, do something worldwide from top-down.

 >>KEN CUKIER:  Richard. Did you want to?

 >>RICHARD SIMPSON:  Yes. Yes, thank you. Just to pick up the point that's just
 been made about codes of good conduct and how you start to put together these
 cross-national or cross-jurisdictional solutions to some problems in the
 security area. What we underestimate in this area is the degree to which there
 is mutual benefit across industry and across countries to making the Internet
 work effectively and ensuring the online marketplace continues to grow. And the
 challenge, it seems, to us is to capture this mutual benefit in practical ways.
 One code of conduct that we were very successful in developing in Canada
 recently in response to the spam problem was a series of best practices for
 network management, which network service providers in Canada adopted. It later
 on became the basis for work at the OECD, and now there's a cross-OECD code of
 conduct along the same lines. We have figures to show that, actually, this
 network management best practices was greatly successful in Canada in cutting
 down the amount of spam initiated in our country through botnets, primarily,
 because of certain technical arrangements that are made through this agreement.
 And if we had not put industry together to define their mutual interest in
 developing these standards and putting them into practice, we would not have
 had that success in dealing with spam, and the international community would
 not have had that model to work with.

 >>KEN CUKIER:  Interesting. I want to ask one more panelist for a reply, and
 then I'd like to bring it to the blogosphere and comments from the Internet. 

 >>ANDREW MAURER:  Just in terms of different countries, some developing, some
 slightly more developed in terms of security. There are some constructs, like
 the OECD spam tool kit, which acts as a starter set of some policies out there.
 It puts forward some legislation. It puts forward some advisories on things
 like industry collaboration that was mentioned just then, technical solutions,
 and educational material. Now, some of it's going to be very specific to
 countries that have been engaged with the Internet for a long time. But others
 of it, other elements of it can be taken away and built on or cut down or
 adapted.  And it provides a bit of a kick start for almost any other country
 that wants to look at the problem and make some headway. Often it's very
 difficult to engage with these problems with no source material or no
 background to work from. So drawing on that sort of broader resource is
 actually quite useful.

 >>KEN CUKIER:  The OECD spam tool kit, as you've described, it sounds very
 interesting, because it's a way for the developing world -- excuse me, the
 developed countries, who have so much experience with spam, to their annoyance,
 can take their learnings and codify it into the mechanisms of capacity-building
 in the developing world, if I understand you correctly. But the limitation of
 that is that it's only about spam. Might there be a way, a framework, an
 institution, to take other issues that the industrialized world has grappled
 with by dint of having dealt with it first, and then putting it forward in a
 way that developing countries can actually have a one stop shop on how to deal
 with this one particular issue of network security, information security across
 the wide, broad gamut of problems that they're going to face?

 >>ANDREW MAURER:  It would be a lovely idea. But as someone pointed out,
 security is so multidisciplinary that we're not always talking about the same
 thing. So the spam approach, I think, works really well for that. In many other
 cases, you have people building basic capacity. And perhaps the third model is
 something that works better there, where the people who are actually putting
 together the infrastructure and the services themselves, if they get the
 knowledge and the information exchanged that CERTs provide, then they're
 building in security at the same time that they're building the basic capacity.

 >>MALCOLM HARBOUR:  I just wanted to make a short point which linked to
 something that came up this morning. It's on the question of wireless and
 wireless Internet. If you look at what someone with wireless Internet delivery,
 they've come in later and actually put in different mechanisms for dealing with
 spam and unauthorized content. Now, if, as I think -- and maybe this is a point
 for the floor. But if the next billion Internet connections, I think -- my
 hope, obviously, is that a much higher proportion of those will be wireless
 than the current connections. And so people putting in in developing countries
 where there will be a lot of wireless-enabled connections, I think they can
 very much learn from the sort of packages that have been put in to protect
 wireless consumers. But on the other hand, of course, the security and
 integrity of the wireless networks -- and these are points that were made by
 expert panelists down the table -- perhaps present more of a challenge than
 fixed lines.

 >>KEN CUKIER:  Let me go right now to the comments that we have over the
 Internet. Please, Jeremy.

 >> Thanks very much. Well, there are two people who I have comments from. This
 is from the chat room on security on the IGF Web site. The first of
 them is Allison Wheeler, who is the CEO of Wikipedia U.K. And although
 discussion has moved on, at the time, we were talking about training new users.
 And Allison said that the bottom-line problem is that the Internet has become a
 general population toy rather than a capable and trained person tool, and she
 mentions the fact that computers are now sold alongside televisions and
 cookers, and that that's the serious problem here. They're not all white
 boards, but end users think they are. The next point comes from Michael Nelson.
 Michael is from the Internet Society, based in Arlington, Virginia. And he has
 a question for the panel. He says, how important are open standards in
 development of better Internet security? How have patent fights over new
 technologies slowed rollout of better security technologies and techniques? For
 example, he says, we desperately need better authentication in cyberspace, but
 most proposed solutions are based upon proprietary solutions. And he suggests
 that the IGF, if the IGF wants to have a concrete impact, it could build
 ubiquitous, open standards-based authentication.

 >>KEN CUKIER:  Very, very interesting. Let me do this. I think that Allison's
 point is very interesting, the notion of the generality that we need to have
 that affects how we treat information security. But let's treat that later on,
 because we're going to always come back to that, particularly as it concerns
 the developing world. Mike Nelson's point might be an area where we can drill
 down while we also ask the audience to come up with questions and to write it
 down, write their name or give their card so it comes up here, and we'll open
 it up to the audience for more questions. Let me drill down into Mike Nelson's
 question, which is the question of the development of standards. Clearly,
 listening to all of you so far, particularly in your opening summations,
 opening overview, there was -- you all noted that industry had a role to play
 and, in fact, was doing quite a lot. Yet you also noted that there were somehow
 problems and inefficiencies from realizing the robust enough security that we
 would feel confident with. To what degree do you believe that standards are a
 problem? How can we actually create these standards? And is there a role for
 something like the Internet Governance Forum to help establish those standards?
 Or should we just say that they're for a technologist and for the private
 sector to come up with and we'll just wait until you do so? That's not a loaded
 question, of course. Feel free to challenge the question. All the other
 speakers have done so far. Please, Richard.

 >>RICHARD SIMPSON:  Well, I think Michael Nelson's made a very good point in
 talking about the importance of electronic authentication to the problem of
 security. And I would generalize it to be an issue that is more about an
 effective means for identity management online. If you look at a lot of the
 emerging threats that we are talking about, that we will continue to talk
 about, they relate to areas that -- like identity theft, which really have to
 do with the problems of identity online, identity both of an individual as well
 as in a corporate sense. So I think he's raised a good question, one that we
 should look at. There are now many instruments available where we could look at
 strange electronic authentication specifically, but also identity management
 online. The thing is that it's not just the I.T. community that is involved in
 areas like this. The banking industry worldwide has a significant interest in
 how this whole area unfolds. I know they're working on areas of authentication.
 Just the final point I'd like to make here, without sort of choosing whether a
 single forum or body could deal with an as complex as this. I think often that
 the private sector responds to -- very much to public demand in the first
 instance, as it's reflected in their business, but, secondly, also to
 leadership as it may be reflected by governments in terms of responding to
 their clients, which is the voter for all of our countries. So, you know, I
 think that we really should take a look at what we can do in terms of
 underlining the importance of the area, pointing industry to the need to come
 up with something like an open approach, let's say, rather than open standards,
 which is kind of a loaded term, but an open approach, which allows for
 interoperability and flexibility in dealing with the problem of identity
 management. Thanks.

 >>KEN CUKIER:  Let me ask, does government have a role to play in helping the
 -- the security industry to come up with these open approaches? Is there
 anything that the government can do? There's lots of tools that are available.
 Of course, the Internet was an example of a data networking protocol that was
 created in part because the government decided they didn't want to have a
 multiplicity of computer systems that didn't interact with each other. They had
 DARPA fund the idea and of course the government as a buyer of technology,
 through the DOD, was able to standardize around the TCP/IP protocol. That
 created a marketplace. Similarly, is there a role for government in this area
 for computer security and network security? I see a couple of questions.
 Indicate who -- the panelists who want to address this issue. I see one,
 two, please, start from the -- Council of Europe, parliament of Europe. Sorry.

 >>HENRIK KASPERSEN:  In general, I would say that governments should not
 interfere in the process of standard-setting. I think that's something that
 should be left to private industry. They are most capable of doing so. They are
 dealing with competition. So, in principle, I would say there is no influence
 needed there of governments. The influence, nevertheless, could be some
 pressure to do it, convincing pressure to bring parties that far. But most of
 the time, what helps is really if in the discussion, societal discussion, it's
 clear that standards are needed to achieve a certain quality. If that quality
 has not been reached, it could be the case that courts, for instance, may make
 parties accountable for not having implemented certain measures. That will help
 considerably, too. But that is a very tricky process. But I think, in
 principle, state parties should not interfere in the parties of

 >>KEN CUKIER:  Ilias, I see you have a comment.

 >>ILIAS CHANTZOS:  Thank you. Well, being among the industry panelists, I think
 it's expected I would have a view on that one. So let's begin with a couple of
 points here. I think that, first of all, we can well argue that governments
 have already in their tool kit a number of tools which they could be using.
 However, the fact -- or which could be already applicable. However, the fact
 remains that if we don't want to be carving things in stone, it's very
 important that we understand and show that the market is there and able to
 innovate. And to do that, we need awesome standards and market-driven,
 bottom-up approach. Technology moves too quickly. We cannot afford to have a
 stifling in the innovation by not having a technological neutrality when we're
 getting things through the institutional democratic process. Having said that,
 yes, competition in the marketplace, openness, interoperability are key issues
 for information security. The fact that we're having right now a healthy market
 on information security, comparative market on information security, a diverse
 market, are key issues to ensure that we maintain a high level of information
 security. We cannot afford to have a security through obscurity. Now, having
 said that, I also need to point out that the fact that security and choosing
 security products, if you like, security solutions, should be based on the risk
 that we're dealing with and on the things that we want the product to do. That
 can be open source; that can be, if you like, proprietary. But that does not
 necessarily mean that just because open source is more secure. It's not the way
 that it's licensed; it's what it's made to do.

 >>KEN CUKIER:  Okay. Well, open source is one issue, among many. But the issue
 of open either silicon standards or even open approaches doesn't necessarily
 have to be open source; right? So let me press you on this. In creating the
 Internet, the -- it took academia and government to not just benefit one firm,
 but to change the state of the entire industry so that many firms could
 benefit. Clearly, you might see, as having proprietary standards, et cetera,
 and technologies, that you could grow your market even more, sufficiently more,
 with an open approach than you could if you had many different proprietary
 approaches that would put a brake on companies and countries and individuals
 from investing more in information security. So, essentially, government could
 fuel industry for a socially optimal outcome. Do you think that this is a good
 idea? If so, how would we go about doing it? Would this forum be an appropriate
 forum? Or even would this forum be the right place to raise this sort of issue?
 And then develop it, allow the issue to ripen somewhat, and then hand it off to
 another institution to see through? And who would that institution be? Do you
 have any ideas on it? And then I invite the other panelists to respond. But I'm
 going to challenge you first.

 >>ILIAS CHANTZOS:  You're going to challenge me with six questions or
 something. Let's try to tackle it in a constructive way. I think that the
 current marketplace is such that there are the drivers which would ensure that
 we see innovation and we maintain innovation. Certainly from our point of view,
 we aim to try and we aim to be interoperable. We aim to be operating across
 platforms, because that is what the market also needs. So as long as we
 understand that diversity, competition are key elements in the marketplace and
 we ensure and we strive that we maintain that, I think we're to start within
 the right path. Now, whether IGF is the best place to do this, quite frankly, I
 think that this is a very technical discussion. This is a discussion which is
 -- perhaps -- which runs the risk of perhaps boring the delegates to death. And
 I wouldn't want to see any people falling off their chairs while I'm speaking.
 So I think that though the IGF is a good place where we can kick the idea, hear
 the views of the different stakeholders, because that's the value of it, the
 diverse participation. We need, then, to make sure that the different bodies
 are, kind of like of the international community, which are following up
 standard work, continue to work together, continue to push these ideas, and see
 what comes out of the democratic process.

 >>KEN CUKIER:  I see Gus and Rikke.

 >>GUS HOSEIN:  I'm half excited and half terrified by this proposal. The part
 of me that's excited is saying that the current standards-making process,
 whether it's the de facto standards created by companies or the larger
 standards created by international institutions, are such a closed process
 already, it's impenetrable to most, very technical, as you say, but also very
 economically ex- -- well, very expensive to attend these meetings. And they're
 basically dominated by very powerful players. So Mike Nelson's idea of moving
 it to the IGF is a fantastic idea. At the same time, authentication and all
 these security issues are so delicate that I worry that what we'd come up with would
 be unusable or even dangerous. So I'd actually recommend, instead of coming up
 with standards, why don't we follow the guidance of the Canadians when they
 created authentication principles that they're now working with the OECD. Why
 don't we look at what's coming out of the U.S. from companies like Microsoft
 and Liberty Alliance about principles of authentication, and look at what's
 going on in Europe and bring these ideas together and coming up with
 principles, not hard, cold standards, but principles.

 >>KEN CUKIER:  Interesting. Please.

 >>RIKKE FRANK JORGENSEN:  This was actually a short supplementary question to
 the issue of the standard committee's linking it to development issues, again.
 I'm just wondering, and this is a question, could be anyone on the panel
 answering, to which extent these rather close processes, these standard
 committees are in any way open to people from developing countries. They might
 be in principle. But in reality. And if they are not so, how can we by any
 means enhance that openness?


 >>ARCADY KREMER:  I would also like to make a few comments on the importance of
 standardization, and to which degree these questions could be discussed and
 settled through collaboration. First of all, standards are a very important and
 useful means to guarantee interoperability. And standards are also a way to
 find the best possible solution. But we have thousands of standards and
 hundreds of pages of scribing them. So we should find -- we should see what
 true standards are. True standards are those which are used. And when we
 discuss if they are useful or not, first of all, we should see if there's any
 point in our discussion. And I'm not trying to make any allusions to the
 institutions which are writing standards, but I think that we should see it on
 -- from the viewpoint of the user. Of course, it's very important for the
 various forums to collaborate and cooperate in order not to exclude anyone. And
 we also need to work in parallel to find the right standards. But this work, I
 can say that at this time it's being undertaken by the World Telecom
 Standardization Assembly, which does hold regular seminars and has various
 committees which receive information and prepare texts. But the question is,
 how can we cooperate, how can we achieve cooperation between governments and
 the private sector, regulators and users. Well, I think the only way is through
 cooperation. And that's the way to achieve information security for the
 network. Because --

 >>KEN CUKIER:  (inaudible) on that as well, and the rest of the panelists.
 Because I think we've done a good job of identifying the problem in this
 respect. But it's not so clear we know what the appropriate institution is to
 drive this forward, even if one exists at all. Can you --   Does anyone have an
 idea of the way that this can actually be driven forward? I'll let you think
 about it. While you do, I'm going to call on Howard Williams of the University
 of Strathclyde to make some remarks -- offer some questions for the room, as
 well as for the panel, on the question of these issues of security and
 development. Howard.

 >>HOWARD WILLIAMS:  Thank you. I'm starting in a position of just
 understanding some of the context where some recent data that I was shown
 showed that one in every 150 e-mails was a phishing or identity theft attempt.
 Something like 54% of all filtered e-mails was spam. And so from a developing
 country perspective, most of the issues of security are really about, from the
 end user perspective, just the denial of service, the cost of actually running
 your own or having access have become too high and so they're stopping to use
 the net. That's the sort of context where my comments and questions are coming.
 And we know that in many developing countries, bandwidth capacity's relatively
 limited and relatively expensive. And I'm sure in the session on access, we
 will talk about this much more. And so there's a question:  We know that most
 of that Internet traffic is coming from outside of the country. So there is a
 question. Is there an obligation on the major tier-one peers or other peer
 agreements on the Internet exchanges or the ISPs in the more developed world
 and the OECD countries actually to manage the security and quality of the
 traffic that is being sent across the network, particularly to developing
 countries? Is there an obligation for some users? And then going through this
 question on the roles and obligations on sort of intermediaries in the
 marketplace, are there other obligations that we can place on ISPs? And there
 is some quite interesting data, I think, that shows that sometimes, in some
 markets, ISPs place less attention on security than they may do. And there may
 be a real role for public policy intervention here. And I think the two sort of
 related points on this one. One is we had some comments at the beginning that
 said, you know, security isn't about traded goods and services. But perhaps
 there is a case that, actually, you know, the latest security tools, the latest
 downloads should be provided as public goods if we're really generally
 interested in inclusive information society. Perhaps these are the very things
 that ought to be public goods and provided internationally. And then my last
 comment is really about how the IGF can play a role in this, and is there a
 role in which the IGF can really help the development and the coordination
 between CERTs in developing countries? Thank you.

 >>KEN CUKIER:  Great. Thank you, Howard. Those are a rich variety of questions
 and issues for us to think about. What I'd like to do is ask the audience to
 think about some of these issues and give us some feedback in terms of what we
 should be asking. Do so. Let yourself be known to the women with the
 microphones, who will then get your card, your name, and then bring it up here.
 Then we will call on you. While you are doing that, let me turn to the
 panelists and focus on one of Howard's questions. And it's that issue of public
 goods. A principle of immunology is that the entire system is better the more
 that everyone in it is healthy. The idea that I may get a flu shot and you may
 not seems on one hand that it benefits me. But, of course, the fact if I get a
 flu shot, it benefits you, too, because there's less probability that you may
 catch the flu. Likewise, in information security, the more that the entire
 network is secure, and all its pieces are secure, so, too, everyone else rises.
 So we would have an incentive, say, that everyone in Moldova has extremely good
 security and there will be fewer botnets that will attack me in London. These
 are same global issues that we're seeing in terms of communicable diseases,
 like we're seeing in terms of climate change. We have created institutions.
 We've created philanthropies. And we have a greater sense of awareness of the
 notion of the public good in health care, on one hand. We're gaining that
 awareness for climate change. What does it mean to have public goods accessible
 for all for network security on the Internet? Andrew, I invite you to respond.

 >>ANDREW MAURER:  Blast. What it can mean is something a little bit difficult. 
 Yes, it's good if we immunize against smallpox or flu.  It's not so good if we
 immunize against bubonic plague because it's a sexy thing and it involves rats.
 So there has to be an approach to what security tools are being put in place,
 what security approaches are being put in place. I think -- well, I am, of
 course, speaking from a government perspective.  I think that the role for
 government is to bring together the right players with the right ideas.  And so
 bringing together civil society to bring forward the ideas about what is
 important to them, what interactions they particularly want is useful. 
 Bringing together the private sector who can bring together perhaps a bit more
 detailed information of the economic choices, of the market choices that are
 there.  Are people --

 >>KEN CUKIER:  Andrew, let me cut you off for a second.  If we were to do that,
 we would talk about this, we would host more meetings, we would have lots more
 great receptions like we did last night, and we would still have the same
 problems.  We need to cut this Gordian knot with one fell swoop of our sword.
 Let me ask Richard from Canada, maybe you can help us.  Is it feasible to take
 a Gordian knot approach to this and just do it?

 >>RICHARD SIMPSON:  I liked your first metaphor about public goods more than
 the Gordian knot metaphor. But just to answer the question about what role can
 public authorities play in tackling this issue in the first instance, and in
 the first instance, reflecting public demand, they can set some expectations
 which have to be met one way or the other.  And I think this goes back to the
 early days when we started talking about the Internet.  When many governments
 put forward expectations about how the private sector should introduce
 electronic commerce and e-business using the Internet. And the private sector,
 by and large, responded well to that once those goals were set. Now, these are
 much more complex in nature.  But I think the same -- I would -- I would
 recommend the same starting point in terms of the role of government, private
 sector, and civil society. Government's first responsibility is set the
 benchmark, and ask the private sector to respond.  And I think your analogy of
 the Internet as a public good and mutual benefit and mutual self-interest, the
 point I was making earlier being quite obvious here once people think about it
 for any period of time, will be the driving force behind the private sector
 responding. And just to give you a very specific example of how this is
 happening in the area of security, there are international groups organized by
 the private sector entirely on their own, like the Messaging Anti-Abuse Working
 Group, MAAWG, that has been working rapidly adopting many standards practices
 and policies that are dealing with some of the issues that you mentioned.  For
 example, standards of network management for ISPs, for example.  I think your
 point about tier 1 network providers also an area for their attention, although
 this is primarily an ISP group. But the success of MAAWG shows that the private
 sector, if it is given a set of expectations based on the mutual benefit they
 gain from working together, will respond.  But governments, individually and
 collectively, have to put these expectations clearly.

 >>KEN CUKIER:  Richard, let me -- is my mike working?  It's not working.  Is it
 now working?  My mike is still not working.  May I have the microphone, please.
  Thanks. I can understand.... Of course I can empathize with the interests of
 the organizers to shut me up as much as possible but I think this is a horrible
 tactic to shut off my mike. Richard, that's true.  I don't disagree with that
 whatsoever. However, for the developing world, the problem is cost.  So we may
 actually see that we have spurred industry to act and it is still now
 inaccessible to the developing world and as a result, computer users in Britain
 are harmed by the inadequate security from botnets hundreds of thousands of
 miles away. How do we address that particular issue?  Does anyone have a good
 answer to that?  Malcolm.

 >>MALCOLM HARBOUR:  I just want to refer back briefly to the earlier point
 about how we approach this issue.  And I think one of the things that is
 actually, if you look at the European Commission's consultation paper on the
 current framework legislation in Europe, is to say is it time to say that we
 put a duty of care on network operators, a legal duty of care to operate a
 secure network. And they can be held liable for problems that will be caused by
 that.  They have to demonstrate they have done everything possible to protect
 their network from security breaches.  And maybe it's time to ramp that up. So
 I think there are a number of issues around that.  And similarly in some
 countries, Finland is an example, where network providers also have to provide
 security tools for all their users. So there are things that could be done. 
 But on the broad issue we are talking about, I think -- what I think is
 striking about the discussion so far is the number of ideas that have come
 forward. I mean, I don't think that there is going to be a single silver bullet
 or the sword to cut the Gordian knot, because everybody has got their own
 ideas.  But equally, you know, criminals and people are evading the systems, so
 it's going to keep moving at a very fast pace. But I would have thought that we
 were in a position with the sort of expertise discovered here to put together,
 if you like, a digest of best practices.  Because if we're talking about
 rolling out new networks, anybody who is in a developing country who is working
 with people to invest in new networks surely wants access to all the
 information and then they can decide what they want to put in place, which is
 best practice to do that. Maybe one of the ideas that my colleagues in
 parliament have suggested to the IGF is why don't -- when we meet in -- next
 year in Egypt that by that time we will have a whole series of best practice
 awards for security tools and techniques. So instead of having a big panel like
 this, perhaps we will have a little award ceremony and we will have some
 exciting ideas up there and you can moderate that as a change from having a big

 >>KEN CUKIER:  Malcolm, any chance for me to be a moderator, I'll accept it.
 Before I turn to you, Mr.  Kaspersen, I want to turn to you, Ilias.  You are
 the member from industry here.  Symantec is the world's largest I.T. security
 company.  Clearly, you might have an interest in how we are going to force
 you to either furnish products for the marketplace or tell your customers they
 must comply with our regulations.  What do you think?

 >>ILIAS CHANTZOS:  I think you don't have to force me.  I think we are putting
 in the market very nominative products.  I think that, in fact, the security
 marketplace is working and producing very nominative, very competitive
 solutions.  Which is why I get uncomfortable when I hear statements about
 public goods.  Does this mean we are taking out from the marketplace this
 dynamism, this innovation?  Often we see, when it comes to public goods, also,
 what we see as the tragedy of the commons.  i.e., if they are common, everybody
 has rights in it, nobody has obligations in it.  Everybody enjoys it but nobody
 really cares for it. So to go out and say we're going to turn A or B into a
 public good, we need to make sure that at the same time we sustain a level of
 innovation. And I think that in this sphere, in this area, in the area of
 technology, we cannot sustain a level of innovation that we are right now
 having and we need anywhere else other than but the marketplace. Moreover,
 moreover, we need also to take one more thing into account.  Even if we were to
 kind of like, I don't know, make -- Even if this concept of public good would
 go forward, there would be the fundamental point that I raised previously. 
 People, processes, and technology. There's no point in me giving you a
 technology if you don't know how to use it.  There is no point.  It won't be
 able to protect you.  There is no point in me giving you technology for which
 you don't have a process on how to use it. So I want to echo the points raised
 also by Malcolm whereby he talks about other approaches as well and what's
 happening in Europe about a multi-layer defense about the role of ISPs.

 >>KEN CUKIER:  Wikipedia.  Wikipedia is a great, great encyclopedia.  It's
 created by users, by the people who actually use the Internet.  It's all for
 free. Open source software.  Absolutely fantastic. We know that Microsoft
 offers different products.  Some of them are more successful than others, but
 we also know that in terms of server software, about 60% of all server software
 is from Apache and that is a free, downloadable, open-source product.  The
 Linux kernel is secure.  Large companies are using it for the most critical
 information infrastructure, yet it's done by the open-source community. Is it
 time that we have an open source security practice for network security?  Is
 that what we need? Let me invite the man who I am going to pillar from industry
 first to respond and then others.

 >>ILIAS CHANTZOS:  That's unfair because you are picking a second time on me,
 but I will take the challenge. So let me begin differently. If we see, for
 example, this (inaudible) in the security threat report, we see that on the
 latest reporting period, 47 new vulnerabilities were discovered affecting open
 source browsers, up to 17 in comparison to the previous period.  And 32 which
 were proprietary.

 >>KEN CUKIER:  What were the statistics?  Say the numbers again.

 >>ILIAS CHANTZOS:  47 versus 38.

 >>KEN CUKIER:  Statistically, that sounds quite simple.  That sounds almost the

 >>ILIAS CHANTZOS:  Actually, no, but in any case, the point I want to be
 making is this.  I'm not standing here and I'm saying that the open source is
 something which is not good.  No, not at all. Every kind of like technology has
 its uses.  Every business model has its uses and its values. All I'm saying is
 that the key issue around what you want chooses when it has to do with
 information security has to be based not on how a solution is licensed, because
 ultimately that is the difference between open source and proprietary software,
 how to license, but actually what it's designed for and what it is supposedly
 doing. And also, at what risk environment it's going to be placed.

 >>KEN CUKIER:  Okay.  Let me first pick on Lamia Chaffai.  Tell us, what do you
 think of our conversation?

 >>LAMIA CHAFFAI:  About open source software and proprietary software?

 >>KEN CUKIER:  (speaking French).

 >>LAMIA CHAFFAI:  Open source software presents an opportunity for the
 countries in developing countries, but also the proprietary software are
 complementary in some ways. I want to speak about the role of the government in
 the development of security. They have an important role as a catalyzer for the
 private sector.  The public/private partnership is very important in the domain
 of security. For instance, for development of the industry, also to boost the
 human resource capacity building in terms of security, sensitizing the users of
 the -- for the security issue.  And it is important that the government has a
 whole strategy and be aware of the security issue for all kinds of services. So
 the government has a role in this aspect.

 >>KEN CUKIER:  Thank you. Mr. Kaspersen.  Thank you.

 >>HENRIK KASPERSEN:  I am moving with you to other topics, but backing up this
 role of the government, indeed I agree that the government really can play the
 role of a catalyst.  That's not strange when we are talking about security in
 other areas.  When we talk about the real world, we see it's the task of the
 government to seek that the citizens are secure in certain environments. If you
 build a house, we have prescriptions.  If you do something else, you drive a
 car, you have prescriptions. It should also be normal that the government looks
 to Internet security. The only point is it's very difficult.  How bad is the
 situation?  What you see is initiatives from the government, when we talk about
 critical infrastructure, that they take clearly responsibility, at least in my
 country, and where it goes to user protection one is a bit more lenient to pick
 it up because it's extremely difficult. You can check, see if a house is built
 that the prescriptions are followed, but it's very difficult to do the same
 when you build a network or you use a network.

 >>KEN CUKIER:  That's right.

 >>HENRIK KASPERSEN:  So there is a problem.  At least what I want to stress,
 and that's my role in this conference, at least the bottom line should be what
 kind of behavior should be criminalized, what should not be done, at least. 
 And it's extremely important to have a clear idea what should be in criminal
 law, and also strong pressure on to prosecute and investigate those kind of
 crimes in order to make it clear what will be accepted and what will not.

 >>KEN CUKIER:  Okay. Let me first turn to Frederico, and then....

 >>FREDERICO NEVES:  A role that governments can play is that normally most of
 the countries, the government is one of the biggest I.T. users in the country.
 And a role to set some standards is like to set up federal CERTs.  Like to deal
 with security on the government networks.  Some countries have set up this, and
 this one of the good roles that government could play in the security arena.
 And so this is one of the things that IGF could propagate to governments in the

 >>KEN CUKIER:  That's right.  Terayasu, please.

 >>TERAYASU MURAKAMI:  Well, I would like to raise the point on the importance of the government
 function to coordinate the various measures to fight against the security
 issues. That is coming from our experience that best practice of decreasing the
 mobile phone Spam mails in the last two or three years. Well, since year 2003,
 in Japan we have a very well-coordinated actions occur, where government
 established the anti-spam law and expanded that function of that law.  And the
 industry had a coordinated action to share the information on the spammers. 
 And private sector reacted to that movement by, well, for instance, changing
 the address to a very long one.  At one time, I had a  mail
 address of more than thirty letters.  Well, those coordinated actions occurred
 simultaneously with the -- the coordination of the government. And I'm a
 believer of broken window theory. Whenever we have an effective action to fight
 against the, for instance, spammers, we ought to have no broken windows at
 home.  If you have a broken window in user side, well, that action would not
 work.  And if you have a broken window in industry side, that action also
 doesn't work.

 >>KEN CUKIER:  Let me do this.  Let me turn to the audience for some of your
 questions. Let me have all -- a few questions add and then we will reply to
 them, trying to see what your -- getting your feedback to what we can get refer
 to. The first person I would like to ask the question is Elena Batueva. Please,
 thank you.

 >>ELENA BATUEVA:  Thank you very much.  Good afternoon to all experts.  Good
 afternoon to everyone who is participating here today. I'm very glad to be
 here, and I'm very glad to be at this session, which is discussing the matter
 of security, because it is of great interest to us.  And I'd like you to answer
 this question. Many experts today talk about cooperation and collaboration, and
 they said that security is a very complex issue, very complicated. So they all
 said that we should approach this from different positions and viewpoints, and
 we should be more systematic in our approach. What is the case in your view? 
 Can Internet users be divided into three categories?  For example, individuals,
 society, and state. So perhaps if we make this division, if we put them in
 categories, we can decide what their security needs are, because sometimes, if
 we are thinking of the individual as an Internet user, then his civil rights
 have to be protected.  If it's society which is the user, then we have to see
 the commercial and trade aspect, and also the security of the transactions. And
 when we are talking about the state as an Internet user, then we should see it
 as a resource to be managed and also as a way to connect to your citizens. So
 when you talk about international cooperation today, I would like to give a
 concrete example.  It's regional cooperation in the Shanghai Association. We
 have set an expert group from the member countries on information security.  It
 has already started its work, and at the next forum I think we will be able to
 give you text on our successes. Thank you very much for listening to me.

 >>KEN CUKIER:  Thank you. We have a question from Suresh Ramasubramanian. 
 Suresh, I don't see you.

 >>SURESH RAMASUBRAMANIAN:  Not really a question but I was pointing out that
 when you were saying what could developing countries do, and it takes money and
 all the things like that, (inaudible) does have (inaudible) in the tool kit and
 there is a problem of Spam in developing countries that covers a whole lot of
 what you ask for.  Good reading, I guess.

 >>KEN CUKIER:  Thank you. We have a comment from Vasilis Maglaris on the
 private sector and standards.  Please.

 >>VASILIS MAGLARIS:  Although my question was answered by the last positions
 put by the panel, I would like just to point out, just to ask how would third
 trusted party functions like authentication and authorization infrastructures
 could be influenced by the private sector and if it is really the function of
 the private sector to set standards and operate third trusted parties.  It is
 my experience that it is sort of similar to like outsourcing for this function
 or other kinds of security functions down to -- over to the private sector. 
 This is my question.

 >>KEN CUKIER:  I didn't actually -- Say it again. Were you -- should it be for
 industry it do?  I didn't fully get it.

 >>VASILIS MAGLARIS:  Exactly.  Is it for industry to do?  Is it industry a
 third trusted party?  Or is it something other government bodies, like the U.N.
 or like the IGF or civil society or whatever else should do it.

 >>KEN CUKIER:  Thank you.  There is a question by Sascha Welter.

 >>SASCHA WELTER:  I would like to remind you to some of the points brought up
 by the audience in the beginning, especially to the things about the developing
 countries.  We had the speaker from China tell us some examples of IPs that
 they blocked.  Well, as a network administrator, I could open my mail logs and
 give him more IPs to block as fast as he could write them down.  And the answer
 to this from some administrators, not many, is to shut down service from all
 IPs in China or other similar countries.  And I think this is a terrible thing
 because developing countries are right now struggling to get on the net.  And
 because of these security problems, we shut them down again. And, well, I see
 international law corporation is somehow more interested in shutting down
 bloggers like now in Greece or sometimes in China we have seen and not so much
 interested in getting after IPs of spammers or virus IPs because those are in
 the millions.

 >>KEN CUKIER:  Interesting.  Thank you.  That goes back to Terayasu's point
 about we're doing so much to help the victims but we are not doing enough to
 actually go after the criminals. Let me use that as the starting point for
 questions to the panelists. Sascha raises a very good point.  What can we
 possibly do about the issue.  On the one hand there is a question of fairness
 and justice.  On the other hand, we need to take reasonable precautions if we
 are experiencing hacking or attacks or bad packets in terms of Spam from
 another destination.  Is there any way around this, and can the IGF play a role
 in this respect? Please.

 >>CHENGQING HUANG:  I'll answer the question from our experience.  We deal with
 Spam.  We have a coordinated working group of the society.  In November 2002 we
 organized this agency.  At that time, Spams were a very serious problem in
 China and affected the economic interests of operators, including taking up
 their space.  And they requested the society of China Internet to issue this
 working group on this matter. And the first task of this agency is to establish
 principles of work.  For instance, whether in the organization they should
 share information.  If they find IP addresses of Spam, they should discuss this
 matter and we should assess whether the IP address sent a lot of Spams.  And
 also we have the principle of coordinated action to make joint efforts. So
 after defining some principles, we received the reporting and denunciation from
 society and the relevant organs and received some addresses that sent Spam. If
 we determine that these IP addresses, indeed, sent Spams, we announced the list
 of such addresses. So such a list, we have WW.NT slash Spam Web site, you can
 see how many servers of Spam we have announced. If after three months they have
 not improved their behavior, we will organize resistance to such Spams. After
 several years of work, we also established a white list, so to -- so as to
 request self-discipline and build up trust among relevant parties. In this
 March, we also determined the guidelines for service. Before our spams were
 increasing from the first quarter of this year, the end of the first quarter
 and the second quarter, spams decreased by 1.8%. And for the second quarter, a
 drop of 2%. I think this is quite good. And we, with the Australian authorities
 and KISA in Korea, we established the administration to combat spams. I hope in
 the future we can cooperate further internationally, because this matter of
 spam is an international matter. I think cooperation is vital in this area.
 Thank you.

 >>KEN CUKIER:  Thank you, Mr. Huang. Rikke, would you like to --

 >>RIKKE FRANK JORGENSEN:  Thank you. I would like us to also bring into this
 discussion a point that was raised from the audience earlier in the session,
 namely, that the threats come not only from criminals; they come also from the
 state, actually. And while we have -- we could set a government benchmark out
 of the themes from this forum and the business in general to develop the
 Internet as an open, secure, diverse, accessible space, at the same time, we
 have the strongest political pressure ever to expand surveillance all over. And
 in Europe, where I come from, we've had the debate over the last year on data
 retention, the systematic retaining of user data for the purpose of law
 enforcement, but not based on a concrete suspect. A general retention of data
 that might be nice to have at a later stage, where you might find a reason to
 persecute an individual. So, I mean, we have also a political dimension of
 this, where we have these systematic surveillance issues being implemented on
 many measures, on many levels, and with the participation of Internet service
 providers, not that they necessarily want to, but they are being mandated to,
 to participate. And I think we need to bring in this into the discussion also,
 although it's very difficult to address.

 >>KEN CUKIER:  Hmm. It gets to the issue -- it gets to the issue that the other
 gentleman had raised as well. He framed it in the question of who should be the
 trusted third party, the PKI.  And whether that role should be for industry or
 for government or for someone else. And it raises the question of what are the
 respective roles and how we can find a way to work together, particularly
 considering we don't actually have institutions where we can actually exchange
 these views. In the case of, for example, the Council of Europe, they may come
 up with a cybercrime convention. But in the case of industry, they may have
 problems with the way that is being worded. In the case of civil society
 groups, they may have a problem with the very nature of some of the things they
 are recommending. And there's less of a chance to make those things known.
 Christiaan, from your perspective, how do you see reconciling these issues of
 how we can collaborate together as different stakeholders?

 >>CHRISTIAAN VAN DER VALK:  I wanted to put it in the context specifically of
 the question on PKI certification authorities, because the issue of
 identification is, of course, very central to a lot of the things we're
 discussing here. How does one identify self, how can you identify someone else,
 whether that is a legal person, a natural person, or maybe an application or a
 machine on the Internet. All of these questions have been debated now in
 various forums and in various fora for at least the last ten years, possibly
 longer. And to answer the very specific question, can we leave the
 identification of these different entities to the private sector, my answer is,
 definitely yes. Even I would go further than that. We have to. And there is a
 simple reason for that. I mean, sometimes analogies are useful to explain
 things like, you know, public key certificate is like your passport on the
 Internet. Or an electronic signature is like the equivalent of a handwritten
 signature. These analogies, though, also tend to be sometimes a little bit
 tricky and sometimes even, I think, do damage to the reality of some of these
 matters. Interaction on the Internet is multifaceted, incredibly complex,
 impossible to define, and changing all the time. And all of these interactions
 are based on security credentials or identity in one form or another. And, yes,
 we would, of course, all benefit from a more standardized way of creating
 credentials and identities on the Internet, or validating them, of
 understanding them, and exchanging them between all of us. But because of all
 the different levels and because of all the complexity, it is impossible for a
 public authority to be the identifier of everything that transacts and is
 communicated over the Internet. This is something that has to be left to the
 various levels and the various types of entities themselves, and it needs to be
 worked out by the private sector. Obviously, within a regulatory framework.
 That regulatory framework has been put in place, I think, in various ways, both
 within the European Union and a number of other regions, but also within the
 U.N., there is another law on electronic signatures that was created by
 UNCITRAL already many, many years ago. I believe many of these frameworks today
 have to be revisited. And the way also in which people -- certification
 authorities and other issuers of credentials that are used on the Internet, the
 way in which they are used, many of these things have evolved tremendously. And
 I definitely believe that one of the things that the IGF might also look into
 is how -- the new way in which resources are identified on the Internet, how
 that works both legally and technically, but also, what is the overall
 regulatory framework. Because today, the framework that is in existence is
 definitely no longer up to the need from the marketplace.

 >>KEN CUKIER:  Thank you, Christiaan. Lamia, since you're running a certificate
 authority in Tunisia, maybe you have some views, also expand it and look more
 broadly at other ways in which we can reconcile the tension between the roles
 of different stakeholders and how we can find ways to collaborate. Thanks.

 >>LAMIA CHAFFAI:  Thank you. Well, there are various different models of
 hierarchies in terms of this. There is an open one where different public or
 private players can intervene. You've got a pyramid-shaped one. You've got a
 root, to give the case of Tunisia. And that can try and regulate the modus
 operandi to guarantee a certain level of confidence. Because we're talking
 about identity on the Internet. So there are economic stakes, transactions,
 legal issues involved as well. So, yes, there's an awful lot at stake. Are we
 going to have to give each player various different identities, for example,
 for ebanking they have one identity, egovernance, another one? There's also the
 cost issue as well. Could we allow one user to have various different means of
 authentication? Is it practical for them to have to present a different
 authentication each time? It's rather a complex issue. Are you going to have
 one single identifier? This comes back to the question of privacy as well. It's
 an issue which has been dealt with at international level at the current
 moment, and we're striving to find a consensus. Thank you.

 >>KEN CUKIER:  It's true it is a very difficult issue and one where, on one
 hand, it's going to be difficult to find consensus. On the other hand, I'm
 sensitive to what Christiaan said.  And it seems like the technology is moving
 so fast, that our attempts to define standards and rules become very, very
 thorny, indeed. Let me ask for three more questions from the audience and have
 our panelists respond to them, and then make some closing remarks. The first
 question comes from Juvenal Nshimiyimana from the African initiatives in

 >> JUVENAL NSHIMIYIMANA:  Thank you very much, indeed, for having given me the
 floor. I don't know whether this is a pertinent point, a pertinent question.
 Let's see. I'm not an Internet or an I.T. expert at all. But to get to my
 question now. We've been talking this afternoon about security, about
 broadband, is there enough of it in Africa or is it too expensive. You seem to
 be rushing ahead here. I'm not saying that what we're doing here is pointless.
 But if I may say so, I think we're rushing into this a little bit. You've got a
 large percentage of the world population not connected to the Internet, as we
 said yesterday. Now we've moved on to discussing security. So all these
 billions of people we were talking about yesterday are just left on the
 sideline are they? I was in a meeting in Geneva last week, talking about the
 environment. And somebody turned around and said, "Look, African countries are
 being forced to choose between dying at 23 years old of hunger, or dying of
 cancer at a later age. So the choice is clear." We are spending a lot of money
 in organizing meetings these days. For example, this type of meeting. You're
 planning another one for next year. And you are spending a lot -- you spent a
 lot of money in Tunisia as well, wasted a lot of money, if I can put it that
 way. But you're talking about broadband. You're saying it's possibly too
 expensive for poor countries. Couldn't we have put this money to better use in
 boosting the level of broadband?

 >>KEN CUKIER:  Thank you. I've got a -- we've got a second question. We have
 Mr. Hill, I think, from Geneva. Richard Hill from the ITU. Please.

 >>RICHARD HILL:  Thank you, Ken. Richard Hill here from the ITU, the
 International Telecommunication Union. Ken, coming back to your question about
 the overall coordination of the activities and reaching out, -- Can you hear

 >>KEN CUKIER:  Yep.

 >>RICHARD HILL:  -- and reaching out to the developing world, I had the
 impression that this was pretty much settled in the Tunis agreement itself,
 because if you look at the annex to the Tunis Agenda, you will see that the ITU
 is the overall facilitator for C5, building confidence, which includes
 security. And we have undertaken a number of actions. Some of them are in the
 CD that was handed out today. And my colleague, Alex, could you stand up,
 Alexandra Antoko (phonetic), from the development sector, is, in fact, leading
 the effort, which is done in partnership with a number of companies, including
 Cisco. Art Reilly is sitting over there in the corner. So there are activities
 going on. Some are summarized in the CD. The rest you can find on our Web site.
 I guess the question for the panelists, how do you see that effort fitting into
 other things that are going on. Thank you, Ken.

 >>KEN CUKIER:  Thank you. Let me invite Jean-Jacques Subrenat to -- please.
 Microphone here.

 >>JEAN-JACQUES SUBRENAT:  Thank you. Jean-Jacques Subrenat is my name. I'm a
 retired ambassador and a consultant nowadays. This afternoon, I've heard some
 very interesting analyses being made, well, it goes without saying, because
 we've got some real experts up there, all of whom are very -- in responsible
 positions in their own sectors. But I would like to give you my overall
 impression. Behind this expertise, nowadays, there is a little bit of timidness
 about the way we -- the tones we use to couch our ideas in. Now, we're meeting
 under the aegis of the United Nations Secretary-General, Kofi Annan, today,
 Nobel prize winners.  And this means that we bear a high level of
 responsibility. We should bear that in mind. Our Greek hosts as well, I think,
 would like us to remember this inaugural IGF here in Athens, in Vouliagmeni,
 and remember it as something which wasn't just a high-level exchange of views
 at an academic university level, but, rather, I think what we should be
 thinking about is what is the actual added value of this first IGF conference.
 Look at the title. It includes the word "governance." This means that it should
 be a meeting point, a crossroads for concerns coming from the users, the
 private sector, the governments, international organizations, and so on and so
 forth. What I would now like to hear -- and we've got precisely half an hour
 left, Mr. Moderator -- as I was saying, what I would like to hear now are
 proposals which you, as moderator, could then broadcast out to the Internet
 community in general, and possibly, more particularly, to the organizers of
 this conference. Now, these recommendations may or may not be taken on board.
 That will be down to governments and other decision-taking participants
 finally. But I would like to make these proposals at least on two levels: 
 Security amongst individual users, what ideas can you draw out of this debate,
 what would the ideas be that the members of the panel would like to repeat
 before 6:00. And then at international level, what are the best practices, the
 benchmarks which the various members of the panel would like to see transmitted
 to the organizers and people who are responsible for decision-taking? Richard
 Simpson put forward various ideas just now. And I think that that calls on
 governments to establish these benchmarks, these references. That is a very
 important task. So let me repeat my question:  What is the added value from
 this conference? Thank you.

 >>KEN CUKIER:  Before I ask the final question, this one from the Internet, let
 me give a -- let me amplify what the ambassador has challenged us to do and ask
 all of the members of the panel to try to think of one con- -- one thing that
 they've learned from this panel, something new that they thought was
 interesting that they can explore beyond this panel, and if they have one
 concrete recommendation or proposition that they'd like to put forward, either
 for their institution, their stakeholder, their group, or for another one, or
 just in general that needs to be done. It might be the same thing, but it might
 be different. So do think about that. What have we learned? And is there
 anything tangible that we can take beyond this particular setting that we can
 try to institute in practice? While you're thinking about that, I invite the
 comment from the Internet.

 >> Thanks very much. We've actually got two now, because another one came in
 after I raised my hand. But one of them is from the chat room, as before. And
 I'll perhaps relay that one first. It's Michael Nelson again, who says, what's
 the nightmare scenario? Do you worry that there could be a catastrophic
 security problem that would cause most Internet users to stop using the net?
 And we also have one that's come in by e-mail to the e-mail address
 comments@IGF2006.info from Mel Burns. It's quite short. He says, watching the
 security panel currently in progress, I'm interested in the panel's thoughts
 about the possibility that Internet users should eventually be required to take
 a form of virtual driving test, something that could be a requirement for
 future generations by the educational system. Since users could be located by
 their I.P. address, surely penalties for misuse could be issued in the same
 manner as they are for motor vehicle drivers. It should of course be some
 international code of conduct rather than nation-based. And I suppose that that
 raises, again, the issue that Allison brought up earlier, that we haven't
 gotten back to yet, about how most Internet users nowadays are treating
 computers like white boards rather than complex technical devices that they

 >>KEN CUKIER:  That's true, although we don't have a driver's license to use
 our toaster in the morning. Would we want to do that for our PC if it becomes
 ubiquitous? Both of those questions were very, very good. Before I force you to
 reveal your hand in terms of what you think the future should look like -- and
 what I will do is go down one by one -- let me see if we can take a look at
 those two issues. One is the nightmare scenario. And the second one is, should
 we -- how do we reconcile the fact that as information technology becomes so
 ubiquitous, that security is going to become even trickier? Should there be
 a driver's license for it? Does anyone have an idea of the nightmare scenario
 for information technology and how vulnerable we are? David, please.

 >>DAVID BELANGER:  Well, I can give you one, and I suppose there are quite a
 few of them. It turns out that most national infrastructures -- water,
 electricity, nearly everything else -- is based on networking. Right now
 they're probably based on more classical networks, which are far more closed,
 in the main. But since nearly all communications networks are moving to I.P.
 over time, I think that we will have to be extraordinarily careful in trying to
 create nearly bullet-proof networks for the large national infrastructures.

 >>KEN CUKIER:  Does anyone else have an idea of what the nightmare might be for
 information security? And how vulnerable we are? Andrew, please.

 >>ANDREW MAURER:  I think the more practical thing is that transactions won't
 be trusted across the Net, so that the Net would actually fragment, so that
 people could create their own small network of trusted users and trusted
 providers. And I think that's probably in some ways a more near-term or more
 realistic threat to the Net with the various security threats that are out

 >>KEN CUKIER:  What about the idea of a driver's license? Should we enforce
 some sort of requirement on users to be conscious of how they interact on the
 Internet? Sure, Henrik.

 >>HENRIK KASPERSEN:  My answer to that would be no. The driver's license
 discussion is a very old one. I remember that from 25 years ago. Actually, why
 would you like to achieve that? You have to be sure that somebody is, indeed, a
 user. You would have to take such, let's say, severe measures that we are
 really endangering the privacy of the persons. That's the same for society. We
 walk around a lot of the streets. There is no need to put a sign on our hat who
 we are exactly. We may have been asked who we are to identify ourselves, if
 necessary in certain situations. And I would say there must be a balance
 between is it really necessary to know at all times who is doing something or
 is it only necessary if something is -- somebody is doing something wrong. And
 I think that balance is still there that we do not need, for the time being
 now, clear identification at all times of a person who is active on the Net.

 >>KEN CUKIER:  Good. Let me ask first Gus and then David. Gus.

 >>GUS HOSEIN:  I just find it odd that throughout all of our statements today
 and throughout all of the statements generated, when we talk about users, we
 automatically assume that they're absolute idiots. Isn't that odd, that all
 these years later, despite all that talk about empowerment, we still presume
 that users are idiots? I think that, honestly, if we left it in the hands of
 the users, if you gave them the ability to decide over what transactions are
 permitted within their computer and what goes out and so on and so forth, they
 might very well make the right decisions. But we have always treated them like
 idiots. And we have given them stupid things to do, like, for example, one of
 the possible reasons why we have phishing is that at some point in time,
 somebody made the dumb idea that HTML messages was a good idea. And that's why
 we have users making mistakes, because they're being sent HTML messages saying,
 click here, log into your bank, so on and so forth. Honestly, if we let
 consumers be smart and not want flashing e-mails and all of that, they might
 actually make the right decisions for themselves.

 >>KEN CUKIER:  Gus, what about in a world in which we don't have one person
 with one Internet connection, but that we have Internet connections in about 50
 to 150 different devices that we carry with us that are in our car, that are in
 our home, where people who are using the Internet without even realizing that
 it's connecting over the Internet, how do we accommodate a world like that? How
 do we accommodate a world in which the people who might be using it actually do
 have really low skill sets, if you think my grandmother is bad on the Internet,
 you know, you can imagine that, countries that are just developing literacy and
 living standards in Africa and Asia are going to have also a difficult time in
 having to accommodate the Windows browser. What do we do about that?

 >>GUS HOSEIN:  I think there are a lot of grandmothers out there that we keep
 on using in our stories. I feel really bad for any grandmother out there who
 knows how to use the Internet. I think we're discriminating unfairly against
 grandmothers. I think there's a lot of practical solutions that can be offered.
 But I want to take the high-level approach for a change, for me, which is,
 users should be at the center. They should be in control. They shouldn't be
 using a device and not realizing it's not connected to the Internet.

 >>KEN CUKIER:  That's just not realistic anymore. If the Internet is going to
 grow to accommodate not just one billion, but six billion people, you can't
 just say users have to decide how -- you just have to be in control.

 >>GUS HOSEIN:  They should be let known. I don't want my mobile phone to be on
 the Internet unless I tell it to go on the Internet. Otherwise, I'm paying for
 it unnecessarily, so on and so forth.

 >>KEN CUKIER:  In 15 years, that's like saying I don't want my camera to have a
 microchip on it.

 >>GUS HOSEIN:  I want to know when it is. I want my camera to be linked to the
 Internet when I want to put up photos, when I want to do it. I don't want it to
 be ubiquitous and constant. I want to flip the switch on and off. Most people,
 if given the choice, I think want to be empowered. They don't want to have it
 always on. That's just a guess, but I'm an idiot who presumes that people
 aren't idiots.

 >>KEN CUKIER:  Well, there you have it. Mr. Huang, please.

 >>CHENGQING HUANG:  In my opinion, the nightmare of Net security will be in two
 forms:  Firstly, the lax infrastructure for Internet security, when online, the
 user's information might be stolen or falsified. As a result, net users will be
 afraid of going online. So this would be a nightmare that would affect the use
 of network. Another nightmare is the excessive popularization. It's like an
 idea of house which has been locked with many padlocks. As a result, nobody can
 enter. So we have to find a balance between security and convenience. We should
 make it easier for users to go online and to ensure their security. Such a
 balance should be achieved through technical means on the one hand. This is a
 necessary condition we need to provide antivirus software, firewall, et cetera.
 On the other hand, Internet is a global network. Once attacked by virus, it
 will affect not only an individual machine, but the entire network. So we have
 to have a kind of a mechanism for coordinating emergency response. Without such
 a mechanism, such a problem, it will be difficult to handle. So the mechanism
 for coordinating responsibility will provide full condition for security. Thank

 >>KEN CUKIER:  Rikke, and then Mr. Kremer.

 >>RIKKE FRANK JORGENSEN:  To add to the list of worst scenarios, mine goes to a
 situation where we build and design in civilian structures in our societies
 that will take years to roll back again and which results in a situation where
 it's the citizen, the individual, that becomes the transparent party, rather
 than the state.

 >>KEN CUKIER:  Interesting. Okay.

 >>ARCADY KREMER:  I would also like to answer this question on how we can
 coordinate our efforts to guarantee a secure Net. We should see how we could
 implement the decisions taken by various summits. The ITU has been asked to
 coordinate this work, and we are following three directions. First of all,
 finding the methodology which would help us at the regional level to give a
 national solution in order to guarantee security, which means to have a basic
 principle which will be adapted to the concrete conditions in each country. The
 second direction is how to harmonize the work undertaken to guarantee that the
 legislation prepared will be coherent. Because there is no one institution
 which could offer a solution to all aspects. I think that what's being
 discussed here will be taken into account at the ITU level. And the third
 direction -- perhaps this is the most important one -- is to find a way to
 exchange best practices, comments, and find the equipment which will allow for
 rapid reaction and an adequate reaction to all kinds of threats. I think here,
 we should create an inventory where we will be offering solutions. There is an
 information portal at the ITU which does offer such information. And I think
 that everything that's been heard here today is extremely important, and it
 should be followed through in the future. I think that we look at the Internet
 and think that it's a kind of virtual world where we have virtual users. No,
 these are real people. And we have to guarantee a secure environment for them,
 because we don't want to limit the uses of the Internet because of security

 >>KEN CUKIER:  What I'd like to do is ask for one last question from the
 audience. That is Izumi Aizu. Izumi, are you there?

 >>IZUMI AIZU:  Thank you, but I thought you said final three questions, and I
 thought it's gone. But, anyway --

 >>KEN CUKIER:  It's the role of -- the prerogative of the moderator to change
 the rules midway through the game.

 >>IZUMI AIZU:  Thanks a lot. As a global citizen or global citizen viewpoint,
 and think in ten years' time or 20, perhaps, although this IGF will only
 continue five years, but we are given the mandate to be as innovative or
 creative as those who invented the Net, who sort of (inaudible), as I said
 yesterday as well, there's no -- the TCP/IP has no national border, unlike the
 telephone numbers; right? That's the difference. So to reflect that, as well as
 some other older communications and movement of the people, information, money,
 don't you think that we need to think more creatively, that some parts of --
 not all -- national sovereignty be given more limitation or some, you know,
 less boundaries, or change some boundaries down the road? I say this in two
 ways. One is that when the E.U. was created, they put first, second, and third
 pillar. And you put some of the, you know, common areas, such as economic
 activities of marketplace, gradually, right, after taking all the lessons from
 the world -- they killed each other -- and you achieved the common currency. 
 Although some countries, we don't have them, even in Europe. But we have a very
 interesting idea of having one side of a coin very much common; the other side
 in each country still has its own national identities. Likewise, if you come to
 the Olympics, we still see all the national competitions, but very peacefully,
 taking the lessons from the Olympic Games, where most police stopped cease
 fires. So I'm not just saying in abstract theory. But in the age of global
 citizens, how many people have the opportunity to talk to the other nationals
 for their lifetime, and you compare that with 50 years ago, 100 years ago,
 where the sovereignties concept was established. So 20 years from now, or 50
 years from now, I think we need to really redefine the national sovereignties,
 especially in the law enforcement, where we're talking about security and the
 privacy or human rights. Then I think we will have more common, I think, sort
 of goal or direction to which we need to come up with really pragmatic,
 implementable solutions. If you have any comment, I will appreciate that. 
 Thank you.

 >>KEN CUKIER:  Thank you. Let me take up what Izumi has said, his challenge to
 us to understand a vision of the sort of society we want to create and how the
 Internet plays a role in terms of its security in 20 to 50 years. The idea of
 national sovereignty, of course, is one issue.  We don't have institutions with
 which to drive forward some of our visions. But if that is the target that's
 far ahead of us, let me put it out there but maybe concentrate your focus a
 little bit more closely and the immediate space so we can figure out a way to
 get from here to there.  I asked you earlier to take up the challenge by
 Ambassador Subrenat about either what we have learned or a proposition that we
 can drive forward.  The IGF, obviously, is the beginning of something. 
 Yesterday I actually said it wasn't the beginning of something.  I said we were
 mid process.  But clearly if we are in mid process, we are in the start of that
 middle process. Let me mention first that we don't have a lot of time.  So we
 need about maybe 30 seconds, 60 seconds maximum from you and what you think is
 the most critical thing that you have learned and that you want to perhaps
 advance forward, and whether the IGF can be a mechanism to advance that
 forward. I'll start with the thing that I have learned the most.  I thought the
 idea, maybe it was Frederico's, it's his point so maybe I am stealing his
 thunder.  But the idea of taking the CERT, the computer emergency response
 teams that we have seen in the U.S. that exist in other countries, and
 expanding that out to other nations, trying to build that through capacity
 building and trying to forge links among them might be a way in which industry
 self-regulatory mechanisms can go forward, can get the blanket of antitrust
 immunity from government, so there is a role for the public sector as well. 
 And therefore, we can see that better information security practices happen
 globally, not just nationally, through the coordinating role of government but
 through the activities of industry. That's one thing that maybe the Internet
 Governance Forum can take up and can be advanced through this mechanism. That's
 mine. I'm going to go down the list.  Those at the end, like Christiaan, have
 time to think longer.  David, you don't.  Please start.

 >>DAVID BELANGER:  Okay.  I think what I took away from this most dominantly,
 and this will rephrase it a bit, is that information has actually become the
 good which we share in an economic sense as well as a social sense around the
 world.  And actually, a little bit to my surprise, there was a discussion of
 regionalizing the net, for instance, when what I see is many companies who are
 global who have an absolute necessity for this net to look like it's one flat

 >>LAMIA CHAFFAI:  There are two points that I would like to stress and which
 came up in this discussion.  Security, and elaborating a strategy at the
 national level.  And I'm thinking particularly of developing countries, because
 they have to take into account the security issue whilst preparing their
 strategies. There are various pillars which we have taken into account in
 Tunisia, and there is also awareness, partnership with the private sector, the
 citizens, and also international cooperation, harmonization of the legal
 framework. The second pillar, which is cooperation for development and which is
 absolutely vital, this perhaps could help us create an exchange platform in
 order to better cooperate in the future.

 >>KEN CUKIER:  Ilias.  Please.

 >> ILIAS CHANTZOS:  This is my first IGF event.

 >>KEN CUKIER:  It's all of our first IGF event.

 >> ILIAS CHANTZOS:  Well, let me put it that way.  And it's also, if you like,
 that I am attending from the point of the WSIS process, if you like, that
 started. So in that regard, I think that to hear the different -- the diverse
 views and the diverse cultures and the different points of view and
 perspectives of the different people is something, if you like, expected. On
 the other hand, I think that we come to the point where we all agree that
 security is important, information and identity, privacy of individuals or, if
 you like, parts of the currency of the modern digital lifestyle which we are
 living in and in that respect need to be protected. So I guess what I am taking
 from this event is the need, the importance for the private sector to be
 engaged.  Certainly for the (inaudible) security industry to be engaged, and I
 think that's what I would like to bring back to my colleagues. And obviously to
 thank the United Nations for the opportunity to be here today. And the Greek
 government for hosting this.

 >>KEN CUKIER:  Chengqing Huang from CERT in China.

 >>CHENGQING HUANG:  I think the contribution from the forum is that here,
 through our discussion, we can inspire more ideas.  Maybe we do not have a lot
 of conclusions in the short run, but we have brainstorming.  And it will be
 conducive for further development of Internet in the future. For instance,
 today, we discussed the issue of security, which is very inspiring for me. 
 That is, security, whether it's an issue of public service for the government. 
 I think this is an issue that merits serious consideration. Internet security
 is a complex matter, and we need such discussion.  Through our discussion and
 exchange of views, we can form good ideas and, in the future, we can further
 promote security for a global network.  And maybe as the moderator pointed out,
 organizations as CERT, whether they can effectively facilitate mechanisms for
 emergency response, such ideas are important.  I think the forum can play a
 part in this area.  Thank you.

 >>KEN CUKIER:  Thank you very much. Gus.

 >>GUS HOSEIN:  I'm excited by all the confusion.  That's what I'm taking away
 from this.  I am excited by the fact that we still don't know the role of
 government.  We still don't know the role of industry.  We still don't quite
 know what international cooperation should be like.  And we still have a very
 limited idea of what users are. I think that's exciting to be in a field where
 after all these years we're still so confused. As for the thing IGF can take
 forward and we can take forward, I really think we should build on Mike
 Nelson's idea of a form of -- I wouldn't say standardization but principles of
 authentication, principles of identification, bring together the existing
 knowledge and see where we go with that. I think it's a perfect nexus of
 privacy, security, identity, policy.  I think it's everything, everything the
 IGF should be looking at.

 >>KEN CUKIER:  Interesting. Rikke.

 >>RIKKE FRANK JORGENSEN:  I noted two things.  The first is the link between
 security and development.  As much as we wanted to address it today, I take
 away that we are still rather weak when we talk about this link and what it
 actually means and how security plays into the development agenda.  That's one
 point. The second point is that I think this is a very interesting way to do
 follow up to U.N. summits compared to the classical model. I actually much
 prefer this one.  But then it's also important that it builds into something
 concrete that the IGF can carry forward. And here what I would like to see
 would be a multi-party, a multistakeholder task force on security and privacy.
 Privacy is not very dominant in the action line, in the action plan.  And I
 would very much like to have the privacy issue raised on the security agenda.

 >>KEN CUKIER:  Okay.  Let me ask you about that.  Do you think that it's
 appropriate for the Internet Governance Forum to make this a subsidiary body?

 >>RIKKE FRANK JORGENSEN:  I think the added value of the IGF is that it
 actually brings together different parties that are not brought together in
 other fora. So if we can leverage some knowledge here that we can then play
 into other decision-making organs, then I think it is an important role, yes.

 >>KEN CUKIER:  Interesting. Henrik, please.

 >>HENRIK KASPERSEN:  I would like to support another idea because I think it's
 extremely important by -- when developing security measures that you take into
 account what impact those measures have or may have on other interests, like
 the privacy interests. As to the form, I made the distinction between, let's
 say, network security and user security, if I may phrase it this way. I think I
 should recommend not to take it all on the card at the same time.  Maybe first
 concentrate on network information security, rather than on the other issue.
 And then I support the ideas put forward as to the form.  I would recommend
 maybe a recommendation can be made in the end to this extent, which will surely
 be debated the last day, what is the right format was to bring this out.
 Further, my particular area of interest, of course I call to all state
 representatives present in the room to consider accession to the Council of
 Europe cyber crime convention, or at least use the convention as a model for
 their own domestic purposes, to copy things that have been invented by all of
 us, can be easily applied by themselves in their domestic legislation. By the
 way, abusing this moment, when there are questions about the convention, I'm
 available after this session. Thank you very much.

 >>KEN CUKIER:  Thank you. I'm going to pass over for the moment our chairman,
 secretary Tsoukalas, and ask Arkady Kremer, please.

 >>ARKADY KREMER:  I think that today's discussion is very useful and very
 interesting.  And we could comment on the name of this forum, which is the
 Internet Governance Forum.  Then I think that full governance security is
 vital. I think that we can't guarantee security on a voluntary base, especially
 when we are talking about a network as big as the Internet. I think we should
 make efforts, because there will be many attacks.  So I believe that the
 state's role will increase in the future, especially when attempting to
 guarantee security on the net. Today, we saw various examples.  It's very
 difficult to regulate technology.  It's very difficult to regulate the
 relations between users and the links. But from today's discussion, I think
 that we heard the ideas expressed by other participants, and they were very
 interesting.  And they have given us food for thought to those who are experts
 in this field and whose job it is to regulate. I think what we heard here today
 should be used as a stimulus to mutually guarantee security on the net.  Thank

 >>KEN CUKIER:  Thank you, Mr. Kremer. Andrew.

 >>ANDREW MAURER:  Not a very strategic thought.  It just interested me that in
 this room of experts and interested people, we have got two, maybe three
 infected PCs that are broadcasting they are a free Internet cafe out across the
 airwaves.  And the people that have those computers, should really install
 something to try to protect yourself because someone is trying to steal your
 money or your personal information and damage other computers. I think that's
 probably a message for everyone in this multistakeholder group. You can educate
 the people within your constituency about the threats that are out there and
 the tools that can be used to protect themselves. Private sector, at least, or
 the technical providers can perhaps develop tools that are a bit easier and
 simpler to use.  And all of this can operate across the various borders of
 countries to share information, to target those threats, and perhaps to enforce
 laws against the bad actors.

 >>KEN CUKIER:  Malcolm.

 >>MALCOLM HARBOUR:  Well, I think it's reinforced very much the point I made at
 the beginning about the fact that this is a shared responsibility that goes
 right to the heart of the whole of what we are talking about. I was interested
 in the point that Gus was making about confusion.  All I can say is if we're
 confused, then hopefully criminals are as well. But that's perhaps a slightly
 trivial point. But in terms of practical ways forward, it seems to me that
 there have been so many examples of best practice in other areas that that's
 something I think this forum perhaps needs to try and pull together in some sort
 of source material, source book. I think that we learned a bit about the ITU
 work, which I thought ought to be brought into this, and maybe they can report
 back on future occasions.  And like all good politicians, I never let a good
 idea drop.  I want to come back to my idea of actually having some visibility
 or setting up some awards in key areas, like, for example, educating the public
 in some way, educating users, small businesses, government initiatives, and,
 for example, maybe a future candidate and I was very pleased to learn about
 what was going on in Denmark that Rikke had talked about.  I would certainly
 like to hear more about that because that's something we should be certainly
 looking at certainly perhaps for the European-wide application or it could go

 >>KEN CUKIER:  Terayasu.

 >>TERAYASU MURAKAMI:  At the beginning of the session, I mentioned the
 importance of the more attention to the victimizers than the victims. Well, I
 think IGF also should have that position.  And, for instance, with the
 international cooperation, whether we can enhance the sort of traceability of
 the victimizers within the unanimous Internet communities.  In this respect, for
 instance, we'll enhance the power of WHOIS system by proper
 restoration of the contact information, as one idea to do that.

 >>KEN CUKIER:  Frederico.

 >>FREDERICO NEVES:  I will stick to my point that I think the role that
 governments could play because of the IGF is on education.  And so in this
 sense, they could collaborate between -- among governments and to get best
 practices or the best material to basic users.  Because of the simple fact that
 independent of the way the threats spread to users, in the end, most of the
 problems that face end users are based on social engineering. So this is
 something that basic training could resolve. So we stick with education of end

 >>KEN CUKIER:  Okay.  Thank you. Richard.

 >>RICHARD SIMPSON:  Thank you.  Well, in terms of what I learned from the
 discussion we have heard, I notice that our concern with authentication and
 identity management is shared with others in the room and it's very
 encouraging.  But it's also part of what I would propose the ongoing role of
 the IGF might be. I mentioned earlier the idea of and the need for setting
 benchmarks, goals, targets, whatever you call them, which the international
 community can work toward, including the private sector as well as governments.
 Well, the flip side of benchmarks is also reporting on progress.  And because
 the IGF is set up as, for the moment, at least, as a regular opportunity to
 meet and discuss these issues, it's a -- it could be a very important vehicle
 for not only setting those goals but also reporting on a regular basis on how
 well we are achieving them. And I think that's important for governments and
 industry alike. So I would say that that may be something we can incorporate in
 the ongoing organization and format of this event.  And some of the things we
 discussed in this panel on security could be good candidates for things to come
 back to in a year's time and to see from some of these groups we have
 mentioned, Council of Europe, OECD, MAAWG as a private sector group, how much
 you have accomplished.

 >>KEN CUKIER:  What penalties would you impose if it did not accomplish much,
 if it got worse?

 >>RICHARD SIMPSON:  Well, we would pick some very insalubrious part of the
 world and force them to meet there next time.

 >>KEN CUKIER:  I have the perfect penalty.  Make them a moderator to stand up
 for three hours and talk to such wonderful, wonderful panelists. Christiaan,
 what have you learned?

 >>CHRISTIAAN VAN DER VALK:  My take-away bit of a personal remark, and those
 who know me, I am a bit of a conference skeptic, and having been in so many
 conferences in my life, that by now I certainly find years ago I had the feeling
 that everything that could possibly be said about the Internet had already been
 said.  And usually in some form of confusion, and we weren't making much
 progress.  And I expressed that view even to some of you again this morning
 when I walked in here. But I actually think that after this session I am a
 little bit more optimistic.  And I think progress has been made. One of the
 things that struck me is whereas, obviously, this is a very rich and diverse
 topic, it does seem that we have a common vocabulary today, and that we
 certainly didn't have five or ten years ago.  We all know what we are talking
 about.  We know what the issues are.  There might be slight differences of
 opinion but we certainly, I think, have a common ground in terms of how we
 refer to the topics.  And I think that this is definitely a very important
 piece of progress because it lays a foundation for us actually addressing the
 issues. So that's one take-away that I have. My very concrete recommendation,
 to take up the challenge from the Ambassador, one of the things that struck me
 was the IGF could potentially play a role in helping governments face the
 challenge of how regulation ought to work or how to regulate in the Internet
 age. I think that we in the private sector very often, very easily criticize
 legislation, and I have done so myself now in the past three hours a few times
 as well. But, of course, creating legislation, regulating is a tremendously
 difficult task and has many, many different dimensions. I certainly believe
 that the process of legislation and the way it works and the way it is done
 today in the age of Internet and all of the added dimensions that the Internet
 brings to this process should, I think, be the subject of perhaps a session at
 the next IGF conference or perhaps even a work group amongst governments so
 that they can learn from each other and also hopefully from the private sector
 in terms of how do we deal with all of these issues in terms of legislation.

 >>KEN CUKIER:  Thank you, Christiaan. Hearing all of you express what you felt
 to be what you have learned has come up with a thought to me.  I think to
 close, before I hand it over first to Markus and then to the chairman, I'd
 say that it is rather amazing that right now, in the room, there's two
 networks, one that's called free Internet access, the other called free public
 Wi-Fi, that is basically splaying itself and offering it to all of us that --
 for us to use that is basically a mechanism by which they can actually steal
 our personal information and do malicious things to our own computers. It
 strikes me that that's a very powerful example that there are problems that
 need to be addressed. In economics, we call that an agency problem.  Why an
 agency, meaning a problem of who does what, who pays for what.  And the reason
 why is because the person who is harmed and the person who can take action to
 prevent the harm may be two different people; right? You connect to the
 malicious -- what you think is a Wi-Fi spot where it is connecting it and then
 sending it off to some godforsaken country, and the person with the infected
 people are two different people.  And the person who has the infected PC
 doesn't know he is infected.  And industry, the market may not be able to kick
 in because the person who is affected is running the botnet, he may not be
 suffering any damages and he may not even know he has this infection in his PC.
 So it strikes me maybe there is a mechanism, as Andrew said, where we can
 create an award ceremony or government can fund a venture capitalist and kick
 it in or national science foundations of some sort to investigate this and go
 into it and try to find a way to fix it because, essentially, it's an area
 where there is an economic problem. But from Terayasu what I learned is that,
 in fact, we have the mechanisms to actually prevent some of these things.  We
 are just not doing it.  And there we have another role for lots of stakeholders
 to do it. In the case of government, it's been remiss.  We know that we can
 find spammers or people who do very malicious things.  If someone tries to
 break into the Pentagon or sends spam such as the Melissa or "I love you"
 virus, we were able to track that down.  It just cost money. However, here the
 government hasn't been using its deterrent power by locating people and
 bringing them to justice. But it seems there are a lot of roles for lots of
 different stakeholders to play. With that, allow me to in five minutes, the
 interpreter is gone. So Markus only has one minute and then I bring it back to
 the chairman to finish.

 >>SECRETARY KUMMER:  Thank you, Ken. Just to remind the audience that starting
 from tomorrow at 9:00, we start the day with a summing-up session. That will be
 brief reports from today's sessions basically aimed at those who were not able
 to be in the main session hall, those who attended the workshop, so that they
 get the flavor of what you are discussing today. And another half hour will be
 an open mike session which would allow the audience to comment on what they
 heard today either in the main session or in the various workshops. The second
 announcement, the panelists of tomorrow's diversity panel, again, are
 requested, kindly requested to gather at the Aphrodite A room to prepare with
 the moderator.

 >>KEN CUKIER:  Mr. Chairman, I invite you to bring our event to the close.

 >>CHAIRMAN TSOUKALAS:  I have been listening very carefully to the discussion
 here this afternoon. And I found it very interesting. We talked about a wide
 range of subjects. And it was cost, availability, security, confidentiality,
 privacy, legal protection, cybercrime, cooperation, victims and abusers,
 economic issues, contradictory legal frameworks, and such. All these confirm
 that if a classical scientist was examining the Internet, he would have called
 it a cosmological, primordial soup. So I think that we should be very careful
 when creating the founding principles. And this was discussed here today. So I
 would like to, in turn, praise the WSIS and its key address and also this
 forum, because I've been an academic for most of my life. And many times, I've
 had to do battle with the vacuity of terminology when we're teaching. And I
 think the time has come to give true meaning to these words. This is offered
 both by the Tunis Agenda and by this forum. And I think both have been
 extremely useful. I'm a lot more optimistic. I'm more of an optimist than you
 experts, because I think that adaptable systems can find adequate solutions,
 and man is an adaptable system. And I also am a firm believer in Greek
 mythology. The God of necessity rules the world. The Internet is here to stay.
 So I am convinced that we will find the right solutions which will allow
 humanity to use everything it has acquired. We should thank the panel for its
 excellent work and contributions. But we should also thank the public, which
 has followed with great patience this very long debate. And also we should
 thank the very intelligent way the moderator moderated this discussion, and
 also the interpreters, who allowed us to communicate. So I would like to thank
 you all. And the meeting has come to a close. [ Applause ]