The IGF Main Session on Cybersecurity, Trust and Privacy brought together a mixed panel of private, public and government sector representatives. As a result, the commentary and responses provided by the panellists reflected their diverse backgrounds, with viewpoints that were at times conflicting and that generated discussion among presenters and from audience members alike. However, the central point of agreement that was echoed in various forms by the panellists is that with all of the challenges posed by cybersecurity and privacy practices, the most effective way to move forward is to employ a multistakeholder approach. As became clear throughout the presentations, this term appears to mean different things to different sectors, and not all stakeholder input was viewed equally.
Taking an openly state-centric approach, David Martinon, the French government’s Ambassador for Cyberdiplomacy and the Digital Economy, described the work of the Group of Government Experts (GGE), active since 2009, a group that comes together to examine various issues on cybersecurity. By setting clear timelines, he said, they have been able to come up with some interesting outcomes. In the words of Martinon, “We didn't come up with new rules or new norms, but we did work on establishing certain voluntary behavioural standards for states, and for that it has been very successful.”
How these experts were chosen was not clear, nor was it evident whose interests they represent beyond those of the governments. Instead the focus of the statements was on rampant proliferation of cybersecurity threats, with references made to hackbacks, malevolent tools, destabilisation and vulnerability, among others.
These statements in fact prompted an audience member to express concern about whether “all this talk of danger, danger, danger isn't scaring us into the arms of the government, so that we then need the government to 'save' us, and that this is actually curtailing internet freedom?”
The response from the French government was one of surprise at the level of distrust among civil society, though the follow-up did little to abate the concern over fear-mongering expressed by the audience member. Specifically, Martinon stated that “no one has died from a cyber war, yet... but there will be deaths in the future. When that day comes, the French citizens will not turn to Orange [national service provider] and ask them to show responsibility; they will turn to the government and will ask us what happened. They will hold us to account.”
Also representing government interests, this time in China (a country well known for its repressive policies on internet access), Long Zhou, coordinator of Cyber Affairs in the Ministry of Foreign Affairs of China, was even more direct on what he sees as the role of government, saying, “We must have rules; without a rules-based system, there can be no peace, trust or stability on the internet.”
Adding to this, Martinon stressed a need for interstate cooperation, and inclusion of other stakeholders, with a particular focus on the private sector. According to him, “The French government doesn't want to see privatisation of law and order; it wants the states to retain the monopoly on maintaining public order in cyberspace.” Indeed this raises the question: even with public/private sector cooperation, what space does this leave for civil society?
Mallory Knodel, head of digital at ARTICLE 19, which works to defend freedom of expression and information, attempted to steer the discussion toward the broad public by saying that “there is a lot of focus in cybersecurity on conflict, and there are other sorts of digital rights issues that are not included in cybersecurity that maybe should be... The risk to infrastructure is often put at the centre, but it really is people: the reason we care is because people are at risk.”
Christoph Steck, director of Public Policy and Internet at Telefónica, one of the largest private telecommunications companies in the world, weighed in with another angle, representing the interests of the private sector. Using impressive statistics, he indicated that “80% of critical infrastructure in the world is owned by the private sector. Government has a huge role to play, but business does as well.” Unsurprisingly, civil society once again did not feature in this partnership.
Anahiby Becerril, researcher at the Public Centre for Research and Innovation in Information Technology in Mexico, tried to present a more inclusive approach, saying that “another way that companies may participate is sharing information when an incident occurs; however, many companies don't share such information, and it is important to see all the different stakeholders and understand that what we are after is common objectives.”
Indeed, Mexico appears to be taking a more progressive approach in cybersecurity, employing a strategy based on three principles, as Becerril noted, namely, human rights, a risk-based approach and multidisciplinary multistakeholder cooperation. She stated that “government acts as coordinator but all parties have the opportunity to speak and be involved.”
Interestingly, Seth Bouvier, senior advisor for cyber policy at the US Department of State, attempted to take a somewhat more balanced approach than the other state representatives, noting both the potential benefits of the internet and the value of multistakeholderism. However, his message was not without a degree of caution: he stated that the goal of the United States was to prevent state conflict, and prevent offline conflict from spilling over into the online world. The focus once again was on government strategy to, in his words, “advance in open, interoperable and secure cyberspace.”
Once again trying to put a more direct spotlight on people as being those most at risk and most impacted by issues of cybersecurity, Ashnah Kalemera, programme officer for the Collaboration on International ICT Policy in East and Southern Africa (CIPESA), pointed out that “the threats are real and they undermine privacy and trust and security and the use of the internet. The challenge is the use of cybercrime legislation to then curtail freedom of expression and privacy, among other rights.” Specifically, she noted that one of the biggest challenges for African states is the lack of consultation on participatory policy development.
With so many diverse and sometimes disparate approaches, an important point was raised by Knodel, who noted that despite the theme of this year’s IGF (“Internet of Trust”) and the name of the panel (“Cybersecurity, Trust and Privacy”), there had not yet been discussion about the key issue of “trust”. She made the astute observation that “if there is all this fear, uncertainty and doubt that forces all these conversations into one about cybersecurity, then it is really counter to the idea that we have to build trust.”
Consensus on how to achieve this, however, seemed out of reach for the representatives of the different sectors. While multistakeholder models were generally seen to be desirable across the panel, the government and private sector seemed to be most successful at developing trust between them, according to Knodel, but this can often lead to unfortunate outcomes for people. Indeed, civil society tends to bear the brunt of ineffective policies established by more powerful or better financed stakeholders, and that is a paradigm that needs to shift entirely before questions of cybersecurity can be effectively addressed.
Instead, corporate and government sectors tend to be more absorbed by protecting their own interests, as was made clear in this session. As Knodel noted, “In most cybercrime legislation I've read, a lot of cybersecurity strategies, if people are mentioned at all, they are often mentioned as the problem, either through malice, hackers or through incompetence... instead of flipping that around, talking about people as the ones we need to protect.”
A complete video of the session can be found here.