You are connected to event: CFI-RPC3 Intertwining of IXIXPs and CDDNs 9:00 am - 10:30 am . . WS47: Content delivery alternatives... intertwining IXPs and CDNs. >> Check one two three. One two three check. Testing mic. Testing mic. Perfect. It's on the screen. I think we are ready to begin. [ Great test! Thank you ]. WS47: Content delivery alternatives... intertwining IXPs & CDNs. Thursday, December 2016 9:00 a.m. 10:30 a.m. Please standby for realtime captions... >> Please standby for realtime captions... >> MODERATOR: Good morning, everyone. Thanks for coming along on this Thursday morning. We are hear to talk about IXPs and CDNs, content delivery alternatives, and I will ask for the panelists to present themselves when they start to talk. And we will start with Jane Coffin. And Jane, you have the floor, please. >> JANE COFFIN: Good morning, everyone. All right. Awesome. In Africa, if you ask that question and you don't answer back, you're in big trouble. So good morning! Thank you for joining us today for this fabulous panel. For those on the remote connection, this is workshop 47: Content delivery alternatives... intertwining IXPs and CDNs. Thank you to everyone for putting this panel together. And the team in the region, of course, too. I'm Jane Coffin. I'm going to try to speak slowly for the people that are not in the room. We have remote people listening in, maybe. So Michael here will help us with some of the logistics. And I think if we have questions from the remote participants, if people could help us with that, we'll go for that. So welcome to the panel. You have an amazing group here, as you can see on the screen. Gracias to everyone doing the technical work, too. The bottom line for me and the internet society is we're big champions for the internet exchange points. We help develop them. We donate equipment, but really it's all about them. So we do what we can from the bottom up to help. By helping, that means we listen to what they have to say because they know better than we do. So one thing that I've known and from the work I've been doing around the world, and I often will come in to do best practices workshops to try to boot up the community and get people together. Because the key thing about any internet exchange point is the community. It's the people who interact and help develop and champion. You've been hearing a lot about community networks here. It's the same with IXPs or any group of people that you're bringing together. It's about them and how they interact and how they want to agree together. So at the internet exchange points around the world, there are different characters and characteristics, but there are the same similar issues right now from a technical perspective. So before I jump into a content delivery one-minute moment, I would like to ask who in the room runs an internet exchange point, runs IXPs or has developed an IXP. Raise your hand. Awesome. I see people here from Thailand, the Philippines, the Canadian internet registry authority. I see many that I know here. So if you haven't heard me say your name and you want to say something later, we would really like to hear from you during the question-and-answer session as well. So content, critical for an internet exchange point. Content delivery networks, anyone running big content pipes, many like to exchange traffic, put their caches in through the IXPs. It's a great place to meet up with many networks. The challenge for many small internet exchange points is attracting the content delivery networks. You will hear more from the panelists about the economics, the issues with platforms, sharing platform space. You will hear some innovative approaches from the team here, specifically Antonio, about new ideas for content platform sharing. With that I'm going to turn it over to the people you're here to hear from. But know that there's a great group of people around the world doing this type of work from the bottom up. They're everything from euro IX, APIX in Asia Pacific region, the regional internet registries are strong, strong advocates as well. Chris is in the room. Wave your hands? We all work together. Know one does it alone. We're all partners. You can't exchange traffic with BGP without an ASN, right? So there are very important actors in the room and in the world. And I forgot to mention the Canadian IX association, that's the newest one I know of, CAIX. We have had people come to us and say that someone was advertising the entire routing table, what should we do? Perhaps we can have a workshop and you can help reboot BGP training. When you're an internet service provider, less on the content delivery side, perhaps, you have many strong technical people who may leave and when they leave and if they are your BGP expert, if they're gone, what do you do? Someone might not know exactly how to do SBGP at the IXP. So we often will go in with teams, the network resource center or the regional internet registries and we will do free training. If you're in a region and you know you need help, talk to your RIR. They do BGP training, routing management, IP routing, they're excellent. So back to content, I'm going to turn over to Bastiaan Goslings from one of the largest IXPs in the world. These IXPs started out small. If you're small, more will come. But you have the challenge of how do I attract the CDN to me if you have so few peers and running maybe a gig of traffic. You go from 300 megs to 1,000 in two weeks. If you're not ready, you can't carry that traffic. There's a lot of information here. So Bastiaan, over to you. We're going to reset the clock up front. Each speaker has about ten minutes, and then we'll have Q&A. >> BASTIAAN GOSLINGS: Thank you very much, Jane, for the introduction. Good morning, everyone. My name is Bastiaan Goslings and I work for the Amsterdam internet exchange. It's a great honor to be here. I think it's a very interesting and timely topic. So I hope I will be able to add something to it. Today, I would especially like to share our experiences with getting CDNs on board with popular content. Specifically I want to share the experience I had with the IXP we set up in the Caribbean. Hopefully there were lessons learned and that can give you some food for thought. I think we need to keep in mind that any place in this particular situation will have its own particular characteristics. That doesn't mean that whatever we did there can immediately be copied and pasted to another situation. But none the less, there were some things that we ran into and overcame, and I hope that's interesting for you guys. You're probably most familiar with us as being one of the larger internet exchanges in the world. The largest global internet hub, so we're proud of that. Over the years we have been exporting that particular model we had in Amsterdam to other places, not only to increase value for existing members and customers, but adding value for other regions and locations and local networks. We always do that on demand. It's not something that we think everything we touch will turn into gold. It will happen when there's demand from the local partners. So I would like to talk specifically about the Caribbean. I counted a number of challenges specifically with regard to CDNs, and that's something that I can share here during this particular workshop. At the time when we set up in 2008, we knew it was going to be a relatively small regional exchange. It was a smaller island, 150,000 inhabitants. The reason we set it up at the time is because of a government initiative. They felt an IXP would be an added value and they asked us to build the exchange and manage it remotely. From the start we knew it was going to be a challenge to get the local IXPs to work with each other. That's not what they did. They got all the content from Miami. There was hardly any local content available. And whatever there was, you know, that would be exchanged and handled, maybe some e-mails that would be handled in Miami, too. They did not want to pair with each other and they still do all of that in Miami. That's what they're familiar with. So setting up the IXP and the ISPs not being supportive of it, along with the fact that they were unable to pair with each other, we had to find something that would make it attractive for people to come there. Quite obviously at the time, it was obvious that the engines of the ISP, they like content, especially CDN content. So we felt that was a strong reason to get the CDNs on board there. Hardly any local traffic. So that was another confirmation that we had to get the CDNs on board. It took a while, so we started off in 2008. But in 2010, we got Google cache at the IXP as well as another. Basically I tried to make it as practical as possible, what we did. We found a way of sharing the costs involved and getting all the stakeholders on board and doing all of the challenge. So the CDNs themselves, they sent the servers. They carried the physical transportation costs, which is actually quite significant. The IXP provides support free of charge. The data center provided space and power. The two largest ISPs, the largest consumers of the content, they were willing to take care of the cache flow. So one took care of the Google cache, and the other took care of the acimai cache. Ultimately we were pairing with all the ISPs on the platform. The idea was to have this particular set-up, and everyone agreed upon that, including the CDNs. CDNs are always willing to come as close to the end user as possible. Very happy customers of ISPs and willing to put their traffic in the networks. The way we did it was something that the CDNs could work with. We did agree that we would do it for a limited period of time. It was not set in stone. But until the amount of traffic exchanged would also make it a business case for CDN so that they would then eventually be willing to pay for a port on the IX and take care of themselves and the cache flow. We estimated at the time that it would take a couple of years. We're in the process now of having the first CDNs pay for connectivity themselves. So that gives you like an estimate since 2010 about the period of time it took. That coiled be different somewhere else. I have to say connecting to the exchange has been a great success. Immediately the exchange of traffic explodes. Also over the years, we have seen because of this trickling down for end users on the islands in the region, internet speeds going significantly increasing and prices going down and also penetration, the amount of people who have usability significantly increased over the years. 1% in 2007 and now we're speaking of 90% of inhabitants having a broadband connection. So that's been very successful. In general terms just to refer to a couple of lessons learned, at least for us, in order to keep an IXP sustainable, it's very important that all of the longer term costs of running the IXP are covered. And at the end of the day are covered by port fees. If there is any period necessary of subsidizing a certain set-up in order to create some critical mass and demonstrate the business case, then it's important that the costs involved with the subsidy are also shared like what we did in the case of connecting the CDNs. I would always advise people to try to make an inventory as specific as possible of all the costs involved. Think of the equipments, reserving funds for re-investing, expanding the platform, total costs, leasing fiber, personnel cost, etc. Try to make as specific a plan as possible in order to justify the port fees you will charge. Assume that a port is comparable to the CDN case. At the end of the day, you are running a business, even if it's not a nonprofit one in nature as ours is, and because of that you do need a business case and a budget. And try to be as transparent as possible because that will create trust and make it more likely to convince stakeholders and ISPs to participate and share their goods in order to make it a success. What I have been told, four points from the Caribbean. It's about creating trust. It might sound a bit cliche and vague, but it is very important. Simultaneously, number two, have a solid financial transparent model about what you're doing. Number three, recognize the entire eco-system and give everyone sufficient attention by engaging all of them. It's about the IXP, the CDNs, about the members or participants or customers and whatever you want to call them and the data center involved. Try to focus on a common interest, a common ground. That will also help make it easier to create this particular trust. That's basically it with regard to the CDN case. Looking into the future for the Caribbean, the next steps will be involving new CDNs, connecting them to the exchange. I can name names because everyone is aware of Netflix. And we are encouraging the ISPs to pair locally. They might like content but it's important for them to pair as well. It is indeed very important to have traffic there locally. That is it for me for now. Thank you very much. >> JANE COFFIN: Excellent. Thank you so much. I would like to just rest on one point that you made about building trust. That's one of the most critical things we've seen and you've heard from an IX themselves and there are plenty of others in the room. I see you in the back there and others in the room. To help start up and develop and support IXPs. Building that trust is what we can often call the human trust network. It's person to person or eye to eye. It's when we meet each other you're not quite sure. I met Arial and he's a great guy and I see you and I know you and we can work together more. Bringing the content closer to the consumer and getting the caches into the IXs. The cache, some of you pronounce it differently. This is the life blood of the CDN. And up next we have Alejandro. Over to you. >> ALEJANDRO: I'm really happy to be on this panel because my whole professional life has been between IXP, ISPs and CDNs. I was part of the committee in Colombia. I was part of the first board of directors. And I want to talk a little about what was my job every day and how this was operated. And why is an IXP useful for and what it is not. Okay? So if we can go to the next slide, please? We want everyone in the world to be able to access information that is useful for them. Thinking about it in a diplomatic focus, the users are always behind an internet service provider. The users will come behind an ISP. So my work every day is to think about how to get connected to the ISPs and ensure that the content is working well and good quality. We understand that when ISPs are getting the costs lower, then they can do that. So the users can get all services for a better price. That is the work I do every day. I'm responsible for Latin America and the relationship with the big ISPs. So I will start first with some cases where the ISPs are not the solution. So let's start with the first case. A market where there are only big ISPs, so they have big ports. We are talking about, for example, 100X ports. When the number of ISPs is low, they have big traffic. To connect them through an IXP is not the right solution. We are duplicating ports. We are forcing on the side of the ISP and then against ports on the side of internet service provider. In that case, we are also doing by use of permission, sometimes, they are in the same building. A better flavor to connect them. And maybe IXP looks at what we need to set up to get there. In this case, when we have this kind of market, then the IXP is not the right solution for that. When a market didn't have an ISP, we tried to help the community get together to try to build an IXP to try to help them. Sometimes it's not possible, and sometimes we have to solve the content in another way, trying to connect with everyone there in a separate way. And then an IXP is created. But everybody else is already connecting in other ways. They are connected to different CDNs by other means. At that point of time, to just connect to an IXP is not going to add value and at that point we would decide not to join an IXP. Okay. When the IXP has policies that are not open and says the interest, we all know that there are some IXPs that work in that way. It was created just for some of the ISPs in the country. There are some countries, for example, where the government is going to try to buy services from an ISP and it is required to be connected to the local IXP. So ISPs around that IXP don't want anybody else to join because of competition. So unfortunately, there are some that block other players to connect. In Peru, many others tried to join, but they couldn't. In that case, as Google, we don't want to increase the bad behavior. So we prefer to help everybody else. Something that is run with good policies and open and goes straight to the market, not just to serve the interest of a few ones. Other case, when the ISP is not cost effective. The port cost is so high that it's cheaper to go to transit. Or when you put together the port, and the transmission to get to the ISP is so expensive that it's better to connect in other ways. There are cases where this is not the right solution. But there are cases where an IXP is the right solution and they are good to have. The first one, when we use the cost efficiently. In a well delivered market, where they are well connected to the ISP. In this case we are using the capacity in a better way and we are saving costs because everyone is connecting and getting content in that place. The same happens when the market is not that big. And it is easy just to serve the traffic there. Okay. Big markets, more a well developed and too many ISPs. So we have like 6,000ISPs in Brazil. So the IXP makes a really good job putting all of them together and benefitting from a single point of connection. There are not many markets like this. Like India, Russia, and others, they have so many ISPs, so this is a direct solution. When we want to develop the environment. They hope to have the definition point from a few ISPs, but we saw that potential and provided a patch. We knew it was not just the case for that. It was not good for a moment. We provide a cache and that helps in the case, Argentina at the moment. We have been helping them. And the content and traffic was super-fast. And many ISPs were connecting. From like 80 members a few years ago to now 300 this morning... 400 as of this morning. Okay. It's adding value. We can jump to others. So in conclusion, IXPs are a good solution for many cases and that's why, as Google, we try to help IXPs to develop, to have the native equipment, money, and everything to make this happen. This is not good in all the cases. We have to focus in the ones that it really adds value. If they are open, cost effective and good for the market. >> JANE COFFIN: Thank you very much, Alejandro. It's been a long week. Thank you very much. One perspective on content for some of you in the room as well, when you have a non-competitive market, and small ISPs are trained to create an IXP, it's hard to attract content to the networks. And what you're hearing from Alejandro and what you will hear from Martin, possibly, is there are certain things you can do to attract one to come. But if you're trying to create a local IX, it's the local content development. And you've probably heard this in other panels this week, which is so important. Which also means it's a cyclical issue or eco- system of local hosting. Do you have the capacity to host? Are your ISPs ready? We have been working to host 10,000 sites back in Ruanda. There's no 24/7 support. Part of the issue is having local ISPs ready to bring the traffic host. Not send out a lot of spam, which happened in one country, to their peers. And also to think about what it is that you can do to increase local content. So we're going to turn it over to Martin Levee with cloud flair. Martin, over to you. >> MARTIN: Thank you, Jen. I'll do the quick introduction. And then talk about the subject at hand. I've been building internet backbones and moving bits on the internet now for a long time. I am not the most amount of gray here. But some of it is caused by moving bits, some of it. The concept of internet exchanges is not something to repeat, but I have been involved in connecting to them since the mid 90s, basically. Having moved from building large backbones to now content distribution, you can't reiterate more the important of internet exchanges in that job. So I'm going to give you a slightly different perspective than Google, but complimentary. We have absolutely similar issues all around the globe. We're just at a different scale. So when we look at internet exchanges, the common problems of do we have facilities that are appropriate are the internet exchanges that we want to connect to, are they easy to connect to? Have they actually been implemented in the right buildings? In buildings where an interconnect... and I use the word cost effective as opposed to cheap, always. So these issues sort of are identical around the globe. I'm going to focus also on the need to fill the content. Content in the content delivery network is always... is 100% somebody else's content. We are an integral part of how the internetworks today, but we bring content from somewhere else. And then distribute it around the globe to make it more efficient, faster, to protect it, and other features like that. So we also have to solve the problem of filling the cache, making the data local, the first step before it's delivered to the eyeballs. We are, as was mentioned, building, and this took quite some time because the exchange was not a problem. That's an easy tick mark. Yes, there's an exchange there. We spent most of the time dealing with the problem of cost effectiveness. In other cases when we're in a large city such as London or Hong Kong or Los Angeles or New York City, etc., the content amount that we're delivering is so high that the cost effectiveness of the whole eco-system that we build is easy to understand. We can buy a very large amount of band width to fill the cache. We can connect with large amounts of capacity to fill the exchanges. We find multitudes of carriers and ISPs that will take a private interconnect, a point to point fiber connection inside the same data center such that we can take the high band width networks and deliver the bits directly. That eco-system gets financially strained. Interestingly enough, it's not a technology problem at this point in time. It is far more about the economics about every part of the building block. I will take a time-out to point something out to the audience that no one can see. The timer has gone into sleep mode. In theory I have an infinite amount of time to talk. But I believe those in charge will fix this within seconds. They haven't yet. Anyway. I will continue. The clock has not stopped. There are lots of interesting issues brought to the table. We as a content delivery network partly because of our D-DOS mitigation network, we have a very, very particular requirement on content flow, which means that we normally can't take a generic internet feed and use it efficiently. We have to do quite a bit of engineering on that. So those points are normally discussed on a point-to-point basis. But the effort described, and I won't repeat because I know it has existed in other places around the world, that effort is a very worthy way of spreading the word of multiple eyeball networks to bring content. I'm going to reiterate a point that was made, which is yes there are many times where we sit and talk with the local providers and find that they are not peering amongst themselves, which is foolish. If they all want to peer with us and our competitors, okay, fine. At least that solves our problem. And if nothing else, a little bit of peering can move on to a lot of peering. There are specific cases and points of which to give an example, as a content delivery network, we have build two facilityes which are surprisingly close to each other. The Philippines and manila because we have two massive telcos that will not interconnect with each other. They have actually just solved that problem, and I will talk about that in a minute. There are internet exchanges over the last year or so that has grown in manila in the Philippines. But the mere fact that these two telcos won't get along and, by the way, are causing the non-beneficiaries of this are the end-users. We as a content delivery network have had to duplicate our capital expense, duplicate our network in manila just because of the connection issues. I'll sum up and give some time back to the moderator and the panel and simply say that we are finding that an enormous amount of bits on the internet are being delivered by content delivery networks or very large sources of data, normally on behalf of somebody else. And this trend is not going to change. That is fundamental to our business model. But the reality is that we also want to work in every single part and place that we can. But what we want to do is bring the content close tore the eyeballs and in most cases, internet exchanges are the motis opporandus. >> JANE COFFIN: That was Martin levy from cloudflare. Before that, Martin spoke from Google. And then Bastiaan Goslings spoke first. Next up is Henrique from CGI, yeah? He will tell you a little bit about who he is and what he does. He has ten minutes like everyone else. >> MODERATOR: We require a change in the order. >> JANE COFFIN: Okay. You're in charge. We're going to Antonio now. Antonio Morales will be up. >> ANTONIO MORALES: I'm an engineer and I'm in charge of the development and the presentation? No presentation? Let's do it without the presentation. Okay. We have 26IXPs in Brazil. IXP.BR has 26IXPs. But one of them is responsible for 80% of the traffic and about 80% of the interconnected ISPs. So we have a lot of concentration. I want to add to the presentation of Alejandro to see if the other IXPs have the correct approach to be useful to the CDNs. They are true for the users and policies of ISPs that want to connect. I think that a lot of content... don't... didn't solve yet the connected problems in their regions where the IXPs are in. But in fact, the CDN has been the main content providers. So what's the problem in Brazil? The ISPs are very small and have very few participants. I think they don't make very good business case for CDNs and other content providers to connect. Oops. It's not this presentation. Sorry. It's the other one. >> JANE COFFIN: One moment. >> ANTONIO MOREIRAS: Well, CDNs, we see that they have basically two models today. One model to bring home, it's the model they use in places where we have a lot of ISPs, and big ISPs. They are present in the big data center. Their other model is when the CDNs put the caches aside the ISPs networks. So it generally works for medium and big ISPs because there is minimal amount of traffic to... should the CDN have a good business case to do that. When, for example, ISP asks Netflix to put a cache server inside their network, Netflix, you ask for 800 megabits per second of traffic to be able to do that. So for a small ISP in the country, probably neither of the solutions are very good. They are not able to connect to the bigger IXP that is far away from where they are. And they are not big enough to be a good business case to the CDN to put the cache inside their network. So this map shows where the ISPs are connected to IXP from Brazil is a very big country. We have ISPs coming from very, very far away to connect to IXP here because the content is present there and not present at the local IXPs. In the next area, it's very simple. We are not reinventing the wheel. We see a trend of small ISPs, when they are not big enough to ask for a CDN to put a cache inside their network, they come together and approach the CDN... oh! If you put a cache inside the network, this will be shared between these three or four other ISPs. So they make this agreement to share the caches locally. And it works sometimes. But sometimes it does not work very well because their ISP that are hosting the cache grows a bit, and then the cache is... they have the traffic. They have the cache only for them, and they break the agreement to the others. And bell, we see that the agreements between the ISPs are not very stable. So we are trying to have this kind of arrangement and institutionalize it. So we are creating, we are proposing to create an alternate system that we will help with hosting the space near the local ISP. And we are highering the capacity of the IXP of Sao Sao Paulo. And the users, the participants of the local IXP are going to share the costs of connecting and of the hosting. With the CDNs. We are trying to convince the CDNs of participating, of the sharing costs. So the idea is very simple. It's to have a tiered way of model, where the caches could be shared between a lot of ISPs. And the costs also could be shared between ISPs and IXPs. For now it's a project that we are trying to make it relative in the IX.BR in Salvador. Probably we start to break it in next month. But we have an example of local IXP where an association of ISPs meet the national association of inclusive... inclusion. They made a similar product, and they asked for caches for bigger systems. And they shared this cache inside the local IXP. So they did it and you can see on the graph how the traffic has grown. It was about two gigabits and now it's 15.52. So that's it. We think that the model for the internet has developed, so the first place we have the tier 1, the core with the ISPs connected. After that, we had the donuts internet where the ISPs start working with each other with the help of IXPs. And now it's very important that we ask the CDNs to go to the model of the donut internet. So the CDNs must be closer to the ISPs and to the end users, because the main contents and the CDNs are responsible for approximately 50 to 80% of the traffic that ISP have to bring to the users. So that's it. Thank you very much. >> JANE COFFIN: Thank you very much, Antonio. That's a very interesting model and something that I would note that some of you, in many countries there is often a cache war. Many ISPs are trying to grow but if a cache is only in an incumbent's network, it's hard to attract. It's just something to think about. If you're starting up an IXP, it can be complicated, but don't lose faith. Things change over time. The next up is Henrique, who will tell you a bit more about what he wants to talk about. And he's with CGI. >> HENRIQUE FAULHABER: Good morning, everyone. I am one of the board members of CGI.br. And we are very please ed to be part of the workshop about different perspectives that people bring to the table here. In fact, as just told, an IXP to take 26 cities, and we enter in the situation that ten years ago, we bring content from Miami and outside the country. It's so big today that it's about 80% of the content and everybody goes to Sao Paulo to take content from the major players. Sao Paulo is now a hub like Miami was ten years ago. We're in the middle of discussion of new projects to empower the IXPs in small cities. In fact, Brazil as a country now, a very big country that has different situations. Sao Paulo is too big and Rio is also big with big IXPs, but you have some states not with them inside of the country. It's interesting to have heard here, I have a few comments. I believe it's more important to have time for questions and answers from the audience. The material is too rich, and we have a future that we have to decide and make planning in how to do well with this issue of the solution of content to CDNs. It's very interesting to us to hear from Google, from Alejandro, which requirements should be considered to fit the IXP through the cache from Google. I believe those comments are very important to us in Brazil and for all the people involved in the IXP that are considering to make cache and make CDNs available on our own infrastructure. Google accounts for 27% of the traffic, Facebook about 15%, and Netflix about 11%, and Microsoft about 6%. The three biggest host about 50% of the content that goes through to the end users in Brazil. This project, the open city project, is supposed to be starting to run software next month. In fact, we'll allow the other citizens in Sao Paulo to have this infrastructure in the beginning for Google, Netflix and Microsoft available to the region. The fact of the cost is for the ISPs is too... is very important. When it was said that the content for the ISPs participate on the IXPs are about 60 to 80%, it means that above the three or four big players, other players also participate on the IXP, and the transit cost for the ISPs is, in fact, about 60% less than when they are not in the... in this environment. We proposed the new project at the end, considering the big players are offering a service and infrastructure to put their caches. We can do the research in a way that we can match the criteria that this those players ask for. In Brazil, we have over 5,000ISPs and it's not possible to have cache for everyone. We as the international community and our operational arm, we organized these requirements from the ISPs and bring them the opportunity to use the resources that are offered through the content providers in a way that it would be not possible if we don't have a good aggregation for them. Those are my first comments. I believe Bastiaan's point is very good. He is a close friend, and some of that work helped very much the community. Last year, one workshop about IXPs focusing on assistance ability. In Brazil, we are going to a new model. We are living in Sao Paulo and here is the model for free ports for the content providers and ISPs, and we're going to a model that we are participate... for the participants. Just to cover the operational costs, not the investment. As you know, the president ... funded by the resources. So, the space that Bastiaan and others brings to us, to the community, about the model of assistance ability of cost in the Caribbean on their project, I believe it's very good information for us in order to make IXPs to make them cost efficient and sustainable. So that's my first... my few comments here. I will be glad to hear from you and ask... the people here at the table make other comments and address the issues that you can bring to us. Thank you. >> JANE COFFIN: Thank you very much, Henrique. And just a small round of applause for our panelists. We're going to go to question and answer and open mic. Thank you very much. [ Applause ] And just to sum up for the remote moderation and those who entered the room, we heard from Bastiaan, Martin levy, Antonio, Henrique from CGI.br. So does anyone have questions? Excellent. I'm going to start in the back of the room. Hi, how are you? >> Hi. Thank you. Thank you very much for the panelists for great presentation this is a very acute issue for us right now. Kyrgystan receives 80 to 90% of our content from the outside, which worked until one decided to increase prices three times. Now the cost is $30 for a gigabit per second. A year ago, it was $100. We have realized a difficult situation we have now. Now the country is looking to reinventing the situation. And the issue of IXPs and CDNs has become very important. And Kygystan hopes to help the neighboring regions and neighboring countries. >> JANE COFFIN: Does anyone on the panel have a suggestion and a help? Note that Kygystan, it's almost double landlocked. China is so big, land mass wise, we're looking at situations talking about being connected and bringing economic models that would work for an IX in Kirgystan, does anyone have any advice for the team there? It's a different situation with different land masses and border issues. Anyone want to... Martin? >> MARTIN: Thank you for bringing up a new country. If you have been wondering why I have been at my keyboard, it's because I have a natural desire to say how much traffic actually goes to Kyrgystan? And interesting enough in the last two or three days, I've seen all the traffic disappear from Moscow through public and now being fed out of Frankfurt on a completely different port. So let's say in theory and practice, that they match 100%. Something has changed in traffic there and somebody changing the pricing by a factor of three upwards, the industry does not go up. It's meant to go down. It has an effect. So interesting double problem there. And I'm just going to add that yes, it shows up in the >> JANE COFFIN: I believe I saw a hand up over here? Alejandro from Mexico? >> It is thought to be a microphone problem but it's more often a mixer problem, so we always have to wait a few seconds. I'm from Mexico. I congratulate the organizers for this panel. I think this workshop should be mandatory for every attendent to IGF2016. It should be tested before people can lock into next year's. For this reason, this is one of the very few workshops that actually touches on the technical aspects of how regions get connected. The impact of the data you are showing is from everything that is in policy discussions. Particularly on net neutrality discussions. The model of a big central server sending tons of data to networks is absolute mostly thanks to your efforts. Bringing data closer to the user. On the other hand, how money changes hands between what someone pays for Netflix or pays for their ISP and finally gets into a company's coffers. That architecture changes dramatically. I would like to ask how do you analyze the impact of the net neutrality discussion and the discussion of regulating the so called OTTs, over the top providers. And is there any impact that you could tell us significantly if there's a difference between the idea of content of something that is sent to the users to read or watch more passively and be more active production of content that's actually happening, become services on content. Thank you. >> MODERATOR: If I can quickly correct you, the content will sit untouched unless a user requests the data. So 180 degrees different. >> JANE COFFIN: On the OTP side, do you want to respond, Alejandro? >> ALEJANDRO: I am passing. >> JANE COFFIN: It is a very good point. OTP are tricky. We were just at a major world conference where this issue is a big topic of debate. And stay tuned for the world telecom development conference in Buenes Ares in October. And I believe there will be a discussion about how to develop the infrastructures in different countries. We're talking basic infrastructure as well. For those of you that may not know that there is fiber involved. It's not just through the air. We're talking cables, accessing from fiber backhaul from the landing station to satellite activity and others are all part of the eco-system. Another hand was up in the back there. I can't quite see you. Stand up. We've got a white shirt on. You, excellent. If you can introduce yourself. >> Carlos from Ecuador. We are building the network, and we are interconnecting these ISPs all around the country. Because more than 300 small ISP has no way to compete with the big internet providers. The big internet providers have plans with different parities for international and local traffic. They sell only to the final user. They do not sell to the small ISP who works in areas where there are not so much people. So between 200 and 300 small ISP organized and made this network of IXP. I'm going to talk about this in the afternoon in the ISP panel of experience. But the main problem we face now is how to get content servers. How to approach to put in contact with people like Facebook and Google like Netflix. So we can have more content servers to meet the IXP connectivity. In order to ask it to work better with the content providers? Thank you. >> MODERATOR: I know we have been working with different models for a long time. I think sometimes we face an issue that is not even about wanting to do things. It's about technical difficulties. I remember a case of an IXP that was presented to us. The total traffic intoneed was around like 70 or 80. The smaller cache is more in terms of capacity. If we pull out one, there is one like the 4G capacity, the minimum traffic that makes sense for the area is 400megs because below that the cache will consume more traffic than it delivers. It really needs to make sense for the ISPs. You are not saving money, you are wasting money. That's the point. You need to put more people together to get to the point where technically we can help. >> JANE COFFIN: Thank you very much, Alejandro, for that comment. 20 years ago, people were sending over to the United States to talk to us. This is a picture that I'm going to make on cross border connectivity. Break down the walls. If you're not sending traffic over the borders at a lower cost, by the way, it's complicated. And your costs are so much higher. The long haul, the traffic goes back to talk to each other in a country? Time and distance equals money. So you're trying to minimize that long all traffictraffic. We're seeing much more build-out in the world. Islamabad just launched out. Thank you for that point, Carlos. It's an important one. Other questions in the room? Hands? Up here and then Allen after that. Please introduce yourself for the audience and remote participation. >> Hi. I'm from American university. I have a question. What prevents IXPs to connect to each other in a context as Brazil? We have 26IXPs and Alejandro talked about how it is difficult to install CDNs in different ISPs so we have 6,000ISPs in Brazil, for exampleISPs in Brazil, for example . >> JANE COFFIN: I'm going to turn to Bastiaan and Antonio. The basic idea is not to compete with your customers as well, the ISPs. So you're generally not sending the traffic back and forth between IXPs, it's the localized traffic exchange. But, let's go over to Bastiaan and then Antonio. >> BASTIAAN GOSLINGS: Yeah, I cannot comment on Brazil's situation. I'm sure Antonio will. Speaking for the company I represent here, as Jane said, you don't compete with a subset of your customers. That has always been our approach. We leave the interconnectivity between a subset of our customers, which are basically carriers. I realize that in the Amsterdam metro area and the nethernethernetherlands, the area I come from, it's a competitive market and many ISPs to choose from. I know that's not the case everywhere. Our model is not interconnected exchanges, that's not, per se, the way to do it. There are other successful internet exchanges. In Holland, we have a really big one, number five or six. And they have a completely distributed network over Europe. So wherever you plug into, commercially speaking it's very successful. So it's not up to me to comment on whether that's a good or a bad model and whether they are competing with customers. I think they don't feel like waiting and they say that their customers don't feel that way. And whether the additional agency and other things that this generates, whether that's an issue or not is probably up to their customers. It seems to be a successful model. I'm curious to hear what Antonio has to comment. >> ANTONIO MOREIRAS: The ISPs try to solve the problem of local content and stay local. So we need to attract CDNs and make this content look to feel the cache and maybe this content, look how it's different that is starting with our customers, with telecom providers. I could say that ISPs are interconnected, but not by this. By the telecom providers. They provide the service for a cost. So they are interconnected. If you are a participant on IXP want to buy capacity to contribute, they can do that from a telecom providers. Specifically in Brazil, we would have problems with the telecom regulator. We are not regulated as IXP. We are a part of the internet infrastructure, not of the telecom infrastructure. At least in Brazil, the legal aspect, the regulatory perspectives, the things are separated. So we don't want to mix the two things. >> JANE COFFIN: Thank you very much. IXPs are not the old telco NOCs, the network operation centers. Not like in the old telecom model. There was another hand up, I believe Allen from the Canadian internet registry authority. You're up. >> Thank you. I'm Allen from the CCT, CCTLD manager from Canada, and we have been involved in helping to set up from the past few years. I wanted to go back to the first presentation actually from Bastiaan because it mirrored our experience in one or two situations where we had a very small city, 500,000 people. We had some ISPs that were willing. We have a very uncompetitive market structure. And there was a willingness to do it, and it was really the CDN that provided that necessary extra little bit of value added that brought them together. So I just want to reinforce what you're saying. Everyone had to take a haircut, as we say in north America. Everyone had to contribute a little bit. We chose to pivot transit costs for a couple of years. That was the way we created the value for it to start. So I guess I really want to reinforce that message, in particular for anyone who's looking at setting up an IX, start small. So CDNs are absolutely critical to getting them going. So I have a comment, and I have an unrelated question. We have what I think is a very unusual situation in Canada, and I just wanted to see if the experience of anyone else on the panel or in the room, but Netflix will not put a cache in IXPs in Canada. >> JANE COFFIN: All right. Look at that. We have a question. Netflix won't put a cache in an IXP in Canada. >> They put a box in the large incumbents. They get close tore the eyeballs but not the cache. I'm wondering if this is something unique to us or if anyone else has this problem. >> JANE COFFIN: Bastiaan? >> BASTIAAN GOSLINGS: I'm not going to speak here on behalf of Netflix, but I have a counter question. What is their argument for not doing it? >> AUDIENCE MEMBER: They don't answer the question. Our strong suspicion is, it's for tax reasons. I'm a Netflix purchaser in Canada. I do not pay sales tax on that when I purchase, but when I buy the competing service, which I did until it went out of business, they had to pay tax. And the speculation is that they have no presence in Canada, no staff, no buildings, etc., so the speculation is that they do it for tax reasons so they avoid having to pay both local sales taxes as well as coffer tax. Again, that's speculation. I've asked and they have refused to answer. >> JANE COFFIN: And now someone has a question for Netflix, I'm sure. If they're here, this might be a good time. They're not? Okay. We have about a minute left. We would like to wrap up. First, thank you for being here. Really important to have your participation. Thank you for participating and asking questions, but also just listening. We've got a great team of people up here you can talk to. But also in the room, I want to note again, you have Carlos from Ecuador, Bevel Wooding, Christian O'Flarity who has done a lot of work. I see other guys in the back. Who am I missing? Malcolm. So on the panel here, of course I want to sum up again, Bastiaan, Alejandro, Martin, Henrique, and Antonio. There's a lot of experience here. Ask them questions. I'm sure they're pretty willing to answer. But you've now just had a very cool panel on CDNs. So we've got content issues, trust issues, Netflix not wanting to peer with the IX, very interesting. And you know, this is a key issue for IXPs as they develop, and also in your countries. This is part of the eco-systemic impact of policy, regulation, opens, open borders, equipment, and so on. Tax now. So thank you very much. Give a hand to the panel and to yourselves. We appreciate it. [ Applause ] And the last thing I'll say because you don't want to listen to me anymore. You probably want a coffee like I do. I have to make a pitch for there's an IXP best practices session this afternoon. Vin from the team working with IGF staff has done a brilliant job helping cat herding, which means trying to take people who are very busy and bringing them together to work on best practices. Last year best practices in IXP was more about how do you get started. Now this is more what we call leveling up to the next level. Business sustainability, bringing more content and peers to the IX. That will be this afternoon. I always have to carry around my piece of paper. So 1630 to 1800, IXP best practices session, WS room 7. He's keeping me in check here. Room 7. Thank you very much. We'll see some of you there, I hope! [ Applause ] Please standby for realtime captioning. ZBLOIP . >> MODERATOR: Good morning, everyone. Please standby for realtime captions. Please standby for realtime captions... >> MANAU: Hello. Excuse me for a second. Hello? Hello? Excuse me. Could I interrupt some conversations for a moment? Could those... I'm sorry. We've had an overlap in the schedule. Could I encourage people from the previous session to continue their conversations outside? Thank you. . >> MODERATOR: Good morning everyone. Some of you probably saw the old program and came here early. Others are probably not here yet, but we will compromise and start at the middle. I'm pleased to be able to moderate this session. It's about accountability and internet related policies. And maybe I should specify our context that we are especially interested in national government accountability in internet governance. So we see increased government and ministerial regulation of internet related issues at the present time, and all indications are that that regulation by governments will increase. A lot of that government regulation is coming from ministries and not necessarily through legislative processes of parliaments. So that raises questions about accountability in the sense that how are these ministerial actions then accountable? All the more because ministries are often working these days, if I can show my academic colors for a moment, are often called transgovernmental networks. That means they are meeting together in venues like the GAC, the government advisory commit eye at ICANN. Or OECD committees. Outside the purview of parliament. For that, we have a great panel here from ferment five world regions and sectors. Let me introduce in alphabetical order by first names, we have grace Githaiga, we have Leon Sanchez, from Mexico. You might know him as one of the co-chairs in a recent IANA transition. Mark Carvell, working at the ministry for culture, media and support. And also the newly elected chair of the GAC. Salam Yamout, on the executive abort of ICANN. And our next is the Vice President of the internet association of Japan with business perspectives. That's our panel: We will take two rounds. The first round where they briefly introduce their contexts and let you know what's going on. Then I will go back to you, the audience, for any clarification of the initial presentation. Then we will do a second round of presentations from the panel where they will reflect on what is working and not working in their particular situations. Hand over to Mark, to get an example from the UK to start? >> MARK CARVELL: Thank you. And great to see so many people here for our session here on accountability. And as described, I lead on internet governance policy for the UK government. I'm in the ministry, which is the... has responsibility for ICT policy, generally, including internet policy, so I'm advisor to our minister, dealing with internet policy issues. I want to emphasize that the UK government has a long tradition of public consultation before proposed laws and instruments meets the stage of parliamentary consideration and scrutiny. So it's against that background that I want to speak. But in the age of multi-stakeholder internet governance, clearly we're working in a different way and we're working in a much more transversal way in terms of engaging with other stakeholders in determining how internet policy globally is going to roll out and develop. It is incumbent on me to keep my ministers informed. Also at ICANN and elsewhere where discussions are leading to outcomes that reflect inputs from governments irrespective of public policy. Constituencies of stake holders. So we... keep our ministers informed of what is happening in the stake holder community. That's very important. Specifically, on the ICANN the government committee meets every time that ICANN meets. And also every two years, we have a high level governmental meeting to which ministers and senior policy officials are invited. Bearing in mind the membership of the GAC is now 168 governments and territorial administrations plus the African union commission and the European commission. It's a very big commission. We had a lot of ministers there and a lot of senior policy people there. There are opportunity ss the other contextual point I should make is that we have a national IGF, the UK IGF, and that's a platform also for government policymakers to engage with stake holders. And not only officials, people like me but also ministers. We had two government ministers there presenting on the policy issue s relating to their more specific issues. And now support for the transition. And also the importance of governments being engaged in ICANN policy development. And so on. And secondly we have our minister responsible for child protection and use welfare in relation to the internet. She has spoken at the UK IGF as well. So we have those opportunities to engage with stake holders for more constituencies through the UK IGF. And the UK IGF also was, you know, had remote participation from across the world. It was quite amazing. We had people joining the discussions from Latin America, sub Saharan Africa. A very high profile multistakeholder environment for ministers to speak at. Up until 2013, our specific consultations were pretty much on an ad Hoc basis >> But in the run-up to the ten year review at the general assembly, and there's a long process for preparing for that, we took a decision that we wanted to be a bit more systematic about how we undertook those as stake holder s. The original concept was to be what you might describe as a task and finish group connected to the review. We didn't envision it as having a long life. It was focused on what was happening in preparations. It was the opportunity for us to coordinate with stakeholders in the UK on how we were approaching that U.N. multilateral process. But it was a very successful exercise in establishing that group, and since then we've decided to maintain it as a permanent forum for us for discussing information and discussing what was coming up and coordinating UK engagement and international meetings and debates. We used the MAGIG really to identify non-government stakeholders that we can include in our national delegations at our conferences and so on. So it's actually a pool of expertise in that group from business, from technical community, from the society and academics as well. And it provided a successful sounding board for us to use in terms of allowing us to explain what was happening at the multi-lateral level, but also to get inputs from stakeholders so the positions we were proposing to take were properly informed, if necessary could be corrected, but it was essentially information shareng, turning to what was happening in the U.N. or wherever, and then getting the feedback on the prospective UK policy. So we've used the MAGIG for big conferences, for the conference in Sao Paulo, for the IGF last year, and for this one for discussing ICANN, what was happening in the transition process where governments were discussing us. And following on from the plus ten review. That's the main opportunity for us to identify what stakeholders were signaling as critical issues where they want to put their views forward to us as a government group. I should emphasize that MAGIG is not a decisional body. It doesn't actually take decisions on what the UK position in these various conferences and events and processes might be. It's ensuring that they are fully informed and that we get their views and that we can actually have an opportunity to correct anything that we're not getting quite right in preparing for these events and so on. But ultimately decisions will stay with the UK government. But we are confident that that empowers us to be more effective in our negotiations and not to make we also have the national IGF, and then when it comes to specific national policy initiatives, for example, on child protection, there's another separate process for consulting and informing policy. Okay. I think I've probably gone on for too long, but I hope that introduced the idea of advisory group for stakeholders and how it works and its functions. >> MODERATOR: Thank you very much, Mark. Salam? >> SALAM YOMOUT: I won't be that long because I won't have that many thing s to say about the middle east. It's a very varied region. The countries are not similar to each other. As a whole we can say that it's a region that is characterized by non-Democratly elected government. They don't like the word multi-stakeholder. I'm talking decision makers, they like to go somewhere invited by their peers, that means another government. They don't feel the necessity to grow. And talk to everybody, especially the technical community about ICT and ICT development. As a whole, I could say that in general the decision-making process in the middle east is top-down, unlike the UK. And unfortunately, top-down does not take advantage of the expertise. So a lot of time the regulations that come out are the laws that are not implementable. Because when the decision-maker there is not such culture of dialogue before taking the appropriate policy decision. And my observation over the last six years working with the government is that the governments in the middle east are more control and protection. As opposed to growth. What they want to legislate is they think there is a problem that they want to solve. They will think about it as a control. This should be the government doing that or this. There is no idea of what should we do to grow the ICG sector or to grow the name, etc., etc. I find this is very, very difficult to deal with. And the countries that are while I try to report to you or to say that in the middle east region that we don't have such great numbers, but also we don't have the consultation mechanisms. >> MODERATOR: Suggestions of a causal connection. Can you tell us a bit about Japan? >> Hi. I'm from Japan and I'm from the private sector. I have been involve ed with respect to the portion and the framework on accountability from the government in Japan, it's possible that we in particular from the private sector are very grateful and consistent opposition maintained by the local development that has been unchanged since the commercialization of internet. What that means is that overall, ICG strategies sit on information and communication council. Basically appreciating the fundamentals of internet. It is helpful to drive innovation. Therefore, the government in Japan is more, how can I say? Open to consult with the private sector. Based on that understanding, in order to drive the philosophy, to drive innovation, the philosophy that the government has been taking has been expecting that global consistenty rather than trying to come up with local or unique practices to go through the internet related portals. When it becomes absolutely necessary, of course the government has been providing a necessary support. By facilitate ing but normally, the position from the government is to list a group of experts concerning with use of internet to lead their development of a robust internet by corroborating. So, let me just spend time on more specific about the elements of the framework I just talked about, what we have in Japan with regards to development of the internet related policy. First, the government normally installs the consultation committee or study group by providing the expert to bring the skills and knowledge to discuss and re view it is normally comprised from 20 people from the technical and also users. We do actually see those are the members of the dias as well. When the committee or study group come out with recommendations for policy matters, the government in Japan normally actually through the outreach inviting a broader audience to debut and the provide the feedback on the recommended order of their new policies to be adopt ed we have a very open forum. The other examples are the location based application in conjunction with privacy. Everybody is actually seeing a new business opportunity by utilizing location-based information or the various customer experience. So let me start here. Know that it's a high level player of what kind of a framework we have in Japan. >> MODERATOR: Thank you. We'll come back for more detail in the second round. Chris? >> In in 2010, we got a new constitution. >> AUDIENCE MEMBER: We got a new constitution which now places a requirement on anyone making public policy to consult those that are affected. ose that are affected. So, the process is a draft is developed and then shared with holders drawn from businesses from the civil society. The process has been that the regulator publishes the community's input into its website. And therefore stakeholders are able to see if their contributions are on board. However, as is indicative of such processes, many of you have not even considered adopted. We don't even see compelling reasons. So the presence has its own challenges. For example, even as the constitution has that requirement of public participation and policy- making, we still have not set standards for public participation. And therefore, many institutions are still struggle ing how to make public participation meaningful. Therefore, it needs to have a public participation framework that provides clarity on the submissions are not reflected in the final outcome and just provide results that stakeholders would accept that actual ly on the morality for just something that is not acceptable within the law. Thank you. >> MODERATOR: Great. Thank you very much, Grace. Any initial reflections on what you're hearing? >> LEON SANCHEZ: Thank you very much. My name is Leon Sanchez. We have a different approach sapproaches consulting with the incumbent parties. I would like to talk about how things are done in ICANN and designing the process related to the transition. So within ICANN we have a policy development process where the organizations begin discussing an issue. And if it gets enough traction, then the process actually begins formally. And we provide input from the different stakeholders and the different constituencies from ICANN. The feedback is gathered and it is receive ed so before we have the transition, literally the board was so as the transition needed to take place, ICANN coordinated this effort with the different committees. And while the initial propose al than a group of people within ICANN won't have the back strap of the U.S. government, then we need to enhance ICANN's accountability. So for this, our second group, which was the press community working group, we're in charge of designing the propose al When forming the board, it would be accountable to the different bodies that actually fund the organization. For this we designed a structure that was based on building blocks to the process. And we looked at ICANN as... a way in which we faced a state or a nation. And our judiciary which would be the IRP process. With this in mind, we begin the process of identifying which were the accountability measures that were already in place and so there were more that needed to be put in place and assigned so we can achieve the balance and community between the board as the directing body within ICANN. So throughout the many efforts and the tireless hours that many volunteers worked in this process, we came up with the report it is to try to find the balance between what the board can actually decide and do with whatever is from... within ICANN and the policy processes. And what the community might see or perceive. Appropriate action for the board in some cases. Some of the powers that have invested into the community have to do with budget approval with bylaws approval. We designed a new set of by-laws and regular by-laws and the supervisors as some might call them, but fundamental by-laws right? The difference is the threshold of approval that the community needs to actual ly so what happened before we designed the accountability measures and the mechanisms was that if they were going to be any by law changes, the board would be able to... a project, it would go to public comment and gather the feedback from the different stakeholders and it could or it could not incorporate the feedback received. And then afterwards they would approve any by law changes. Now that has changed. The empowered committee has the ability to first reject any changes to the regular by laws and secondly to approve... it actually needs a positive action from the empowered committee to get approval on any changes to the fundamental by laws and give me structure. We have mechanisms to remove directors from the board. We can have the whole board removed or have certain specific members of the board removed. So the new powers, as I said, are trying to bring this balance into the interaction between the community and the board of directors. And the other essential change in the transition is the new IRP which also set to be the jewel and the crown. In an appropriate way. Let's say, could have some kind of harm or detriment. So, these, in a bird's eye view, what we did in the accountability... the first committee working on accountability. And we're now continuing to flesh out certain topics that were reserved for a second phase of our work, which is commonly known as stream 2, for those who are involved with this. These topics include some issues that have to do, for example, with building a framework of interpretation for human rights with enhancing for the ICANN community, for transparency, and how do we achieve accountability as well. What we understand as accountability in the context of ourselves and see staff accountability and also the role of new by laws and these new organizations. This will continue to evolve and provide the new set of accountability efforts that hopefully at the end will serve the purpose of actually bringing that balance and having an accountable organization to its community. Thank you, shin. >> SHIN YAMASAKI: Remember our question was how our governments as they make regulations about internet related issues, how are they being accountable to those who are affected by those regulations. And we've heard different things about more formally institutionalized mechanisms in the UK. Expert consultations more ad hoc in Japan. Top-down lack of dialogue is the picture that Salam gave us in the middle east, and then Kenya from Grace, and then a whole array of new accountability mechanisms that have been created there. We have a lot to reflect on. Are there any in terms of clarification? If we could take the three and maybe we will come back to the panel? Yeah? There is one in the middle and one there? Malcolm? Please let us know who you are, if you can. >> AUDIENCE MEMBER: This is probably something close to what the UK has done. We are a multi-stakeholder group. People appointed to advise the government, four from each stakeholder group. After three years of experience working within the structure. I feel accountability is absolutely key. I would love to hear more about the report, by the way, on accountability, into those governmental structures like the UK advisory council. There are five stakeholders that meet and happy to provide advice to the government, but if the government doesn't listen or care to listen, then either we meet without a purpose or even worse, we become people who are there only to get their particular interests across to the government. And that's very dangerous. I believe that kills the multi-stakeholder model. If we care for the multistakeholder model, we need to think about getting the government on board. I was wondering whether you have any ideas how to get that done. Thank you. >> MODERATOR: Just for the clarification, your example was from Poland? >> AUDIENCE MEMBER: Yes. >> JAN SCHOLTE: There was one in the back. Go ahead. >> AUDIENCE MEMBER: I was struck by the contrast between the first two speakers in the situation in the UK and the middle east. Not just in terms of the practice but in terms of the outcome. Mr. Carvell was saying that he felt as a result of their engagement, they felt not only did they have the confidence of the broader community in the UK, but they were able to draw on expertise even to extent of bringing in multi-stakeholder experts and having discussions on their behalf. And Salam, you described policies as being stillborn because of refusal to engage. My concern is, in your person, if you don't mind me putting it that way, we have a government person that is practicing opens to multi-stakeholder consultation willing to come here and talk about it. But from the middle east, what we actually have is a representative from the technical community expressing frustration. The government, as you said, did not feel the need to come here. So maybe they're not going to learn from the opportunity to learn from these experiences. How do we get past that. I would like to particularly put that to Grace, actually. What we heard there was less of the extremes there, but more report from the country that still has some challenges in the degree of consultation, but certainly to my mind, it sounded like it was moving in the right direction. In particular, you said that the constitution had been changed and adopted this principle that there must be consultation. And so even if that isn't fully developed yet or it's a work in progress, that sounds like movement in the right direction that maybe the situation for the middle east. You know, we might hope to get there. So I would ask, particularly Grace, how did Kenya move to start to believe that this sort of thing was important? And to get started on that path? >> JAN SCHOLTE: I initially saw a third hand. Did it go down? Here in the front. Thank you. >> AUDIENCE MEMBER: Hello. I'm in Japan. I think I have a question for all of you. I see most of the panel focused on our institutional design in making internet related policy accountable such as multi-stakeholder based consultational advance. I think to make internet related policy accountable, you can also give some kind of justification or review after making the policy, and putting the policy in place. So what do you think about this? >> JAN SCHOLTE: So accountability exposed to what happens. I understand you. It's good. Let's go back to the panel. May I also abuse the chair and ask you a question, too? Apart from the one reference to the diet, no one talked about parliament. And traditionally, if we think about a government's accountability, it's to the elected representatives of the people in the parliament. Is it the case when we move to internet-related governance, that parliament doesn't count and not part of the equation? I tease you with that. Shall we go down the line? Whatever you like. >> TSUYOSHI KINOSHITA: Let me ask this of the last question, which is easier for me to answer. So once again, based upon the practice we have in Japan, accountability is not just to get the expert consolidated during the course of policy development. In Japan, the Japanese government has been adopting the full space management called the PDCA. Plan, do, check, and act. Meaning the last policy that's adopted and implemented, there is a mechanism actually being used in Japan to measure whether or not the expected effect of a policy is actually there or not as the outcome. And if not, then on a periodical basis, based on the PDCA cycle, there is actually a mechanism to adjust or select a course of actions after the policy gets implemented. So that's kind of the order of how we do it. >> GRACE GITHAIGA: In 2005, one thing that was brought up was broadcasting legislation. And broadcast has drawn from different broadcasting sections, the public, community and commercial. And once, you know, they had finalized their draft, it's emerged that there were issues of convergence that could not be dealt alone by the broadcasting sector. And so the process was stopped. And at that point, it was agreed that there needed to be a policy that then would inform in what should come in the broader ICT realm. And then in... in 2006, stakeholders came together. Different stakeholders because, you know, the movement on new technologies had begun. There had been processes and Kenya had been following their world summit on informational society. So there are all of the new things that had come up, and it was agreed that they would have to be together in order for them to make sense. So in 2006, different stakeholders drew from new technologies and the broadcasting sector and the information sector. They came together now and collaboratively developed the ICT policy of 2006. And I think that is where multi-stakeholder policy began, and that is when the Kenya ICT network was born, because it was the platform that then was used to bring people together and to work with the government. So everybody who was a stakeholder worked very well. In the sense of the government, there was a very progressive minister who actually agreed that these issues were complex and needed a multisectoral approach. So that is how it started and from there on, any law that has come has had to engage different stakeholders. Even before 2010, where now this requirement was put in the constitution. Thank you. >> SALAM YAMOUT: The first is to have somebody enlightened or have a need to do that. In Lebanon what has worked is they had this law by the... not the government. By the parliament about the E transactions laws. That's the framework law for doing E signature and all of this. It stayed five years in negotiations and blocked at the end of the whole circuit by the private sector because it contained some things that were unacceptable to the private sector. The private sector did lobbying and stopped it. What happened is the Prime Minister, an enlightened person himself, decided to have a committee where they put inside the committee members of the private sector and professional organizations as well as the other ministries. This is something that worked and that anybody can do. We can start thinking like this. The other way we can do is learn from bottom-up processes that work. For example, the technical community. Policies are made... I mean they're discussed on the mailing list. People raise their hand and talk about them and people meet face to face and the policy is discussed again. At the end it's bottom-up and there is loose consensus. We are far away from reaching this in the government frame of mind. But what we can do, what we have been doing is to foster the dialogue between the state and non-state actors. We start talking to the governments how their legislations can become better and how their policy will be better if they sit down and they talk to people who have experience in this domain. And as newly appointed head of the regional bureau in the middle east, I intend to do the same thing, foster good governance from this point of view. Talking will help solve the problem. >> JAN SCHOLTE: Thanks for the questions and comments. It's excellent points that have been made. If I pick up firstly on review of the process of policy, delivery, review of outcome of negotiations, it's a very important exercise to undertake. And it should be a very inclusive exercise. Our advisory group, the MAGIG, is the opportunity for us in government to feed back to the stakeholders. It is where we had succeeded in advancing UK positions and where we had defeated proposals that were red lands for us. That we would not support. There were a number... I won't go into detail. But WTSA, those who are familiar with that will know that there are crucial proposals there, but that had to be challenged. At the political level, in respect to policy, there are vigorous processes of scrutiny through the parliamentary processes, through the parliamentary committees, third party committees in the parliament to scrutinize what the parliament has done, the positions it has taken. How the laws have performed with a view to, you know, identifying what could possibly be reconsidered or corrected. And speaking of parliamentary engagement, to Leon's point, I'm afraid that I'm going to give another acronym, to add to the ones that overwhelm us in the sphere of internet governance. PICTFOR. It's quite a long acronym. Parliamentary internet communications and technology forum. Now this is a re-branding, if you like, of previous designation, which was a parliamentary IT committee, another acronym, PITCOM, but now it's PICFOR. This is a grouping of parliamentarians. You have academics involved, and technical people. So it's an opportunity for parliamentarians to discuss those issues and bring us ministers and officials into those discussions. Just across the road from the parliament, where this... the agenda engaged on all of those issues. We have a lot of parliamentary engagement. There are members oof the European parliament that is here. Thank you. >> LEON SANCHEZ: If you ask me how to apply it to the governments, I wouldn't know how to do that because of course, government s as my teammates have said, they have different accountability measures to the parliament and to the institutions and to the people that elect those governments. I don't think that's something that we could just appoint from the private sector to the governmental sector. If we refer, we think of the decision-making process, that's another story. There is a chance in Mexico, if we have internet related policies that may affect some of the eco-system or some of the stakeholders, what we do is we discuss widely with the government. They have been involved enough to realize that participation of different stakeholders in relation to internet-related policies is important. We formed a group which is the internet governance initiative group that is formed by the different stakeholders from private sector, of course, academia, civil society, governments, so on and so forth. And we hold regular meeting s in different venues within Mexico, and we discuss any topic that we think or that any of the stakeholders raises as being important to the group. We have the capacity to create awareness on internet governance. One of the outcomes from this group is that we also hold an annual event on internet governance in Mexico. So you could say it's a local idea, but it isn't really, because it's not even branded as such. But the effort is to as I said first, create awareness and then capacity. So the civil society of different stakeholders understand how the multistakeholder model works. And lastly, but not least, to create this awareness in the government. One of the most difficult parts is to make sure the government is a facilitator and not a coordinator. That would be an answer to your question. I hope that's useful for you. And as for the question from the gentleman from Japan, I think that a constant view is needed, both before and an example of exposed... the policy development process. So I think that if you have this kind of organization or inertia between the government and the different stakeholders, then it will come natural to continue to do these consultations. Beforehand and afterwards when a policy is in place. Yes, I definitely agree that the efforts should be continuous and not just something that needs to be done previous to affecting any of the policies that are internet related. Thank you. >> JAN SCHOLTE: Thank you. We have had a confusion with the schedule at the beginning and we have been given permission to continue on beyond 11:45, so we can take more questions if you would like to raise those. Governments are accountable? No problem? All right. I have two questions for the panel myself. One is that people are saying, Leon, you said that governments are elected. They are elected but officials are not. And a lot of the times these are official regulators who have not been elected. So, it's not always necessarily that clear that they're accountable. They are being put in place to be sure that the official regulators are as well. Is this enough? And second related question is accountability is about consultation, evaluation, and transparency. And how much when you are describing these different mechanisms in Japan, in Kenya, in the middle east, in the UK, and Mexico, how transparent are those? The colleague from Poland was raising the issue, how did these consultation groups not become vehicles for lobbying and then special interest? So maybe if we could finish with those questions unless there are other questions that would like to come from the floor. >> GRACE GITHAIGA: So people have been asking, why is it that our submissions never, you know, reach that standard? That it could reach that final outcome document. And I think that's still... that is still a challenge. That's why we are saying we would like a framework. A public participation framework that outlines the processes and even reports back. So that it's stipulated clearly that either your submission answers, or it has no relation whatsoever from what is required. The second thing, there was a government about government accountability. And I have had that. We've even had that argument internally. You go to this and these are committees that have been appointed by the government. They claim that the government elected by the people, and therefore they have the mandates to represent the people. So sometimes it's not even necessary to have that multi-stakeholder approach. Because that government has been elected by the people to represent the people. Which I don't necessarily agree. The second argument that is put forward is that governments give legitimacy to processes. But they also provide the environment for all of us to do what it is that you do, including policymaking in ICT processes. And therefore I think we have not been able to come up with hard and fast responses to some of those challenges. And I can only say that we still have many rivers to cross when it comes to this issue. >> TSUYOSHI KINOSHITA: Just one comment from me, the internet policy on it. The internet-related policy matters gets complex and touched from a variety of aspects around the world. We do see interministarial coordination is happening. Now we do clearly see that the inter-ministarial coordination is necessary to make decisions going forward. That area we do see as an improvement going forward. >> SALAM YAMOUT: Yes, so, I want to touch on the legitimacy concept that has been talked about at the opening remarks at this IGF. We have to talk about what gives you the right, right? It has a right to be correct all the time or has a right to do this or that. When people take their time and resources and money to meet several times and come together to consensus, that's not respectful and not taken seriously. We need to think about what is legislative material and what is not. For your second point, absolutely transparency. It is... we have to learn to be transparent. Being transparent is a lot of work. You have to document what you're seeing. You have to publish it. And maybe that's the shining light that is going to make rulers behave differently when they know that they are watched. That somebody knows what they're doing and can then elect them or not elect them in the next election. >> MARK CARVELL: Just a couple of comments from me, reaching out to stakeholders and communities and engaging many key processes that will impact on the evolution of the internet. Including transition from my seats, the UK seat, and the governmental advisory committee. The committee itself has to reach consensus decisions, and that involves sometimes quite challenging negotiating situations. So how am I accountable for that? I'm accountable primarily through my minister, who then is accountable... the minister is a member of the elected government, of course. And accountable to parliament. And so that is a kind of chain of accountability if you like, primarily. Of course in the UK, we also have freedom of information act, which enabled anybody to access official documents. So any of the reports I do, any of the recommendations I make to ministers on what positions I should take in ICANN or elsewhere or whatever. They are readily available for anybody to access as a right of a citizen to access that information in accordance with the freedom of information act. So there are those important mechanisms. On transparency, yes. On the MAGIG, we have a bit of work to do to enhance our transparency. We are, and are working as a group, we're about 30 member s of government, private sector, technical, academic and civil society members in the group. Everybody sees the documents and has a right to say their piece and the right to go against majority views. So there's absolute transparency about how those discussions develop. In the group we stay informed on government and on policy, as I described earlier. So there's that. So in terms of why the public access to our information and our deliberations as a group, we do need to do a bit more in order to maximize that. We will do that. We've been reviewing the MAGIG recently, its membership and so on, ensuring that we have the right people. That the people who are in the group are fully committed. We've got a process of evolution. The group hasn't been active that long. Was it three years? Transparency is a very important aspect. We're looking at that now. Thanks. >> LEON SANCHEZ: Some are legitimately elected and some others may not be that way. But I think what's important in this context is to realize or at least, I believe that we are living in times in which we might be seeing a new kind of democracy. On internet-related issues, at least I believe that the legitimacy of any policy will be given not because those who are participating in shaping those policies are elected or anything like that. I believe that the legitimacy will come from having all the interested parties contributing to the effort and being, as you said, transparent about it. That will be the factor that will bring legitimacy to any internet related policy. So I guess this might or might not evolve to a new way of governmental policy-making process. But I'm sure that for the years to come, the multi-stakeholder model and the exercise that has been evolving will gain legitimacy, as I said, by having a wide participation and exemplary transparency in the way things are done. That will support the positions themselves. If you can think of maybe free trade agreements, somehow they are negotiated by the different parties to date. And if we act to that model of negotiation, the participation of the different stakeholders that will be affected by the free trade agreements, then another story in negotiation will come in the years to come. Thank you. >> JAN SCHOLTE: Okay. We're getting close to finish. Any last comments from the floor? Okay. I think then we will wind this up. We've been looking at a key question of accountability and internet governance, this time focusing on the government and the ministries and regulators at national level. There are many other issues to address as well. We looked at the ICANN case as a comparison and many other places to go. The accountability was sure one and one. I want to thank the panelists who have come together. They have not worked and spoken together before. This is the wonderful thing about the IGF, you can bring people from all of these different regions and sectors together and they immediately have a conversation that goes very deep. So I want to thank you very much for coming together. I want to thank our coordinator. Thank you very much. [ Applause ] Please standby for realtime captions. Please standby for realtime captions. >> MODERATOR: Thank you all for being here. >> ALEX WONG: My name is Alex Wong with the world economic forum. It was noted as a WEF open forum session, but we're actually pleased to co-host by the organizations that are here, mainly in the middle of the table here. We have global connection, IEEE, ITU, people centered internet, UNESCO, and the World Bank. Why these organizations? And ICANN. I apologize, Nigel. ICANN is one of our co-organizers. Besides the commonalty of being acronyms, we have all been making an effort to help connect the 4 billion people not on the internet. So part of this conversation today is while we all sit in our offices in Geneva and New York and silicon valley, conversations like this are very extremely valuable, because we know that the only way we're going to solve this issue is to have a multi- stakeholder, multisector approach is... what I have learned is the incredible amount of energy and ideas that are coming from the bottom-up as well as from other players that are doing things that we're not aware of. This is really about conversation to talk about how can we improve global and regional coordination and national level coordination to address the 3.9 billion people not on the internet. What we're going to do in this hour that we have is we have a couple distinguished opening and closing remarks, Doreen Bogdan and Vint Cerf. We will cover topics, rapid fire one, two minutes each and then we will open it up for additional views as we go through this. The three topics will be related to data gathering, monitoring evaluation. The second is how do we mobilize the local communities and local content, and the third is how do we insure that we have sustainable and scaleable country partnerships? We want people to say I don't agree and you're missing this point and you're not taking this perspective. That's been the real value of being at IGF and having this open discussion with many of you who I don't know and many of us may not know. With that, let me pass to Doreen Bogdan-Martin. Doreen, please a few opening remarks. >> DOREEN BOGDAN-MARTIN: Thank you very much, Alex, and good afternoon, everyone. It's great to see so many familiar faces in the room. I think this is a demonstration of the coalition and committed of the coalition of the willing around providing universal and affordable access to all. So big thanks to you, Alex, for including us and inviting us to say a few words. The ITU SecretaryGeneral is a Stewart of the shaping the future of the digital economy and society. Did I get that right? And so he is happy to be working with us to have reinforced our relationship with WEF and many of the others that are here today. We all really do share a common goal. I think we are all united and we do share a common goal. I just wanted to throw out quickly some of the challenges that we noted in our last state of broadband report that we can make take into consideration this afternoon. Most of the offline population lives in Asia Pacific and Africa. The offline population is disproportionately female. 58% female of the 3.9 billion that remain unconnected. 60% of them live in rural areas, and 60% have a GNI per capita of less than $6,500 per year. So our analysis also shows us that if we continue doing business as usual, that by 2020, we will not reach the additional 1.5 billion. We will come up some 500 million short. And we also need to take into consideration that the offline population, the difference between the rural and the urban populations, they have very different supply and demand considerations, and we need to take that into consideration in our discussions. And while many of these challenges may seem daunting, we really do believe that by bringing everyone together in the true spirit of multi-stakeholders, that we can overcome this. I will stop here with the mantra that collaboration and cooperation is the only way to go. Thank you. >> ALEX WONG: Thank you, Doreen. Maybe before we go into the content, maybe a bit more from the world economic forum. Some of you may wonder why we're doing this and what we're trying to do here. When we talk about coordination collaboration, that means everybody finding their comparative advantage. And for us at the forum, I would say our advantage or our niche specialty is convening power and neutrality and ability to engage global business leaders and governments. We don't have the strengths, necessarily, or the technical expertise or on the ground level country, and that's why we have so many partners in the room. But what we have been doing since April 2015 is we did launch the internet for all project. The mission of the project is to establish an enduring physical and digital platform to enable the connecting of the 4 billion people on the internet. And we see this as a challenge that requires more innovation requires new ways of investments. The $450 billion that the broadband commission has stated which is required to connect the next 1.5 billion should be an investment opportunity if we can have the right frameworks and regulatory policies in place. We do see in our role is to help strengthen the policy and regulatory environment. One of my big learnings over the past couple of days, and I was excited to learn more about the regulation programs and some of the issues that need to be addressed if we're going to allow the grass roots networks to flourish, and that's a game that we can play by helping governments on these kinds of challenges. And finally, how can we align better? We are aligning globally, but we are also trying to do this in country. We have taken the step to initiate some programs in the northern corridor of east Africa. Working with many of you to try to work with the governments and catalyze and accelerate internet for all. We need more of you in the room on that particular country. I was really happy to meet, in fact, Tony, from one of the community network organizations in Uganda, who I'm going to invite to come to... to get involved with Uganda as we develop that program. And we also developed a program in Argentina. And Nico came to our first meeting as an example of getting our on the ground experiences to the table. So that's what we're trying to do. Happy to take any further questions from any of you at any time on why the forum is doing this and what we're trying to help catalyze. With that, what we're going to do here, as I've mentioned with the three topics, We have two or three what I call firestarters. They're supposed to say something for one or two minutes that would share a view. Open it up to anyone else with a comment and then go to the next topic. It's meant to be interactive. People are willing to stand up and walk around like I do. Let me call on the first category we awe as data. Data is not necessarily viewed as the most exciting, so I thought I would do that first. I say that jokingly. Let me ask Michael Kende to say a few words. Michael, maybe you can kick us off with a few comments. >> MICHAEL KENDE: That's a great intro to the topic. I will just stay seated or I'm sure I will trip somewhere. So on the data side, you know, there's a saying if you can't measure it, you can't improve it. That as lord Calvin from the temperature measurement. And I think that's true, and part of the digital divide is a data divide. The decision makers, whether it's companies, civil society, governments, just don't have the data that is really needed to make decisions on new policies, investments, choices, new initiatives. And a lot of this data governments have data, civil society and others, a lot of them have data, so the first step is really to collaborate, pool the data, anonymousize it. One example is geography. In developed countries, there is data on traffic flow, pricing, all of this data, they anonymize, and set it back for a fee. One thing would be to have a platform to gather similar data so governments can see if policies on new cables are working, company could see if they should be doing it. And then the second step is to identify gaps in the data. And just one of many gaps would be surveys of non-users. Why are people not going online? Brazil has fantastic time series surveys going back ten or eleven years of why people are not going online. It's detailed but you can see by gender, by income, by region, whether it's a lack of availability, cost, not understanding it. Not enough digital skills. If you're trying to bring people online, it's important to know why they're not online in the first place. The second step would be to collaborate, identify these gaps. It will take some resources, but pooling together, that would be a great way to help fill this data divide and help to increase internet inclusion. Thank you. >> ALEX WONG: So we have a couple of others to add to that and we will take any additional comments. Christopher Yoo, I think you have seen the orange shoes or gray cappuccino. If you don't, go to the expo area in the morning. Christopher is a professor of law, communications and computer and information science at university of Pennsylvania. >> CHRISTOPHER YOO: Thank you. About the coffee, today is the last day. We are not doing it tomorrow. So don't shoot the messenger. So, I agree with everything that Michael says: It's more about being cautious. Measurement changes the behavior regardless of whether you change the reward structure or not. If you don't measure the right things, we can actually do bad things. We have different metrics, cost and people connected are relatively easy. That's got some nuance to it. But when we turn to outcomes, we're talking about the frontiers of social science. So what is it? How do we measure good education outcome? In the workshop that Karen and Alice organized, we talked about looking at national test scores. We all know that standardized testing, like any instrument, has limitations. We have to measure something. All measurements have their limitations, but it's a question of trying to validate this and understand them. Collection encourages us to be deductionists. It makes us want to attribute causation when it's not always possible. We have to make sure that we learn how to use the data. The other thing that happens when people who work with data realize very quickly is how difficult and how much variation there is within data sets. So in the workshop we did on day 0, someone said the EU is a shining example. I have worked with the EU data. It's government mandated data, it's collected, and it seems quite uniform until you read the notes. You have to make sure you understand so you can analyze it properly and report it properly. Lastly I would say there's problems not just in tea getting the data but updating it, maintaining it, and setting up longitudinal studies. They're extremely expensive because you lose people from the studies as you go. You have to make sure there's not a sample bias. It makes it very difficult. Last thing I'll plug is emphasizing an important point by Michael. People who have data don't like sharing it. There are incentives that can encourage it under certain circumstances, though it's not a data example, but the one that always motivates my thinking. When Sony beta max came out, the rest of the device manufacturing industry realized they were behind and agreed to stand and eventually the VHS standard won. There are moments like that where we can take advantage of the incentive structure, otherwise people with the data will only share it when they feel like there is some benefit to them when doing it. >> ALEX WONG: Our third fire starter is Sarah Wynn-Williams. Facebook has been a great partner in this initiative. I know you're thinking deeply about how can some of the data that you have be contributed to help with what is a great challenge? Over to you. >> SARAH WYNN-WILLIAMS: Sure. Facebook is very much a data-driven company, and it was through analyzing connectivity that we realized there were four very key barriers to improving connectivity: Availability, affordability, relevance, and readiness. When we talk about data around connectivity, it means many different things to many different people. One issue that I don't hear a lot on these forums is around the data around infrastructure, connectivity infrastructure, specifically. So I was really surprised to learn that since the global financial crisis, more than half the G20 countries have cut investment in infrastructure. We're not having a conversation about that. We're not tracking that data. We're not looking at investment at the government level in infrastructure. So embracing my role, I want to throw that out as something for this room to consider. Another issue that could be fascinating as we get more forward-looking in the conversation around data, you gave us a challenge that it's not an exciting issue, I want to make it a little more sexy. It is how are we using artificial intelligence in relation to data gathering? At Facebook, one of the initiatives that we're progressing is around using AI to get great data on population and to map that back to connectivity. So one of the challenges is to think about how can we be using emerging technology to improve data? >> ALEX WONG: We will have a couple minutes for comments and questions and short interventions? >> MIKE . >> AUDIENCE MEMBER: We have a huge amount of data that we use to block malicious hacking, and would love to share some of our data in a way that won't set off alarm bells among the privacy community. I know other companies have the same problem. We can look out and see which countries have state of the art encryption, which ones are using old, outdated operating systems, where the pirated software is. That leads people to say you must be snooping on everything we do, which we don't do. Our core competency is disposing of data very quickly, and we want to do that. But we have to somehow prove a negative. We have to show that we're not abusing the data that we're collecting. That's the mega issue that any company faces as we're challenged to share the data. We have two types of lawyers. Those that help us do what we want to do and those that tell us why we can't. And there's a lot of the latter type. >> ALEX WONG: Excellent. Christopher has an offer that I'm sure he'll take offline with you. I thought data would invoke privacy issues. I don't know if anyone wants to... okay. Good. This is the pace we want. I want to keep things moving. Do feel free to jump in. I thought Sarah would get a harder question from someone, but we don't have that? Let me go over here. Quick comment. >> AUDIENCE MEMBER: I have a question. My name is Sharda, and I'm a research fellow at the university of Pennsylvania law school. I have a question for Sarah. I would like to understand whether or not Facebook is trying to make their population data sets public, and if so, what are the challenges that you face in making such data public? Thank you. >> ALEX WONG: Quick question? >> AUDIENCE MEMBER: I'm from the web foundation representing affordable internet. But on this issue, I wanted to put a qualifier to it. Appropriate technology. If we're going to introduce technology in context that are going from 0 to AI, what kind of harms could be in the way if we don't consider them. Technology is great, but more importantly, appropriate technology. >> SARAH WYNN-WILLIAMS: I think that's a really important qualification, and I'm hopeful that these are the sorts of forums that we will think through what are the things we need to be worried about? How do we mitigate the risks? That's a conversation that we want to be having. We want to use this room and use the talent in here to further that discussion. In terms of the question that you raised, this is a real challenge, and we... you are probably aware that Facebook put out the connectivity report, which was our first step in trying to look at how we can share. I know you've got a session later on partnershippartnerships. We're looking at where we can build out partnerships to share this data. I think the clear message is this is something we're trying to figure out. It's not something we can do alone. And the more we can build out the partnerships and create the protocols, we want to be there and doing this. >> ALEX WONG: That's why I wanted to thank Sarah. Mike got off easy. We're all working together and that's how we got to go forward. I'm optimistic that we will figure out something on that. Next category of comments are related to how do we get local communities and local content represented? We're glad that this coalition includes organizations with grass roots on the ground with people. I don't want to count how many that these organizations represent. I want to turn to Raul first. >> RAUL ECHEBERRIA: I'm sorry. My voice is like the voicevoice... okay. We know that's the ability of infrastructure is not the only driver for connectivity. One of the aspect s contents and local languages because sometimes we speak about local contents and we forget the languages. It has segue can't representations of people that are not able to speak Spanish. Everyone thinks that everyone speaks Spanish in the country, there are probably 20% or more in some countries that are not fluent in Spanish. So if we don't provide or make available contents in their languages, we are resigning that that population will not be connected, because there is nothing there for them. This is one of the points. You have to think also in local contents in a world way. Local contents, local services. Relevant, this is a subset that is not very complicated because this is something that all the governments should be working on. And it shows that is how for the community, for the people that is important, how easy of a way that they interact with the government. And also, it was pointed to me by a colleague this week was another way of... these are ways of making money. We see that in the work that we are doing in India, for example, with community networks, that we empower the communities. We empower the community and how to use the internet for improving their lives. And they find ways by which they can double their income. We have some examples of women that use it to have single incomes per month and now they have $200, which is too much in that context, buying and selling things, providing services to the neighbors, helping neighbors interact with government services. They find ways, and this is an important motivation that we should also consider as a specific way of local contents. We work very much, as you know, on interconnection. And this is keeping the traffic local when it is possible. It has an impact on cost and also an impact on the experience of the people. So I think that as we combine the things, my colleague, Michael Kende has worked for much on the internet society in countries like Rwanda. It impacts the development of the country, and this is a positive cycle. Because if we have more local content, we expand the market. If we expand the markets, we will have more investment and so on. So I think this is something that is very important. >> ALEX WONG: How many chapters does ISOC have? >> RAUL ECHEBERRIA: How many people on staff? Okay. We have 80,000 members. That's the last time I checked. Maybe we have more now, 90,000 or something like that worldwide. We have 125 chapters in 100 countries. >> ALEX WONG: I think that is why I wanted, for those who don't know, I didn't know the countries. That's exactly the local engagement that we need. Over to you. Indrajit is at UNESCO. >> INDRAJIT BANERJEE: Good afternoon to all of you. I will keep my comments brief. Let me begin by stating a position that I stated this morning too. All connectivity equates to access in its truest sense. What is startling is I read studies that showed that millions of people who have physical connectivity do not go online. One point is, why is that so? So plan to connect the next 1.5 or 3 billion people or whatever has to take this into consideration. You give them physical connectivity and they don't use it, it doesn't benefit anybody, really. We must ask ourselves a very fundamental question, which is what access means in the largest sense? And really define it clearly in terms of capacity, in terms of content, in terms of accessibility for all kinds of people including persons with disabilities. These are crucial issues. And I think the central term I would like to use in our quest for providing access is the question of value. And we have seen again and again, wherever there's been a strong value proposition, uptick of innovation is rapid. I can give you the example of India, for example. Mobile phones, I think we are touching 900 million subscribers now. A staggering, but once you look at it, it's just not a figure. What are the users of the mobile phones? Take a very specific example. They use mobile phones because they go out to sea and have no means of knowing when storms are coming. And through mobile phones they get text messages, they can pack up and get back to shore. So, how what value does access provide? Especially in people's lives and livelihoods? Language seems to be a major barrier to access. And again, locally relevant content. So local language, local relevant content are extremely critical obstacles to our quest for access to information and knowledge. And just to highlight the problem of languages online, more than half of the world's 6,000 or so existing languages, official languages are likely or most certainly disappear by the end of the century. And on the other hand, 10 of the most important languages online have 84% of the content. So I think everything has been said. Also, cost of access goes down. We did a study and the cost of access goes down significantly when availability of local content is high, and vice versa. And it also makes as Raul mentioned, our studies show, enormous business sense. It promotes entrepreneurship and builds phenomenal capacity in the digital sphere for local communities. Thank you. >> ALEX WONG: And finally we will go to Karen McCabe. You can clarify how many you have. >> KAREN McCABE: We have 430,000. It's quite a broad reach. You know, on the topic, I think there's really three points, and back to how Doreen kicked us off, I don't think we can underestimate the collaboration and coordination that has to happen among all of us not only sitting at this table but at IGF and beyond, but also, you know, within the local communities when we start engaging our respective organizations in the army of folks that we might have in different regions of the world. That does take effort. We say collaboration and coordination. And it seems simple sometimes. But it does take dedicated effort. And I think it's important. Forums like this and ongoing are critical to that. From the community perspective, I think keeping the human centered focus on it as well. We share a lot of information and success stories. We can learn from those lessons learned from those. In order to build the value of the internet, so people feel or want to join and get on the internet to do good things beyond access, there needs to be an element of trust. A way to do that is keeping our human-centered focus on what we're doing and the ethical part of it as well. Local communities are really critical to this. We can come up with a lot of ideas and concepts, but it needs to be specific to that community. Only that community really knows what's going to work, what its pain points are, what its aspirations are. I'll end with that, but thank you. >> ALEX WONG: Nigel, do you want to say anything? How many members are in ICANN? Great. All right. Another moment for comments and reflections on community engagement? Local communities? >> AUDIENCE MEMBER: Thank you very much. I just wanted to give several comments. Last year we had a workshop on quality especially as it is linked to education. Most panelists and the audience agreed that quality should be introduced. Ranking, rating, whatever. We should somehow measure when we are talking about boosting or acceleration of local content, we should assure ourselves that we know the mechanisms and how to ensure quality controls. And second point, several years ago we had a workshop through internet of services and mobile devices. We were talking about governmental services. We were talking about, you know, local services and problems caused by a local community. You mentioned that we should somehow again accelerate or improve, let's say, local communities and ask them, you know, to innovate. Content should be created by local communities. We should somehow introduce crowd platforms for them. Social aspect is a key aspect for local content development. They don't know how to participate right? Through mobile devices they will participate. Connecting different local communities. That's what I wanted to say. Thank you. >> ALEX WONG: Any other comments? The last topic is why we intentionally called this country partnerships. All these things have to happen and land when we go down to the country. That's why I thought comments by IEE and internet society, getting them engaged as examples and creating platforms so you can enable entrepreneurs, I wanted to call on a couple of our colleagues who had been working closely with us and also very focused on getting country-level action going. So first of all, Manu Bhardwaj? >> MANU BHARDWAJ: It's great to be here with you and everyone else today. The broadband state of report has come out and said the adoption rate for last year was .3 billion. I think we have seen and heard a lot at very high levels, and it's really inspiring to hear comments and statements from heads of state, from CEOs of tech companies, from leaders like Vint about the importance of connectivity and their personal commitment to it. I think now the next step is to make sure we make the most of this opportunity to have that in country impact that you're hoping for. The worst thing would be that in five years' time, we don't see any progress. I really tried to think concretely about how we can work together, and I think I have just a few observations. I think it's very important for us to think about where are we going to be working together and how can we have the most impact together? Through the global connect initiative, it's become very apparent that there are stakeholders missing from the table and the conversation. Countries simply aren't benefitting from discussions with the multilateral development banks, finance ministers and the technical communities... the folks who actually know about fiberoptic cables, about satellites. They just don't have access to this important community. Here it's ironic. We were told how important a multi-stakeholder approach is to solving difficult challenges on internet policy. For us to actually drive forwards, we have to strengthen this by including all the stakeholders in the conversation. It's also, for us, it would be very useful for us to think about how we can really raise the visibility of what everybody here is doing to a higher political dimension. Almost like maybe a mapping exercise of roles and responsibilities and how people can contribute and help a government like Tunesia, Liberia, etc. They would like to work with us to help them achieve their broadband goals. This is an opportunity for us to think strategically. What can we do as thought leaders to help these countries with policy guidance or whatever it's going to take. I'm concerned that we're not seeing the level of adoption that we need to see. We have made significant progress in creating a platform that really represents the... a more representative sample of the internet community and the strength that they have. Whether it's the world economic forum or through global connect or through the broadband commission, we need to be very action-oriented. The last thing we want to do is come next year and see that we really didn't make any empirical progress. Thank you. >> ALEX WONG: Our second firestarter in this topic is... Sonia is walking around. She left already? AAI is running country programs. We wanted to hear from her to give a few ideas. I will add a little on what the forum has been doing. Let's hear your comments Sanjira? >> AUDIENCE MEMBER: To really tackle high broadband prices. So maybe I'll just tie to the idea of multi-stakeholderism that is adopted in this space. We are seeing multi-stakeholders in many different places and not in the same room. That's one permutation. But when you try to find civil society, government or private sector, it rarely happens in those spaces. That's how the alliance for affordable internetworks. Every member signs to committing to hearing about that and working with each other. We're not going ahead unless we do that. I'll reflect on what we're learning as we integrate within the web foundation. Where would be the people with disabilities? Would they be part of that? Or is it specific enough? One of the things that I think stands out to me is we need to not just do things for people, but we have to do them with them. This is how we will gain not just sustainability, but scaleability we're looking for. So what we've learned is even when we have a country-level engagement, translating that to the global level and vice versa, leaving room who's not represented in that particular room at the time, will their voice will reflected? After this talk, whose voice will not have been reflected and why is that? Part of what we have been doing with the alliance is baking in gender by design at every level, and making sure that they understand that they should be gender responsive. Not just telling them it should be but working with them to make sure that is the case. The other thing that has come up especially from our partners on the ground is on this issue of skill. It's interesting that you framed it as scaleable country partnerships. Investment has to go beyond pilot projects. This has been very clear and specific from a summit we had on women and girls in Africa. And we said enough with the private projects. We need to stop scaling. These are some of the principles for us that are not just things we adhere to and we're talking about what we're doing and what we're hearing about from the others. And very interesting, my work is to shuttle across the global and local to make sure that those connections are not lost. I'm happy to talk about it some more, but these are some of the lessons we've learned so far. >> ALEX WONG: Maybe for the forum, I believe in appealing to people's egos and peer pressure. I was trying to decide if I should throw a number out to be provocative. When we do something at a country we're creating a platform so people can coordinate and get engaged. Quite often the solutions are there but they don't have a platform to scale up, to get more resources, to deal with the minister or government in some cases. So A for AI platform is amazing. Mr. President or Mr. Minister, here's the forum. Here's the NGOs. So that's one piece of it. It's not going to be the answer, but it doesn't cost that much money to run a platform and have a project manager to help rally the caps and keep people accountable by having conference calls and keep people on track, bringing back people together four or five months later. I think that's what we're all talking about globally, how can we do that better so that we create the opportunities for others to be involved. Together with stakeholders and what they said they would do a year ago. We hear that everybody nods and agrees to the commitment and a year later there's a report back. Nothing beats peer pressure and' go. Nigel? >> NIGEL: Thank you very much. Just three very quick points. First of all, I don't think that ICANN can compete on the numbers so I won't bother. We have lots of people that work in lots of countries and often they're the same people as I thought of having great chapters and do a fantastic job of coordinating people to take part in these initiatives. But why I wanted to speak as ICANN is that sometimes I think, you know, we constrain ourselves unnecessarily. What are we here for? What are we all here for? We're all here for a common turf. ICANN occupies a small space. We talk about a secure, single, and interoperable internet. Well, if we don't have an internet that's for everyone, then it's not interoperable. There's no point in carrying on in this game if we don't really connect those that are not connected. The second point, clearly, is as Manu was saying, we have the opportunity at the IGF to do so much more. Where are the missing people? We sit here, we talk, and we talk intelligently. We have conversations. There are fantastic people here doing so much good work on the ground and policy-making, but where are the people that we're talking to? And therefore, picking up this idea that Alex has talked about and others have talked about, we need to do more in this forum to really pinpoint what we need to do. So take a sustainable development goal, take two. Put a score card up there. Say that next year, wherever we're going to have the IGF, we're going to tackle sustainable goal 15 or 14 or whatever, and we're going to put a country list up there. Ministers from all the developing countries to come along and talk about what they're doing, what's happening on the ground to make the sustainable development goals a reality. And we from the global connect, from ISOC, from ICANN, from IEE, from the fantastic work that Wesley is doing, the UNODC, others are all doing work in the regions and we can come along and talk to those ministers, officials, and stakeholders in the countries to see how we can practically help. Thanks. >> ALEX WONG: Thank you, Nigel. Excellent. So another couple minutes for comments, interventions? Thoughts? Criticisms? Introduce yourself? >> AUDIENCE MEMBER: Good afternoon, everybody. I am from the Gambia. I want to ask the representative from Facebook. A day before our I elections in the Gambia, our government shut down the internet basically for 24 hours. Could not have access to the internet banks. Is there anyway that Facebook or any of the internet stakeholders to help in those situations? Like a back way for the government to shut down internet for everybody? Can there be a way that people can use, or maybe can there be legislations or policies that can be used to punish the government to avoid it next time? Thank you very much. >> ALEX WONG: That's a huge question and probably more than just Sarah has a comment. Any other comments or thoughts? Okay, please. >> VINT CERF: It's Vint Cerf from Google, but let me speak as an internet engineer. It's not hard to shut down the internet. You shut down all the underlying mechanisms that allow packets to move. That's what happened in Egypt during the Arab spring. We should be aware that it's possible for governments to do things like that, by shutting off the underlying transmission systems that allow people to get access to the system. When that happens, I would guess that it can't happen for very long before there would be a reaction. In the case of an election in 24 hours, it might be hard to respond quickly, but longer than that, people are going to start using radio connections and satellite connections and there will be a number of different ways of getting access outside of the country on avenues that are not under the control of the government. I think what we should be striving for, of course, is to find ways to remove incentive for the government to do that, because it's so harmful. Let me flip this around and point out that our American election experienced a different problem, which is a lot of disinformation that showed up in the network. We're still speculating about how much impact that has on decisions. Freedom of access to misinformation is not necessarily a good thing unless you can tell that it's misinformation. >> ALEX WONG: We're off the topic a little. Michael and Sarah? >> MICHAEL KENDE: I wrote a blog about what happened in the Gambia and posted on Friday, and the message I tried to convey is what probably happened there is that by cutting off the internet, it mobilized the opposition. I think people who might not have voted got mad and went to the polls. It certainly happened in Egypt when the internet was cut off. More people who had been at home complaining on Facebook and Twitter went to the streets. If we can get that message out to dictators that cutting off the net reduces the number of votes you get, maybe there's hope in those countries where they have elections. >> SARAH WYNN-WILLIAMS: Can I say that I think it's a really important issue that you highlighted. I know it's not central to how you structured this. I think it's great that previous speakers had such an optimistic take on it. I'm aware of countries where Facebook has been cut off for months. An island country like Niru, Facebook has not been available, I think over a year now, and there's no intention, no discussion, no mobilization, there's no alliance that we turn to. I think this is a real problem. I think if we are... if there's any group of people that should be mobilizing to stop these type of blockages, it's the people who are hear at the IGF. And if anyone wants to chat with me about it, has great ideas, if anyone is thinking of... we have been working with brookings and others to produce data about the impact of blockages. We have worked with others on the keep it on campaign. We're trying to bring attention to this. But what we're seeing is an increasing proliferation. There have been over 16 blockages of Facebook this year alone. It's a real problem. We're not talking about it enough. >> ALEX WONG: It is relevant to this discussion. We have been discussing the positives, and it is a little politically intentional because we don't want the governments to immediately focus on all the negatives and maybe by the time they figure out the negatives it's too late. We need to get into those kind of discussions, and this is exactly part of what the IGF forum is also for. With that, let me... I can't believe we're actually on time. With that I will call on Vint to make closing remarks and reflections on this challenge. I want to say for Vint, when we talked earlier, your reminder that we got to let the bottom-up people find the solutions and connect themselves, that resonated with me. I wanted to thank you for that comment and invite you to say a few words. >> VINT CERF: Thank you very much. I'm going to try to make four simple points. The first one I want to make is to remind you of sort of the biological character of the internet. It is a kind of organism. It's made up of a lot of parts. It lives in an environment that keeps changing, and the way that organisms survive is that they adopt to changing conditions. And so, that's one of the things that we have to recognize is that when the internet was designed, bob and I thought that the best way to get it built was to just give everybody all the instructions for how to make a piece of internet and let them go build parts and find somebody to connect to. It's a very biological kind of model. And that works extremely well. And so, as we think about how to get more internet out there, keep in mind that trying to do stuff from the top down is less effective, generally, than making sure you have enabled and empowered people who are motivated to go build pieces of internet and find places to connect to. So that's a good model. It's a good paradigm and one we should continue to exercise. The second thing I want to draw your attention to is this wonderful word, "readiness." It applies almost everything. If our desire is that we want another 3 billion people to be connected to the internet, we have to ask for each of them, are you ready to be connected? Can you use it? If I install the equipment and you don't know how to use it, you don't have things in the right language, you haven't gotten electricity, do I have business models, do I have the ability to fund new start-ups? What are the conditions for running new businesses and growing them? The key question here is making sure whatever needs to be ready is ready for the objective that we're trying to accomplish. That may vary in different places. We looked at Google at how to make 2G and 3G useful in an internet setting, even though it means we have to compress things and do a bunch of other technical tricks, to try pre-loading and all of that. The whole point is to do as much as you can with the conditions that you are faced with. And then try to push the envelope wherever you can. So readiness in all of its dimensions, financial and educational and everything else are very important. The third thing is that we may be overhyping the multi- stakeholder model. I'm sure you're shocked to hear me say that. Let me explain why I would say that. Not everyone in the whole world needs to be involved in every action that we take. [ Applause ] Okay? It's amazing how much a few motivated people can get done. And so, what we need is for the right stakeholders to be working together wherever it is that we're trying to get something done. So it doesn't have to mean everyone. But it does mean critical mass. That's what we need is the stakeholders that form critical mass to accomplish the objective. And my last point has to do with something we'll call people-centered internetworking. I listened to the various metrics that we tried to form late for making progress, and I would submit to you that the most important metric we have is, did we make anyone's life better when we took the actions that we took? When we built infrastructure? When we provided people with equipment and training and everything else? New business models? Did we make anyone's life better? If we can't answer that yes, then we must not be doing the right thing. So please keep that in mind. And that's the end of my homily. [ Applause ] >> ALEX WONG: Maybe I'll just add the quote Margaret Mead said. Never doubt that any dedicated group of individuals can change the world. We have the resources and the organizational where with all to be here, and that's the group that has the opportunity to change the world. So I echo Vint's challenge to us on that. So thank you, everyone, and really please also thank our partners who spoke in sharing and all of you that contributed and listened. Good luck everyone, for the rest of IGF. [ Applause ] Please standby for realtime captions. ... workshop. Good afternoon, I hope you all had coffee to be awake and aware. So the question for this workshop, or the title is what makes cybersecurity awareness campaigns effective. We have brought together my colleague, Maria Bada, Michael Kaiser from national cyber security alliance, and Liina and Kerry-Ann. And then we start trying to arrange this session format by like interviewing each other on specific issues about cybersecurity, comparing what makes them effective, what are the challenges. What stakeholders should we involve and are there any other metrics that can be used? Slides? Okay. If you see on the slide behind me, there are some examples from around the world that we think are good cases. Those from Canada, cyber aware from the UK. Awareness and the Australia cyber safety campaign. These are some examples that we would like to present. Beyond that the panelists often will introduce their best cases and approaches. I'm going to start now the interview chain. I will ask my colleague, Maria Bada from the global cyber security capacity centre. Maybe tell a bit about your research and what do you think are the most critical sectors. >> Dr. MARIA BADA: Carolin's question puts me on the path of discussing exactly why campaigns fail. They didn't always fail. But let me say a few words about my work. It's one of my subjects that are very interesting for me. So around the world, there are many nationalnational cybersecurity awareness campaigns. I have seen through my work at the center, we review cybersecurity capacity at the national level, so we look at this issue as well. From my experience, visiting countries in many regions, actually in Latin America, Caribbean, eastern Europe and Asia and in Africa, I always looked at this issue. And the discussion always goes to that behaviors are not really intended. So campaigns don't have the intended outcomes. So why do they fail? There are many reasons. One of the main reasons is because they're not coordinated and maybe they... they don't have target groups targeted. One of these issues as well is not only the message, but also the messenger. Also many countries have problems when it comes to resources, so many countries are not long-term sustainable initiatives. We know that in order to change behavior, we need to change attitudes and intentions, and that takes time. So an effective campaign should be a long term process. Another issue is the fact that campaigns usually are not aligned to a national goal. So I will talk about it when discussing about the best practices, but especially in the UK, and let's take that as an example. So the national awareness campaign, Cyber Aware, it's linked to the national cybersecurity strategy. It links to the policies and goals of the country. The targeted groups, sustainability, and that is an issue that I could say that makes it good practice. I could talk about this for hours. I don't know how much time I have. [ Laughter ] >> CAROLIN WEISSER: I think we can go further on the chain and Maria, ask your most urgent question to one of the other experts. >> Dr. MARIA BADA: So when we talk about the national level campaign, and let's take, as an example, many countries adopt best practice. What is the process of adopting the campaign if you are a country, and which stakeholders should be engaged in the process of such campaign? >> MICHAEL KAISER: We were founded in 2001 in the United States with the sole purpose of providing education and awareness. Our targets are very broad. They're general population, small and medium-sized businesses, reaching into schools, educators, and basically every American. 330 million plus people. That's a challenge. We realized we couldn't do it on our own. We give a lot of thought to who is the messenger. If you think about behavior change, cybersecurity can be about both behavior change or adopting good behaviors to start out with, which is our preferred model but hasn't worked out so well. You have to think about who do people listen to. You have government. Government is definitely a stakeholder. It is a place where many people, most countries can turn to for certain kinds of advice around safety and security. United States, we have a lot of campaigns, you know, whether it's about forest fire prevention, traffic safety. The message is expected to come from the government, right? In cybersecurity, I think the messengers are varied. You have to have the very robust representation of the private sector. In the U.S. you ask people where do you expect to get information about how to stay safe and secure online, they will say my ISP or my security software provider. They will say my bank or the social networks. They're going to say the large websites that they maybe visit. They are stakeholders, right? If you're looking to carry a message and looking to change people's behaviors, you've got to look to people that they trust to deliver the message. The key and what lies under the core of our campaign is harmonizng the message with all the stakeholders. So whenever I decide to go to get my message, whoever I want to pick, I pick the messenger, right? I don't get the messenger picked for me, they send the same message. And that's really the underlying fabric of the way we do our work. We had Facebook and AT&T and Verizon and visa and security software providers like Trend Micro, Semantic, McAfee, everybody coming together to create a message that they felt comfortable delivering to their customers. We can talk more about message delivery in a bit. It's really simple. There's a free license, obviously we want to create our IP. Everything is free. You can sign a license and you can stop and connect and use it. Or you can take everything that we have precreated for you. We're interested in translation. We would love to talk to you if you're interested in translating it into a different language. And just so you know, these are the other campaigns we run. Stop think connect is the global message but we created the national cyber security awareness month back in 2004. Data privacy day, we imported from the EU where they have had data protection day for a long time. And we've been doing that in the U.S. since 2011, focusing on privacy and security. That's just the beginning of what we do in a nutshell. I have a question over here for Barbara. Because, it's only fair that we all get asked a question, right? I'm not going to let you off the hook on that one. So you know, I know that OES has really been a great provider of assistance to countries as they start to develop education awareness campaigns and you actually created a tool kit. What kind of things do they need to take into consideration that allows them to create a campaign that allows them to meet the needs of their citizens? >> BARBARA: Interesting at OES, we have intraAmerican comprehensive strategies. It has in the title, creating a cyber security culture. I think it's interesting to what Maria mentioned at the againing of how do you raise awareness and then you can actually change behavior. But what is common practice is when you actually change the culture. The first step is go through the entire process under acquiring skills, getting the knowledge, learning about this, applying this, and turning it into culture is raising awareness about it. As an international organization, we are an organization... in our case, regional trends in Latin America and the Caribbean. Throughout our research and actually with sites with the global cyber security capacity center, we developed a portal called cyber security observatory, and we have five areas where we try to understand cyber security, and one of them is culture. When you are developing, gathering information, understanding what is the situation of the region, very few countries have a national cyber security awareness campaign. How do we do this? And first it was interesting. We thought let's try to develop a cyber security awareness campaign itself, and we said it's not really the issue. It's not about us developing the campaign. It's teaching them, providing tools of how they could structure their campaign. That's why we call it the tool kit. It's more of a policy tool kit that provides what are the different things you need to take into consideration in developing a cyber security awareness campaign. It is already taken into consideration that we have different countries, different socio-economic situations and we try to generate a policy structure. When we present this to countries, we also try to present alternatives. For instance, one of the first things you have to do as multiple stakeholders is going to be a target and think, oh, a lot of resource s so it is something that is really interesting how they can convene different stakeholders. It is how can they form late a cyber security awareness campaign since the beginning, and also to take into consideration, I have to include metrics. But how are we going to reveal this and bring in the right groups? We are developing it. We were concerned that it wouldn't be for just one specific country. It's so everyone can use it. And not only governments, actually. Any stakeholder can use this as a reference. Enough about OES. Let's move to or next panelist. And I'm really glad to have Jorge here. And a national cyber security awareness campaign. We have been discussing the challenges, Michael mentioned different stakeholders, and I was mentioning how difficult it is for some countries. So if you could explain some of the lessons that we learned when implementing in Colombia? >> JORGE: Yes, in Colombia, we have two words in Spanish. This initiative started in 2012. We have had some impressive achievements. For instance, we achieved more than 6,700 websites with child pornography contents. In fact, this is important because we need to talk with, you know with the national police, with the ICT ministry. So we need to work together with a lot of also... this was promoted comes from this. The lesson here is that we need to work together. The government can't work on this alone. We need to work together with NGOs and the sector. The next part is very important for Colombia. This is another lesson that we need to have. We need to have like focus on several populations for this kind of campaigns. So with this campaign, we focused on young people, but also we wanted to give young people to enable and protect them from insecure use of ICTs. So now, that's because it's very important to have a population. We see 2 million people in Colombia with attending the workshops. They need to have the contact with other people. And but also we have a portal. We have multichannel strategy to help these people connect. We have courses with more than 9,000 peoplepeople. And another lesson learned here is the people want to know about this with the right people. What does that mean? That young people don't want to hear advice from old people. They want to hear information from people like them. So we hired very young people to bring these kind of courses and to lead the workshops. The other thing is that the people want to help like not only that but also the recognition. We have certifications. So when they achieve a course, they got a certification. It is not like a sign of achievement, yes? It's a very important way to engage them. One or two years ago we made a contest. In this contest, we wanted the schools to beat the others, to fight with the others in providing new content. This is very, very hectic in the social networks because they started to move the contents. And we have a hashtag called a digital poll. And using that kind of hashtag, they got crazy. Because they want to show their products of each school, and we have made some alliances with companies to have some gift for the people, for the team over at the school that got the most... the best campaign of them. So I think that... those are the main important things we are doing in Colombia. We just joined a stop think connect initiative. We are working hard in Colombia, not only to have stop think connect to help improve our security, but also we can share our contents and our material to the world. So I think that's very, very important. So thank you so much. >> CAROLIN WEISSER: Maria, what are the challenges on how to measure success? And what metrics exist and which are good ones and where it doesn't work at all? >> MARIA BADA: Usually metrics being used quantitative or qualitative. It would be data gathered on how many people visited the campaign, how much time they spent on the website. Issues like that. But the challenge is when you actually look at the qualitative part of the measures, so when you actually try to measure attitudes. One of those is that people denned to be more positive when it comes to their behavior. So how do you actually measure the actual behavior? I don't know. Who wants to take it? >> MICHAEL KAISER: We have been doing this for a while now, so I'll take a stab at it. Metrics tell you what you're trying to do and how you're trying to achieve it. When we started the stop think connect campaign back in 2010, we thought about what would be the first measure of success. So the first measure was could anybody identify that that's the message? Forget behavior change, that comes down the road. Can they identify the message? Can they identify it like what else the message might be telling you to do? Think about the consequences of your actions online. If I do this or post this, what might happen to me. And the connect part is less about the connection to the internet and more about how the internet connection to the real world. The better the security, the more you can do online. Right? The worse the security, the less you can do online. So we look at that message as a positive, enabling message. First they have to be able to recognize that and then recognize the advice. Keep a clean machine, own your online presence. Lock down your log-in. The things that if you do them, make you safer and more security. So you have to do that. So we do that in a couple of different ways. Our campaign strategy since we're in the United States, with e... we're in a huge country and we have a coalition of the willing for the campaign. We track a lot of stuff, right? We have extensive media monitoring where any time somebody uses stop think connect in the media, we see it. Any time somebody uses "keep a clean machine," we track it. This is a sophisticated tool, and we know how many millions of impressions that we're generating of the message. So that's number one. Then we've done that and then we've gone back and looked. We have asked people, have you heard any of this advice in the last year? 50% of adults in America had heard the advice. So there's awareness of the advice. Now you come and then we had teens were even higher, like 72% this is the most difficult part. That's not that complicated to do. There are so many tools out there that you can do that, right? You can do it on social, too. You can do hashtag tracking and all kinds of different things on social. So how do you get behavior change? I think this is really hard. When you have a diversified campaign and people are changing their behavior, there is no way to tell whether it was actually me that influenced your behavior. Give up on that. I don't care where they got it, I just want them to do it. Maybe you can look at how many BOT nets are happening in your country. Maybe you can look at some other many measures. When you look at real data you will find out that people haven't changed their password for five years. We're looking at doing more control. Doing a pre-test. Look at a college campus. Where we might be able to track infections and other kinds of things. They will know whether people changed their passwords. And see if the campaign led to that change. It's a really hard question, and I think it's one that this community out here, this community has to work on with us together. There is no mire cull cure here. But I'm curious what other people will say. >> JORGE: The two indicators? Obviously in our programs, because we need to have numbers about how many people are with us in the workshops. How many courses we have active. How many people have reached the certifications. But it's something like something that refers to so I just learned about some tool s to look if you follow stuff like that, we need to move to that kind of tools. We need to have more instruments helping our students. We need to do more work in focus groups in which we can do like a light survey about how they do things in cyber space. And try to have some numbers of that kind of workshops to know and have the same several groups and trying to have like a baseline and they need to do it in a systematic way to know if things are really changing. >> BARBARA MARCHIORI DE ASSIS: You have to keep in mind, try to develop ways of measuring it. We were discussing complicated planning. I don't know. But some specific discussions with the groups, but it's important to have this idea in the long term and try to come up with this. Also to the outcomes in terms of how do you do this? And have this process. Some people when you're working how to develop a campaign, get frustrated at the beginning because we don't have any structure. So let's target the general structure and then start at the beginning. As you implement your campaign, you see other things. I think Mike is a great example. He's been working for 15 years, I think he mentioned? How he was adapting and creating. Okay. So we see the problem. At the end, forget about behavior, but you need to be sure. We're adapting. I liked his idea of having a feeling of don't be frustrating. Start with the indicators. Every time, review it. Think about what are you doing, how you can change, how you can improve this. >> MICHAEL KAISER: Can I ask a question? So I mean, it's good for everyone. To Maria, you mentioned that one of the reasons they fail is the message. I would like to hear more about that. I think in security, you know, this is Michael's view of the world right? A lot of the messaging is tell me what you think. I have lots of ideas and I'll hold off. I want to hear your notion of why the messages fail. >> Dr. MARIA BADA: So it's one of the fundamental issues when you want to develop a campaign, what will the message be? There's a lot of research around it. There are issues you already mentioned. The cultural differences. There are issues that you have to take into consideration. Is this culture actually more of a collectivist culture? And also, the fundamental mistake is that messages tend to be kind of complicated and too difficult for people to understand. And I think that currently we expect citizens and users to become experts. Like we advise them to actually show certain behaviors, but we're not sure that we understand what we ask them to do, or whether they perceive risks and they understand what they should avoid, how they should behave. I think that's one of the main issues when it comes to messages. >> MICHAEL KAISER: Go ahead. >> BARBARA MARCHIORI DE ASSIS: We are still struggling with penetration. If we want people to be connected, but you're telling them, oh, it's dangerous. Do this and don't do this and that, how can you make sure that people will be conducting their business online? Because we want them and it helps for productivity. It definitely affects a country. It is important to also be aware that we wanted to make sure that people are conducting their business online, for example. Especially many countries in Latin America we have with SMEs. Encourage them. We have to be sure to have a language that is encouraging them to be online, but of course, safe. I would love to hear both of your experiences with this. >> MICHAEL KAISER: So there's a couple of things that are really important. Frequently, there are too many messages. When we started stop think connect, I sent people to harvest off how many messages there were to stay safe online and she came back with 240 messages. Right there you have a problem. No one can follow 240 rules. You don't have that many rules for driving and that's a lot more complicated than what we do online. The other is that we've failed in the message, right? I will give you what I think is the most horrendous example of messaging, and that is about passwords. First off, we've changed it 15 times in the last five years, right? Secondly, we've given them too technical. How many of you... anybody here security professionals? Cybersecurity professionals? How many of you have your own method of creating a secure password? How many of you have tried to teach that to somebody else? How many people have adopted your method? I rest my case. So what you see here is that like just because I know how to make myself safe and I think I have a good way to do it doesn't mean that it's adaptable by anybody else. So there's a problem with that, okay? Second problem with passwords, we've been telling people how to make secure passwords for years. It's one of the most primary pieces of cybersecurity advice we've had since the dawn of the internet age. Guess what? Nobody follows the advice, and we keep giving the same advice. If you give a message that they don't follow, why would you expect them to follow any of your other messages? This is why messages fail, right? I'm supposed to have a secure password, I haven't been hacked, they must be wrong about the other thing, too. The message is so important. We can talk later about crafting messages, but I think this is a real problem area. >> JORGE BEJARANO: I want to add something but I don't know if I will be able to explain it. It is very Colombia specific. We have a fruit that we call Papaya. Does somebody here know what that is? Good. It is a delicious fruit. Even once the Papaya is cut, we eat it. Because it needs to be delicious. So we use it to explain to people that please don't give... we use it to say don't give Papaya to the bad guys. Yes? Are you following me? Yes? Don't give Papaya is like not do the things, don't bring the treats to the bad guys. So we have only very small message. Don't give cyber Papaya. That's all. Everybody in Colombia understands that. It is a very good message, and it goes for small and medium business, it goes for the students, it works for the old people, because everyone's... everyone understands Papaya concept. So I hope that I achieved that. >> MICHAEL KAISER: Great example. >> CAROLIN WEISSER: I have one last question for Michael. You mentioned that you had marketing research to test the messages. Do you think like classic marketing approach and advertising, commercial approach to develop messages is more effective than having like, doing more like educational messages from other fields? >> MICHAEL KAISER: I think it's a combination, actually, right? So when we did our messaging on stop think connection, we went and asked consumers, American general consumers over 18 a lot of different things about cybersecurity. We took a marketing approach. To this messaging, right? We want to tell people what was one of the classic messages that's still out there? Don't click on any links in e-mail. There's another rule that people can't follow. So we have to be more creative. So we take the marketing approach because the marketing approach that we took, the firm that we used looks like how do you connect the emotional and feeling state that people have about being safe, right? Back to the action that you want them to do? Now not surprisingly, you know, I'll just give you a quick example of how they might have looked at that. We went... actually this was back in 2010. We went through and said okay, here are all the things that, you know, you've said... we asked them in a survey, what are all the things that you can do to stay safe online. They listed change my password. Then we asked them what's the one thing that you're not doing that you should be doing? And they would give that answer. Let's say it was update my software. Then we would ask them, okay, if you were to do that thing, right? Update your software? How would you feel? Right? What's the feeling state that you would have? I would feel more secure? My family would be protected? Then we would go a step further and say what would be the ultimate benefit of doing that thing which you know you're not doing, which you know would make you safersafer? Things that came out were things like peace of mind. You reverse engineer from the message from the feeling state. You want to feel better? Update your software. You've got to... here's the basic principle, right? We could sit here and brainstorm ways that people could be safe online, but they're not going to receive it unless it's delivered in a message that makes sense to them. The other really key finding in that, and we can talk about the messages themselves, but the other key thing we found, which I still use all the time is they were so clear. They get it. There is nation state hackers, there are cyber criminals, there is the kid next door trying to get into their computer. There's all these people, and they feel kind of fatigued by all of this attacking that's going on. But they said over and over and over again, give me common sense things that I can do that are in my control. Right? I expect the government to protect me from nation states. That's not my job. But what I can do? Just get into that where they're at and giving a messaging that responds to the moment that they're in is great. >> CAROLIN WEISSER: I would like to ask if there are any questions in the audience? I will start with the gentleman in the first row and the lady here. Please introduce yourself shortly, and if you direct the question to someone specific. >> AUDIENCE MEMBER: It's general. I want to know if you know focused campaign for a person of the usage system like a police officers, judges or prosecutors? Because I think that it's important that they know the risk in the internet. Because most of the times they don't understand cyber crime. So that is the question. Sorry for my English. >> MICHAEL KAISER: Is that a campaign for them to be safer online or a campaign for them to understand better the risks of the people that are coming through the system? >> AUDIENCE MEMBER: More about cyber crime. >> JORGE BEJARANO: In Colombia, we have very good cyber police in Colombia. They have campaigns about using tutors and of course, their web page to let other people know about the cyber crimes. Because, of course, this is a very technical... we have a lot of technical words there and many people don't know what is that word? We need to go back to the beginning and try to explain to people what kind of crimes we have. What can you do if you are affected by an incident. You need to know what kind of preventative actions you can do. So the police have a specific campaign inside the police, and as I know, they have like communications plan in which they have like weeks where they want to talk more about one topic, because it is probably there are an interest on promoting that kind of topic. So they want the people to talk about the topic, and they want to promote the kind of communication with the people. >> Dr. MARIA BADA: I want to add something, because I think it re lates to your question. Another important issue, and we discussed about it, is the reporting mechanisms, they usually report or relate to initiatives of the police. And that's another issue when it comes to creating effective campaigns. Linking law enforcement prosecutors to the national campaign end users. To linking them all together. I think that's very important. >> MICHAEL KAISER: I can add a little bit about the United States. The United States has 14,000 local police departments, right? That's a problem right there, you know? Larger departments, I can't speak to prosecution or judicial end that much, I have cyber units, right? Most of them started originating on child pornography issues. I think they're coming to the awareness more that almost every crime has digital elements now. You know, because everybody has a phone in their pocket or a computer at their home. Maybe if they were a burglar, maybe they were doing a Google map search. It's all out there. So they're getting more aware of that, and I think they're doing a better job. The other thing that's happened in the United States, and I'm not sure if this happened anywhere else, police departments have become targets of the cyber criminals. So the departments themselves have had to harden their networks, right? And these are small departments. They're not huge. There have been ransomware attacks, anonymous attacks on police departments when people are unhappy with the trajectory of an investigation, there's a pretty famous case in Steubenville, Ohio, there was a sexual assault, and someone went in and stole the video of the attack that was happening at the party and posted on the internet. There's an awareness of needing to protect themselves. How secure is your police department? Right? Let's start there. And then let's move out. Maybe that's an incentive? >> CAROLIN WEISSER: We have another question. The gentleman? And then in the row before. Maybe collect those two questions? >> AUDIENCE MEMBER: Hello. I came from Portugal. I work with young people, so it's first of all, it's interesting to hear, and I totally agree about how important it is to use peer education in cybersecurity campaigns. Secondly, I would like to address the issue of the messages that mainly reflect on fear. I think when I go to schools, sometimes kids aren't really aware of the consequences, but even then, when I tell them the consequences, it's like it's been said, sometimes the emotion or the feelings about doing the changes or accepting the security doesn't really help. So my question is, is there a way of changing the parenting? For instance, using the fun factor? Since they are kids, they would be interested in doing it just for fun. Thank you very much. >> CAROLIN WEISSER: And that gentleman? Yeah. >> AUDIENCE MEMBER: Hello. I'm an ISOC ambassador from Indonesia. My question relates to cyber security awareness campaigns for all demographics, because I noticed that a lot of cybersecurity campaigns today focus on younger kids and the younger demographics. Can you share best practices to get more adults? I'm talking about 50 years of age and above... to be more aware of issues and to be safer online. I think they're much more susceptible. A lot of them in Indonesia, they believe the phishing messages, e-mails, and that kind of things. >> Dr. MARIA BADA: So related to the messages, you're absolutely correct. Campaigns have been using actually fearful messages, which are proved not to be effective. Actually, they have the negative effect. They tend to create and cause stress, so that makes users just ignore the message. So you're absolutely right. When it comes to children and parents, we've seen... I've done a lot of work in raising awareness for children in the school environment and talking to parents as well. And again, when children don't really realize the risks. And it's absolutely normal. But parents don't either. So also, there is actually a big gap between the communication, between children and parents. So usually if a child has a negative experience online, they will not communicate that, necessarily, to their parents. That's actually a very important issue. How do you bridge that gap of communication? Mike, do you want to answer? >> MICHAEL KAISER: A couple things. First of all, the senior issue the older folks, I think that's a really good issue. Larry just issued a guide for senior citizens on how to stay safe online, trying to take some of the core messaging and making it more friendly to seniors. It's connectsafely.org. It's a great document. Out of Canada, it's not only on security, but there's a phenomenal film called cyber seniors and it's hilarious and funny. They teach them to use Facebook and Twitter. There's a message in that about how the younger people can teach older folks how to use the internet. By the way the senior citizens know a lot about judgment right? We accuse them of clicking on things they shouldn't, but a lot of research shows that they have a lot of good judgment and can filter that stuff better. Maybe there's an interchange. On the kids, I think there's a couple of things. This is one of the problems in cybersecurity education. People say have a mascot. You have to have a movie star. The truth is, those may be true and they all help. I'm not saying they're bad. You have to have something that's relevant to them. You have to speak relevantly. I totally agree with the fear-base. When we created the stop think connect, we have an exercise where if you have a message that's fear-based, we'll never use it. Which led us to the whole aspirational messaging. Keep a clean machine, own your online presence, things that are empowering and make you feel that you can control it. That's one. We just did research with 13 to 17-year-olds and I want to go back to your point, but we asked them what's the most thing you're concerned about? Unauthorized access to my accounts. That is a straight-up security issue. So you need to know what their concerns are. Often as adults are, we tell them what the concerns are. Be concerned about sharing too much information, meeting a stranger, posting something that will keep you from getting a job in the future, right? All real issues. I'm not saying they are not real issues, but if they're not interested, they're not going to listen, right? So that's one. On the parenting thing... on the kids thing, this research that we did is on our website. We also saw that 40% of the kids that we interviewed 13 to 17-year-olds said they would turn to peers for help with online problems. So that's an avenue right? If you say I'm going to go into schools and I'm going to teach you how to help your friends, as opposed to lecture them. You're teaching them how to help their friends, right? At the same time you're building their resistance and you're probably building their resilience at the same time, which is the core of all cybersecurity, resistance and resilience. So maybe teaching them to help their friends is an avenue you want to look at? >> JORGE BEJARANO: Only regarding the first question, in Colombia, I answered that most of you knows sesame street? No? So we did that with sesame street, and we did a TV series called monsters... monster in the net. Focus on children between 3 and 7 years old, and we never use words like risk. Never. Because children doesn't understand the word, "risk." So we were doing like positive reinforcement about good habits and behavior on the net with that kind of series. And I think it was great. We built a portal, we bring material for educators and material for their parents to work together after the TV series. I think it was a very good project for that kind of age group. >> MICHAEL KAISER: See we all learn stuff when we come on those panels. >> CAROLIN WEISSER: It was very productive. It was a capacity building exercise for the panelists itself. I would like to raise awareness for one more thing. If you could put on the slide. A lot of information on our cyber security capacity portal. A lot of information for best practice and knowledge and cybersecurity, a lot of information, etc. And as I mentioned cybersecurity capacity building. I also would like to flag that on our Twitter account @capacitycentre, you find a short online survey. We would really appreciate if you would participate in the survey. It would support our research. It's in the very early stage, and I think as more people give their input, especially people who are here and experts, it would be beneficial for our research. You can find a very successful paper that Maria published last year which got a lot of attention. Otherwise, I think our time is exactly out. We have another... we have time for one more question? I'm sorry. Okay. Sorry. >> AUDIENCE MEMBER: I'm a consultant. Looking at it from the outside, I'm not involved in these sort of actions, what I tend to see is that there's a canyon, a big ravine, and you are standing on one side shouting to the other side, you're unsafe, you're unsafe, be ware, you're going to fall into the canyon. And they're standing to you with their backs not listening, looking at the internet and how great it is. But the people standing there... so the first question is how do you envision to build a bridge over that canyon to reach them? And the second one is people standing there with their backs to you will forever be standing there without any consequences. You can be unsafe online without any consequences even when your bank account is emptied for you, the bank will put it that, that sort of thing. So there's no cons consequence. Is it time to impose a consequence about not being safe? How could that be envisioned and realized in some way? Thank you. >> MICHAEL KAISER: So you've asked a classic cybersecurity education and awareness question. No, it really is. I don't think there's... I know other people might have thoughts about this. But there's a couple of issues here. I'm not sure that consequences would ultimately change behavior. There are consequences if people drive improperly and people still do that. There are consequences if you smoke cigarettes and people still do that. You have to look at what level of eliminating the bad behavior is your target, because you will never get rid of it all. And we know that people, and this is just people always think I think Maria's the one that will get hacked, not me. So I don't have to worry about what I do, she has to worry. That's a human nature issue. These are all things. But it partially brings me back to building on something that you said. You can't look at sib security education and awareness and say I'm going to get this message in front of somebody and it's going to be done. We look at making cybersecurity second nature. That's really the goal. Living in a traffic culture has become second nature to us. Any country in the world, any of us could go out and cross the street and if there was no stoplight, we could do it safely, right? Occasionally there might be an accident, but you know? How did we get there? How did we learn how to do that? So I will ask you, think about this question in two ways. How many of you have children who are young who you're teaching... have young children? Okay. Not too many people. How many of you were young children? [ Laughter ] Should be a larger sample. Okay. How many times did your parents hold your hand at the corner and tell you to look both ways before crossing the street before they let you cross the street on your own? Thousands of times. This is about developing habits that eventually lead to your being able to negotiate the web by saying that e-mail looks horrible. I'm not going to that website. I don't like the way they're asking me to access this website. I'm not doing that, right? I don't like the information that they're asking me here. I'm making good choices because I've been trained to be... to have good habits right? Not because I'm following a set of rules. Not because I'm following don't click on that link or my password has to be 97 characters. We've done it with driving. I don't know why we can't do it with this. I think that's a great example. Teaching kids from very young, instilling these concepts. I think in the United States we think about teaching kids exercise is good, eating a balanced diet is good. You learn about that over a lifetime and that there is a positive thing in there. The only thing I would say about consequence is you would have to find the consequence that means something to people, right? And if you could figure that out, then maybe there is something there. Maybe that's worty of research. What is the negative outcome of online... doing somebodying online that get you to change. >> Dr. MARIA BADA: Can I provoke that? You're going into the negativity. Not mentioning the consequences, but the gains? People tend to actually prefer convenience over security. If it's complicated, I would ignore the security aspect and I will just... But yeah, I'm more in favor of positive messages. >> MICHAEL KAISER: Me, too. We shouldn't assume that consequences work, and I don't know that fear... fear-based messages work for people that are already paranoid. We don't know the answer to his question, though? We don't know if there is a place where this could happen and like, yeah. If you don't know how to cross the street, you could get killed. That's a pretty severe consequence that everybody understands. Whether that motivates a 4-year-old or motivates the parents to teach a 4-year-old... don't get me wrong. I am not for a fear-based messaging. I am for powerful, empowering messages. >> CAROLIN WEISSER: Are there anymore questions? Yes please? >> AUDIENCE MEMBER: Thank you. My name is Alan dewine. We're a pre-start up organization focused on privacy and security in the education market. One observation I would like to hear your comment on, very good talking about working on increasing and improving awareness in cyber hygiene among children and adults. In education, they are involved increasingly in different kinds of online academic efforts, games, etc., that are imposed on them, in effect, by the school. They're agreeing to privacy policies that way that may or may not reflect functionality or good security practices that actually keep data security and the privacy policies actually reflecting what is actually done. What's your observations in that area? >> JORGE BEJARANO: I have a huge concern about the privacy in the young people, connecting with that. Younger people is less conscious about privacy, and probably they don't care about it. So we need to work very hard not by only trying to force them to fulfill like, you know, this is the policy and you will fulfill this and this and this and this. Beneed to raise the level of consciousness in young people. And if you are getting things free, you are the business. We need to know that nothing's free. So we need to connect that and try to bring the message and raise the consciousness. >> Dr. MARIA BADA: Talking about young people, maybe we are older here, but maybe the idea for privacy for them is different. It was interesting what Michael said. It raised concern for them, people have authorized access. So they don't want people to have access to what they don't want to. But maybe other things they are willing to share. It's interesting, because it's more about trying to teach them, okay, what you don't want them to have access? Make sure to protect us. >> AUDIENCE MEMBER: The points are good and well taken but they miss the point I was trying to make. Often in the school setting, the schools choose products for the students to interact with. They don't have a choice to evaluate. This is school. >> MICHAEL KAISER: Nice to see you again. Haven't seen you in a while. >> AUDIENCE MEMBER: Hi. >> MICHAEL KAISER: So I will say that first. This is the kind of issue that can't be answered only through education and awareness. Certainly there needs to be much more transparency in the tools that schools are implementing for their students. That transparency is probably as much for the parents as it is for the students. As you say, if you're talking about a third grader, you can read them a privacy policy but they just want to press a button. But the parents should be playing a role in understanding. I think schools have an enormous responsibility to ensure the integrity of the data that's being collected about the children and the school. Not only the integrity of what and how information is being used, but where is it going? Is that cloud provider secure? What would happen if they sold their business to somebody else? Does that nullify... there are so many complicated issues there. And I think the student data privacy issue, which is very hot in the United States. I don't know if it is in other parts of the world, but it is unresolved, and I haven't heard that many sessions here at IGF on that issue. Maybe there have been and I didn't see them. But to the IGF folks, this is a discussion that maybe should be happening globally, right, among all of you and all of us, maybe that's something to propose to get on this agenda. Everybody sees the technology as aiding the classroom right? There's a generally accepted principle, right? Is that how you would say? But they're not looking at the consequences or the other thing. So I think you're raising an important point. I don't have an answer for you, but I think it's the right question. >> CAROLIN WEISSER: Next please? >> AUDIENCE MEMBER: Hello from Austria. I wanted to take more on the point that was made before, positive messaging versus creating fear. The example of children crossing the street, you use fear. In Austria, you have a big sign that says drive safely or you will die and your family will die and you will never see your kids again. It is not our responsibility to make the user feel good. It's our job to keep them safe. So why not use fear? [ Laughter ] >> MICHAEL KAISER: I think we went too far the other way in the fear messaging, so if you look at the history, it started out too fear-based. Are you saying that you think it is okay that some of it is fear-based? Yeah. You know, so I would flip it over a little bit and say, when we did our stop think connect, we didn't look at fear messaging, but we looked at proof points. What's the kind of information. If I knew, for example, that 80% of the people who didn't have a long password, you know, were 10 times more susceptible to identity theft, that's not necessarily a fear message, that's a proof point where I can put myself into that environment and say okay. I can reduce my risk, right? The difference between traffic safety and the internet is you're probably not going to die on the internet. It's not the same outcome that you're trying to prevent. You're basically, there's zero tolerance for failure because one failure in crossing the street, whether it kills you or not will have serious consequences. If the car's going more than 10 miles an hour, you're in trouble. Proof points that are relevant? You know, young people who posted things about being at a party were more likely to have difficulty getting a job? Those are thing s that are quite clear. Don't use the internet. That's the kind of thing. Don't use the internet, it will never be safe. There are messages out there that we have to combat, because the internet is greatly beneficial. You might have more on this. . >> BARBARA MARCHIORI DE ASSIS: I want to... also that... the bigger part of the countries right now is expand broadband access. If it comes to the message don't go to the internet, then I won't do anything related to cybersecurity. We want people to be online, and especially for... Colombia has SMEs, and it's important to be careful about the negative. It's important to also make sure, go online in a safe way. >> Dr. MARIA BADA: Just to mention that I had that experience in schools when I was doing awareness raising. When we were describing the possible risks online, children were mentioning that they had Facebook accounts. So after the sessions, they were like okay, I'm going to delete my Facebook account. So that's actually the outcome. And I could see it. It made me think of how we can change that. Because again, it created fear. And that would lead to not using social media, not using the internet, and that's not what we want. I've heard actually throughout this week, many workshops were discussing about, you know, we want global internet access from all groups, all ages, all sex ss not the safe one. How do we do that? We have to educate and educate people and make them aware of risks but in an effective way. If you asked me to give you the answer of what, how that would be effective, I don't know. It would be a challenge to answer. >> MICHAEL KAISER: Let me quickly say, if you want to know how to be effective, the best way to do it is to talk to the people you're trying to educate and find out for them what risks they would respond to, right? Like what... we know in the United States, the number one thing people are concerned about is identity theft. There are many other things they're at risk of. But they are concerned about that. That's maybe their thing. The risks are omnipresent. They're everywhere. Figure out what the people in your country are concerned about and then create a message that wraps around the risk they're already thinking about and build off of that, right? That's how I would handle risk. >> CAROLIN WEISSER: Yes, please? >> AUDIENCE MEMBER: Hi. I think I just quickly wanted to add to the conversation that fear messaging becomes tricky in a country where internet is already propagated as the root of all evil and immoral and puts at risk a lot of children and women and so on. In a country like Pakistan, fear messaging would be extremely counter productive. >> MICHAEL KAISER: That's a great point. >> CAROLIN WEISSER: The next question. >> AUDIENCE MEMBER: Louise Bennett. Yesterday I came to a workshop on collaborative security, and I was very impressed by the woman from Cyber Green, and the key message that she was making, which I think was really important was you should think in your messaging, if I behave like this, what am I doing to someone else? Actually most people don't want to help their friends, their neighbors, and so on. And I thought that was a very powerful message that she gave, and I wanted to know what you thought about that. >> Dr. MARIA BADA: I think it relates to what I was describing before, looking at cultures before developing a message. In the eastern world, we tend to be more individualistic, so we defined, I don't know, cyber security from our personal experiences. But in the cultures such as in Africa, they tend to be more... they tend to relate security in more of a group setting. So, I think that the message such as, you know, if you are... if you are safe, you can help others would work in certain cultures, but it might not work in others. It goes back to looking at differences in different countries. >> MICHAEL KAISER: I just add that when we did our Stop Think Connect research the first message was safer for me, more secure for all. And we used that message not in a core way, like, you know, update your software. But we use it when we talk a lot. We use it in media. We use it in writing. We use it in a sub text message. We have a lot of public service campaigns in the United States, and that personal responsibility equals... like friends don't let friends drive drunk sort of message. When you talk about sort of how do you incentivize people, knowing that not only am I making myself safer but I'm making my friends safer. I think for a lot of people that's very appealing. >> JORGE BEJARANO: I want to add something very short. I just remembered the hashtag we used in Colombia. The power is yours. You decide how to use that power in the digital environment. If you make the right decisions, you will have a useful and very good result from the interration with that digital environment. But if not, there will be consequences. But you have the power. That's one of the messages we used in our courses and also in the campaigns. Because we wanted to highlight that. >> CAROLIN WEISSER: I would like to add something to that as well. What I like about this approach, because it works on different levels, on an individual level and in like businesses. Maybe it's ats bad for the community around you. And up to the national level. I think it's a very interesting approach because it's like something which is maybe also... I think it's very strong in Asian cultures in Japan. Something that I want to benefit someone or I want to hurt someone is good. >> BARBARA MARCHIORI DE ASSIS: I thought it was interesting, within our projects at OES, we noticed how useful the technique is in our region. When you train people and we want to encourage them to... the trainer became like ambassador of this. So please make sure to it really works in Latin America. And we're trying to do this more now. >> MICHAEL KAISER: Having a good messenger. >> BARBARA MARCHIORI DE ASSIS: Creating more messengers. >> CAROLIN WEISSER: Anymore questions? Yes, please? >> AUDIENCE MEMBER: Just listening reinforced that we share the responsibility making sure that we create awareness globally. And that this forum has a unique opportunity to carry that cybersecurity awareness campaign to make sure that you educate those that are going to be connected in the future is not just about connecting the unconnected, but also making sure that they understand what the risks are and have a shared responsibility of the future security threats that we face. Thank you. >> MICHAEL KAISER: That's a great point. And a little disclaimer, DHS is our federal partner in the United States along with industry, so we're always happy to hear from our friends at DHS. The unconnected have an opportunity well beyond the people that are already connected. We didn't start doing cybersecurity education awareness until the mid 2000s right? People already connected and had already established bad habits. If you have the opportunity now to give people who are getting online now to give them good habits while they're getting the technology for the first time, you may feel like you're behind but on cybersecurity, you are ahead. >> BARBARA MARCHIORI DE ASSIS: We feel the same way. Sometimes we hear we don't have so many people connected, so we have other priorities. I say well, you are improving connectivity in your country. Take it as an opportunity. Everyone is already safe. So we started working with this at the beginning, and that's exactly what I have been trying to encourage the member states to start invest in cybersecurity since the beginning. >> CAROLIN WEISSER: Anymore questions? I saw a hand in the back? It's gone? Maybe just, to comment on your comment, those people who come online now are so vulnerable. It stops them to get what we said before, like fear and security. If they hear this is something which can harm you, someone who is already a victim and already a vulnerable and not feeling powerful, this has a huge impact and all the positive things we were talking about don't count anymore if someone doesn't trust that and you see how powerful the applications are for health and socio-economic participation, empowerment, all of these things, I think it's crucial and key that all developments I mentioned have an awareness in the cybersecurity aspect, otherwise, yeah, the efforts are useless. Not useless. Now we're really at the end. This morning I had a workshop that was one hour, so I was focused on that. Thank you so much for the very interesting discussion. We got a lot of expertise from different regions and from the research. Again, if you would like to be engaged in this and contribute to the research, go to our Twitter account or the cyber security capacity portal for more information. And thank you very much. [ Applause ] [ . > MODERATOR: Hello, I think we're going to start. Someone said we don't need to break down silos. We just need places to meet and discuss points. That is we have invited organizations around the world that are actually cooperating in a successful or near successful way or perhaps in a less successful way and striving to be better. And hopefully we will have people who want to learn from our experiences. We're going to try to extract in this 90 minutes some best practices and incorporation. They will be questions that people can answer. You can see that we have no panel, no presentationpresentation. And I'm going to start with a couple of questions. And everybody is allowed to answer, but of course, I have organized people from the technical community, civil society, and they will be here. And the only thing I've asked them is not to present on who they are or what they are. We're going to try to find their best practices. I'm going to cut someone short on a long answer because we only have 90 minutes to come up with the best practices. Think of something new to the idea. No one on the stage, no presentation. We will see how this works, and we will put online these results. So the first question is who represents government in this room? A show of hands please? >> MODERATOR: I see seven people representing government. >> WOUT DE NATRIS: Who represents civil society? >> MAARTEN SIMON: 11 people. >> WOUT DE NATRIS: And who is here representing the technical community? >> MAARTEN SIMON: I see 11 people representing the technical community. >> WOUT DE NATRIS: And who is representing something I haven't mentioned yet? NGO or international? >> MAARTEN SIMON: Five people are representing something else. [ Laughter ] >> WOUT DE NATRIS: That sounds very good. So we have something else in the room, and that is also very diverse. If I go from there, you all started out somewhere. A longer time ago, at the beginning of the internet, when it was commercialized, others perhaps more recently with more regular or newer problems that we run into over time. I'm just going to ask some people to reflect on what was the cause that your organization came into being and who would like to start? Please raise your hand and the microphone will be walked up to you. Every time please state your name and affiliation, please. >> AUDIENCE MEMBER: Hi. I'm Barry, and I'm here talking about an organization called MMMAB working group. We started out with just messaging, trying to do something about all the spam that you got in your inbox and expanding that out to the malware and then things that if you click on them they take over your computer. It was a bunch of companies who provide e-mail services and software and use e-mail services who needed this problem fixed, and that's where we came from. >> WOUT DE NATRIS: And you're around since? >> AUDIENCE MEMBER: Since about 2003 or 2004. >> WOUT DE NATRIS: Thank you. >> AUDIENCE MEMBER: And I represent... I'm not quite sure I like the term represent. We're all associated. I'm with the ITF, and that, of course, is the standardization organization for core internet technologies, and we've been around 30 years now. Some of our documents have been around even longer. So basically formed around documenting the technical solutions around the core of the internet. >> AUDIENCE MEMBER: Hi. I'm president of In Hope, the international help lines for child sexual abuse online. The reason we came to be was the fact that when the internet became bigger, we saw the problem of child sexual abuse material being on the internet. And mainly the industry said we don't want this on our networks. How can we deal with it? >> WOUT DE NATRIS: Please. Ma'am? >> AUDIENCE MEMBER: I have to stand up. Sorry. My name is Christine. I'm here, could be wearing several hats. I'm from Brazil. Around since 1997: I have active roles on teams. I'm trying to create a team in Latin America. I think Martin could talk more. >> AUDIENCE MEMBER: I'm Martin. We have existed since 1989 and brings together internet response and security teams from all stakeholder communities. >> AUDIENCE MEMBER: Hello, everybody. My name is Paul. I'm here for internet jurisdiction policy network. You asked a question why we were created, it was born in 2012 out of the need. There was a need for a space that not only bridges the different stakeholders, but also the policies of human rights and cybersecurity in order to find solutions to the jurisdictional province on the internet. >> AUDIENCE MEMBER: The state department has been around for hundreds of years but my office has only been around for five and a half. We were created to help implement something called the international strategy for cyber space that was put forward in the early days of the Obama administration. It covers not only cyber security and also cyber crime, internet security in cyber space, internet governance, internet freedom, development issues, and defense. We realized that we had a lot of excellence in dealing with the strategies. And the office was created to help coordinate those efforts from a policy perspective, not a particularly technical one. To coordinate them across the U.S. government, how we were addressing these issues in global communities, but also be a belly button, shall we say, for coordinating the efforts with our international partners. >> AUDIENCE MEMBER: I'm with the dutch registry. I'm not going to explain why we were created and when, but there's an initiative that we have been involved in called abuse hub. In short what it does is it collects abuse information and processes it and distributes it to parties concerned who are mostly ISPs and hosting companies. Why? The individual ISP and hosting companies made huge costs to collect the information but it was not specifically for them only. A huge amount of information that they had to sift through and get the information that was relevant to their customers, the effected PCs and other equipment. It cleans up the information and sends it to the specific ISP or hosting company. There was a common problem that was... that could only be solved by a collaboration and it was created about three years ago. >> AUDIENCE MEMBER: Hello. I'm David, from the global expertise. It was launched in 2015 at the global conference on cyber space. The goal or the reason why it was launched is because on the global level, best practices on cyber capacity building, to bring them to the global level to make them available and accessible. We're a very young platform, for now, like 1.5 years. There's a lot to do in this area. >> AUDIENCE MEMBER: Hi. We are the oldest regulatory organization in the world. Capacity building through the western hemisphere. Member states are from Canada to Chile. We will promote national strategies, national exercises. We had an excellent panel on awareness raising campaigns. Working on research and expertise. And of course, actually, our presence here, the idea of our presence of other firms and working with other partners. Our member states recognize importance of working with other actors, private sector, technical community, academia in order to break the silos issues. >> AUDIENCE MEMBER: Hello, my name is Juan Gonzalez, department of homeland security, office of cyber security. They work closely with the state department as the lead. We do a lot of the internal domestic U.S. operations in response to cyber incidents. >> AUDIENCE MEMBER: Hi. Michael Kaiser. We're founded in 2001, actually directly after the 9/11 attack in New York because, by industry to work with our partners in government, because they realized there were infrastructure elements to that attack. They were forward-thinking people who looked ahead and said we've got to do things to educate people to protect cyber security and we have to do it by working together in collaboration, because that's a major silo that has to be addressed in our area of education awareness and there are many other areas that can be addressed in that way. >> AUDIENCE MEMBER: Hello. Where do we come from? Our community started back in 1989 kind of as a group exchanging experience building in the internet in Europe. And yeah, we've... well, I don't think we've been breaking down silos. We started off as one big family so the silo is being built around us. >> AUDIENCE MEMBER: Hi. My name is Carlos, and I represent the government. And I am engineer and lawyer. I'm interested in collaborations around the world. To promote a culture of security and preventions. >> WOUT DE NATRIS: Anybody else like to join in? Okay. Then I think it's time to do our first identification of what leads to best practices. I think what we saw here is that everybody has responded to some sort of a problem or some sort of a cause to start changing things. And somebody took ownership of thaw that problem. I think we've identified that also. Organizations in this room have taken ownership of that challenge in front of us. And my next question is going towards that challenge. Because nothing becomes a success out of itself. So you basically often have to get through barriers to get people to cooperate. And I would like some of you to reflect on the challenges that you have run into and how did you get over them to make cooperational success? That may lead to insight for others if we know how to name them and put them in the role of best practices. Who would like to start with the challenge? Michael? >> AUDIENCE MEMBER: I think the biggest challenge coming from the technical community and communicating with people and what you would call other silos or other stakeholders as we normally refer to them is understanding that they might have a different perspective on the worlds you live in and that's really a start. Realizing that somebody might see things differently. Once you've got depth covered, you start building the dialogue. But first of all realize who you are talking to and where they are coming from. >> WOUT DE NATRIS: So an open ear and open mind. Who else? >> AUDIENCE MEMBER: I think that many of the challenges are very common to any kind of collaboration. So there is trust or lack of trust in the beginning, so that's one of the challenges that you have to solve. How do we get the different parties to trust each other? Most of us will recognize that in the end, that's an individual process. Trust is between people not organizations. So you need some time to develop relationships between the people who are at the table. There has to be a shared sense of urgency and responsibility. At a certain time there has to be a division of roles and tasks and responsibilities. And I think the challenge of all challenges in many of these cases is you need means, money. We see all of these good intentions, but the willingness to pay is difficult to find. I agree with you. That is one responsibility that very often an individual organization has to take this first step in. Okay. We find it important. And very often another organization or a few step in. And then what just mentioned, there's a good example of that. It started with us, the ridge strayer. So members pay a fee and now it finances itself. But you need a few people that really believe in the cause and are willing to stick out their neck and risk some money and get things going. >> WOUT DE NATRIS: Thank you. Before we respond, who recognizes what he is saying? That at first it's about trusting one another as people and not as organizations? Who recognizes that in their projects? Nearly everybody agrees with that. What about the financing? Not everybody agrees. What's your experience? >> AUDIENCE MEMBER: Of course, different organizations work in different ways. For us, for instance, it's about like the implementers coming together and trying to do something. They have their jobs and they have their ways of building software. For those people to be interested in making a fix or making an improvement. >> AUDIENCE MEMBER: But somebody has to finance that in the end. >> AUDIENCE MEMBER: Yeah, but it's indirect. It's not that our organization, for instance, needs money to do some particular improvement. The vendors who build a browser, they feel that they need to serve the customers better. And that's why they come together to make standards. I it's not a direct, it's an indirect situation. >> AUDIENCE MEMBER: Maybe it's more direct than you think. We believe in your cause so we send people and we pay them salary, hotel costs and the trip. So I think you proved my point. >> WOUT DE NATRIS: Do others want to go back to the first question? Okay. We'll start up front and go to the second row. >> AUDIENCE MEMBER: When we're talking about cooperation, the point that I want to make will touch on the cost. What we usually see are people... and overcomplicating how much you need a very big budget. And of course you need budgets. Usually people ask for someone to make something. And in a national avenue, most of our projects are voluntary in basis. You have people volunteering their time. You have them volunteering a little bit. But you don't need like a big project for people to cooperate. It's much more willingness and this is more project of cooperation to create trust. We have been running a specific project in Brazil for 13 years now. We just have our time. It's all volunteers. We engage people from private sector, universities, operationors, ISPs, and it's a project that has been creating a community of trust in the technical capacity. You slowly create trust. We also see a lot of people that want the recipe or they want to sign an MOU and cooperate. And that's not really how it happens. So I think it goes for trust, but it also goes for everyone putting in a little bit of money and not necessarily like huge costs. >> WOUT DE NATRIS: Please state your name. >> AUDIENCE MEMBER: Sorry. Christine. >> AUDIENCE MEMBER: Um, Martin. One thing that I wanted to add is outside of cost, there's also scope. So when First got started initially, it was five members and those five members could work together very easily because they knew each other and they could do anything. They had very big goals. Today First is over 350 members across the world, and there are many governments there that may not want to share a lot of information with each other or those organizations that don't really see sharing with each other as a primary goal. So one of the things that we see we have to do now is we have to build smaller groups within First, which we call special interest groups, where people actually get together in a smaller group to solve one specific problem. And quite often that problem isn't contested. As they work on the smaller problem, they get to know each other and trust each other better. So that's growth and something that we have seen be very successful. >> WOUT DE NATRIS: Thank you. >> AUDIENCE MEMBER: >> AUDIENCE MEMBER: I want to pull on the able to share. That is a part that I have been thinking about a lot. Everything has to be discussed openly and I'm wondering how much we're losing? Occasionally I hear rumors that there are people who don't want to talk about this because they would have to do so openly. And how can we solve that? That would be an interest ing. >> AUDIENCE MEMBER: Is that the technical community? Is that people chip in a little bit each and every one on commonly perceived technical problems that make the internet run? And what the last person was talking about is something that expands normal boundaries of corporations like competitors exchanging information that may harm each other where one is unwilling to cooperate. That takes more effort to get together than where everybody agrees on the common problem. Is that something that this room recognizes in any sort of cooperation that you've had? Or is it just coincidence? >> AUDIENCE MEMBER: I'm from in hope T dutch hot line. Actually, it is who owns the problem, actually. If we look at child sexual abuse material, in the beginning, ISPs said we don't want this on our networks, but we also don't want to be the judge of material. So they established the dutch hot line, which was the first in the world to deal with this material, to check it out. Then we engaged the problem that the police thought it was their job to do it. The fact that we do it anonymously made us more desired than the police. Now we see the problem that the internet service providers look at it like hmm, is it still a problem? So we're also in regard to funding looking at a situation, which I think is a common problem of the whole society, and we should deal with that. But we find it very hard to get funding because everybody is pointing at everybody like okay, why should I pay that much? Why can't he? So we hear internet service providers or mobile providers say ask apple for money. It's their computers. So it's still hard to break down those silos when it concerns that. >> AUDIENCE MEMBER: Hi from the state department. Trying to pick up on a few things that people have said and hope that what I say has some applicability not just for governments for the six of us or whatever are in the room with governments but is applicable to others as welt. We found it was difficult to move very, very far ahead in programmatic efforts to combat cyber security from the technical or policy side. When there was competition or concern about turf or concern about resources and money and there seemed to be not common cause, necessarily. People didn't feel like they were moving towards a common goal. And so, you know, unfortunately, we've had several incidents in the last ten years that have given us more to common cause, which isn't good, but we have used it to find a way to have higher level attention in the government. But I think that applies businesses or organizations as well who might not have thought that the cyber security thing was a problem for them. So for higher level attention, also creating a mechanism for collaboration that takes the coordinating role out of any of the vested interests and creates a neutral party to help bring the parties together and be more of a team. So the international strategy was not written by any one particular agency in the U.S. government. It was coordinated by a neutral party, the White House still. And brought all the players together so they all had buy-in and input from the very beginning. I think while it was a very government thing to say, I hope there's some applicability for other kinds of organizations. >> AUDIENCE MEMBER: Barry Lemi talking about MMMOG, talking about whether the IETF is missing something by being as open, the IETF has a different focus than an organization such as MMMOG. We need the standards to be open and we need the work to make the standards open. MMMOG is looking at best practices. And when you're building protocols to secure the networks, you do that in an open process. When you're trying to develop best practices, you need to be Frank about what the problems in your own networks are, and what the problems on your own networks is. And companies are not too willing to be open about that publicly. So we have a more closed environment where the deal is that you're open about it within the organization, and then that's used to develop best practices to recommend to other organizations about what to do in their networks. >> AUDIENCE MEMBER: I think that common cause is another word that we had to put down. I see Michael Kaiser and Marco and others. So everybody wants to talk. Very good. >> AUDIENCE MEMBER: I will be really quick. I want to reinforce a couple of points. We act as a neutral third party and we see other neutral third parties. It dove tails into another issue around anonymity. In order to break down their silo, they were able to scrub data coming from one place and give it to another place because they knew the other place really needed that data. Here is all the credit cards that got lost in a recent data breach, we're not going to tell you which one, but they're your credit card owners and you should have it. You don't know where it came from but now you have it and you can act on it. And having an intermediary is important. Let me say about the common cause, I think it's absolutely critical that we work in a public private partnership. We start with a narrow focus. All work and trying to educate people going off like spokes on a wheel, right? Come together, work together. Share the IP that comes out of that process. Share the expense of delivering the message out so you don't have to give money to one place. People can use all of their resources to do the things. So there's a lot in the common cause. And the new trailty, there has to be an expert in the middle. >> WOUT DE NATRIS: Thank you. They are a great example of such neutral organizations. When abuse hub was in its incubation, the ministry of economic affairs asked ECB to be the Secretariat and provide the neutral table where everybody could sit down and discuss the common goals. And there they built the trust to do it a couple of years later. That is something that we need to do have many times. I'm putting my hat back on. >> AUDIENCE MEMBER: Just about cost. We had a session on capacity building projects. And one of the things that we have, I identify with them is that the funds are decreasing. There are actually key organizations and donors like the United States and Canada that have to actually be the response to especially developing countries, and they need to recognize that actually they need to chip in. And what we have seen in the region, the funds are there. There is a need to coordinate and see how they coordinate spending on cyber security issues. Many agencies just spend money on the same things. They just don't go making the expenditures. Trying to reinforce what Michael was saying, the importance of partnerships, we recognize that within our countries, for example, in Brazil. It's a nonprofit organizations, and it's a successful model. It's excellent service. That model could be replicated in other countries. So that's not another example of how developing countries take advantage of that common cost. At the end, it's who is going to pay the bill, and where is it going to come from? And the answer is the funds aren't there. >> WOUT DE NATRIS: Next? Here and then here. >> AUDIENCE MEMBER: I will keep it short. I think besides the common goal there are two elements that would add for being corporation successful, and that's some sort of equality between the people who are cooperating with each other, and getting resales. That is also very important element to make it work. >> AUDIENCE MEMBER: Thank you very much. The internet by and large is privately owned. The infrastructure is privately owned. The place that we're looking at, cyber security and cyber crime is largely commercialized. So I want to challenge your notion of the comments is that some people will have a commercial advantage over others by having certain information about vulnerabilities because they need to outperform the others whether that's a virus or firewall company. As much as I want to share it, I wonder how far the sharing is worked against by commercial interests. We all want to make the internet a better place but some people want a large sum of money, and I think that's knowledge about cyber security. >> AUDIENCE MEMBER: This is Paul from internet and jurisdiction again. I wanted to add one nuance to this notion of having a common cause. Especially in the context where we talk about multi-stakeholder cooperation, one element that is often underestimated is the importance of framing the issues and framing in a way that transforms the issues that the actors have with each other into a common problem. Very often this is something that is overlooked and where not enough time is allocated. One of the reasons for efficiency in multi-stakeholder cooperation in bridging groups is precisely taking the time to find common framing, defined shared vernacular so we all talk about the same thing. And this is the prerequisite to have a shared vision of what can be achieved. So this, I think, is something that is often overlooked. >> WOUT DE NATRIS: One example... I'm asking a question to Paul. Can you give one example where you noticed that it didn't work? And another one where you said okay. We discussed it and then it went forward from your experience? >> AUDIENCE MEMBER: We are addressing the jurisdiction issue, right? I think for addition, historically, the problems is that the companies or the governments promised the companies, Civil Society had problems with how the companies were dealing with those issues. So if you have the triangular relationship between the categories of actors, each was in a confrontational mode and most happened on a bilateral thing. Through dialogue it has become clear that they have problems in common. And if we want to preserve the nature of the internet, we need to find solutions. So I think our experience was that there was a real transformation and we had the global internet and jurisdictional conference two weeks ago. There was a key message basically that the actors understood that they have a problem together that can only be addressed through cooperation. >> WOUT DE NATRIS: Thank you. Okay. >> AUDIENCE MEMBER: I wanted to jump in and give a concrete example. The work we did in Brazil was not easy. It was to implement the very technical thing that was board certified management. There were a lot of problems and people who didn't want to implement because of cost. They were afraid that the telecom regulator would find them if they would do something. There were some consumer protection organizations that were thinking that someone was taking out their liberty of choosing what port they wanted to send mail on. As a framing, we participating coordinating technically. The one who implements all of the direction that is the most stakeholders. It's formed by civil society, academia, technical community, government, non-government members who are elected, and we usually are the ones that people look for to be the neutral ground. You have all of the stakeholders in that ground. It is helpful. So at the end, at the end of those years, we talked with judges, with prosecutors, with consumer protection organizations, the government organizations so the consumer protection gave official statements saying that that would not be a problem and we have other people working with the technical community. We have some other organizations that join in because you want to understand what were you doing? So it was a very fruitful work. It is difficult. Usually the technical community thinks it takes too long and is not worth it, but it is. After we had this discussion, now is when you have to discuss other topic s, they point to the model of seven years but now it didn't take seven years. It takes like a year or less. So I think it's worth the time to get to stakeholders, which means getting everyone to understand and really having the discussion to discuss okay, We have a common goal. Everyone has an angle. The businesses don't want to spend money. The civil society thinks that someone is doingdoing. >> AUDIENCE MEMBER: And it's a process of years, but it does pay off. >> AUDIENCE MEMBER: Yes. >> AUDIENCE MEMBER: Maybe, well, I think one of the major components of many of the examples we have heard is the sharing of information. The larger the group, the smaller the willingness to share. Michael mentioned an example and gave maybe the impression that commercial interests are bad but I don't think he meant that. I think he gave an example that there is a chance that the... there are possibilities where security information is being shared. I love the phrase if you have to be secret about your security, your security probably sucks. So when there's a security incident, people are very unwilling to share that information with a larger group. As a vulnerability, we want to fix it first. But then there's a low willingness to share the information because there was a hmmm-up. We don't want anyone to know that we did something wrong. We fixed it but don't want to talk about it. I think one of the obstructions in this kind of collaboration where it's about sharing sensitive information is that first, maybe damage can be done to your organization, and after that, the risk is taken away, damage can be done to your reputation. Another typical example where there is sometimes a possibility to share information is in the relationship between governments and private organizations. We have our national cyber security center. We collaborate with them as many other they are limited by law and other factors, most of the time by the simple fact that they are not supposed to share information. But they have to act upon it. >> WOUT DE NATRIS: We have a remote comment or question. >> MAARTEN SIMON: It is a question for Michael. How can we assure the security on a private network? >> AUDIENCE MEMBER: >> WOUT DE NATRIS: It's a question for Marco. Raise your hand to get the microphone. >> AUDIENCE MEMBER: I got distracted. >> WOUT DE NATRIS: Repeat the question, please? >> MAARTEN SIMON: How can we assure the security on private networks? >> AUDIENCE MEMBER: How can we secure the security of private networks? If it's truly private, then the part of securing it is mostly physical. But a private network, is in essence, by design, secure, until somebody breaks in because then it's no longer private. [ Laughter ] >> WOUT DE NATRIS: Okay. I hope that answers your question. I'm going to go to the next question I have, and I would like to ask you to reply in one sentence. I think on this topic we could be here until tomorrow morning and probably still not stop talking. What was the major break-through in becoming a success? What was the biggest hurdle you had to take? I will start with Barry. Looking back, what did you have to breakthrough to become a success? >> AUDIENCE MEMBER: A success in sharing... I don't know that I would call it a breakthrough, but it was realizing that allowing people to share freely within the organization and trust each other to keep it within the organization and using that to make recommendations that benefit outside was the key for us of not acquiring people to share information publicly, but to feel free to do it within us. >> WOUT DE NATRIS: So trust and making sure that it doesn't escape from the organization? Okay. >> AUDIENCE MEMBER: So I'm not sure these are break-throughs either, but where we're being mostly successful is where we can get the different parties together that it's not just say the browser window and someone that does things and runs networks under and who build, you know, devices that operate on the traffic in the middle and so on and so forth. So that's the really crucial thing for us, at least. In doing anything that you get different parties in there. >> WOUT DE NATRIS: Making sure people come to the place where it's at. >> AUDIENCE MEMBER: I think that would be the moment that we had an agreement with dutch police law enforcement about handling the material and analyzing it. The police felt threatened in their position. Now we have a protocol in place that is legal. We have a protocol in place with the public prosecutor that they will not prosecute us until we follow certain protocol and regulations. >> WOUT DE NATRIS: So establish protocol when necessary. >> AUDIENCE MEMBER: I think in the case, it's a difficult question to ask. My observation is it is probably. If you organize this, we will finance the starting of it. That was okind of recognition that gave the conviction that they were on the right track and should really get this thing on. >> WOUT DE NATRIS: So some support at the right moment in time by a key actor. >> AUDIENCE MEMBER: I think that issues such as trust and recognition are very important. This is an ongoing process is being able to involve a critical mass of actor s that agree on a framing of an issue and are willing to work together. I think this is really important to reach this sort of critical mass of actors. >> WOUT DE NATRIS: Thank you. >> AUDIENCE MEMBER: I would say in the case of what I would call successes, the common vulnerability successes are where we created the framework, the opportunity, and the location, and someone really passionate stepped in and used the stools because we were the best place to get the job done. That is what led to success for us. >> WOUT DE NATRIS: Thank you. >> AUDIENCE MEMBER: In the case of this, number one is to gain trust, not to break the trust, and learn how to share information and foster people sharing the information. Another key was as we are tied into or perceived as a neutral organization, multi-stakeholder, that helped a lot too gain the trust. But you cannot betray that trust. You need to do hard work to maintain that. >> WOUT DE NATRIS: So an anonymization of data. >> AUDIENCE MEMBER: We act as a place where people share data with us. We anonymize sensitive parts and share when needed. People know we will not break that trust. We share data that we collect in some projects that we have, but we help other people when they have data breaches or other problems with security and we act as a neutral point. >> AUDIENCE MEMBER: I want to touch on maybe an example in the cyber crime area more. And utilize the creation of the 24 by 7 network of law enforcement counterparts who... we utilize an existing framework within the G8 for connecting law enforcement representatives and encouraging them to voluntarily share information, but using the framework of the G8 and the Budapest convention as an overarching frame. But then saying this... we're joining this network is voluntary. But B, here is the incentive for doing so. There's a reason you might want to join because not only can you come get assistance from others but you also get information from others when, you know, you might need it for something. So the incentive is close collaboration. An overarching framework, voluntary, and incentive for getting... you get something back for your participation in this network or organization or whatever it may be. So that's one example, perhaps, from the cyber crime world. Sorry to do this, but I feel like we have sort of organically created a panel here, the non-panel here. And I want to encourage our friends in the back half of the room to join the conversation and provide some examples that we might not know about. >> WOUT DE NATRIS: That was my next question, but thank you for putting it up. Also thank you for mentioning law enforcement, because that hasn't been mentioned yet. And the G8 is another way that information is shared. >> AUDIENCE MEMBER: I just want to add in case it's not known to folks that it's not now just the G8. The goal is to build it out in the 100-some countriescountries participating in a voluntary collaborative basis. >> WOUT DE NATRIS: Do we have more questions? Please pass the microphone. >> AUDIENCE MEMBER: I have a question for the GFC. What role do funds play in the breaking down tales on cyber security and cyber crime? >> AUDIENCE MEMBER: Okay. What is mentioned is there are several elements that are important, and I think what is important the most key elements I think is what we try to facilitate is knowing what the needs are of members, and also to be flexible. It's a dynamic area. In the end, it is true that funds are a scarcity. So I think it's really important, and that's why we... one of the ambitions is to put cyber capacity building higher on the political agenda from private organizations, from governments, to make more funds available. And the second thing is if you have funds, you also have to be ware that you don't have any overlaps. So another thing that we do is to try to get some sort of overview of who's doing what on what topic, and maybe in the future, we can make better use of funds. That would be one of the goals. But yes, funds are really important and they will be more and more important in the future, and I hope we will have more from the global level. >> AUDIENCE MEMBER: Maybe other ideas. The recognition that our member states have given the empowerment of private and civil society actors. Of course, funds are important, but you reduce a lot of the cost, especially on capacity-building projects, you reduce a lot of the costs when you work together. >> AUDIENCE MEMBER: I want to jump quickly back to something that was said. You have to create value if you want to incentivize people to take part in anything, there has to be value to them. Obviously, funds do play a role. But I also want to link back a bit. And I have another question. When it comes to incentivize people, then the old rule of thumb is stimulate where you can, regulate where you must. How far would you say is sort of having the involvement of a ministry in funding also might be perceived as soft regulation? The ministry is stimulating knowing that the next step would be regulating. I wonder if that played a role there? >> AUDIENCE MEMBER: I'm very willing to answer that question. It's true. Maybe not in this particular case, but I think we're from the same country. This is a policy that our ministry very often applies, and I think it's a good policy. They're reluctant to... what's the word? To regulate. So they stimulate. So if the private sector doesn't react, then they will regulate. And they know and the private sector knows that regulation is always less effective than if we solve the problems ourselves and this is less effective than solving the problem together. So I think it's the right approach. So okay, let's try to solve the problem together. We're willing to contribute by providing information, providing funds, providing staff, whatever. The problem will have to go away and there will probably be collateral damage. It's a recognizable approach. Sometimes I find it a pity that such light pressure from the government is necessary to get the private sector moving. But it seems to be a fact of life in certain cases. >> WOUT DE NATRIS: Now I'm going to turn to the back. Who is here actually to learn from this discussion and to bring this home? What is it that you would like to learn? Anybody? The panelists would like to learn, but we knew that from all the comments. Who would like to share their experience or question to this natural-born panel? >> MAARTEN SIMON: Maybe refresh. Who heard something new and said hey, I'm going to try this? >> AUDIENCE MEMBER: Nick from the UK government wanted to government. Nick is going to come in anyway. See you tomorrow. >> NICK: Nick, UK government. I have heard some interesting stuff. What I've picked up is the importance of recognizing the value to your partner when you're trying to sort of stimulate an initiative and collaboration. The importance of trust. And that certainly is something I know myself when I used to do investigations and you're trying to engage with, you know, sort of industry players, ISPs, sort of cyber security professionals and developing that trust. I understand that you may need to step outside your own comfort zone. I think the only thing the UK government has probably learnt in the last four or five years or so is the importance of transparency about what you're trying to achieve, and I think someone mentioned that earlier. Transparency about what you're truly trying to achieve and how you're doing that as well. If you're transparent and open and sometimes those are very difficult things for governments. If you're transparent and open as far as possible, people will be more willing to come on board and except the occasions when you can't be truly open. So I certainly picked up on sort of those things. And those are things that we will take back and consider when we do our multi-stakeholder outreach, our policy development processes and initiatives. >> WOUT DE NATRIS: Thank you, Nick. The word transparency from the government point of view. Another response? >> AUDIENCE MEMBER: You're absolutely right. If I look at my line of work, we also work together with organizations like Facebook, and they have, like has been said before, big risk in their name being damaged. So it's not only transparency, it's also integrity. So every time when we report through either Facebook or another platform, we have to make absolutely sure that the image is unlawful or they might get the blame for taking down the material. So we need to be really transparent about what we're doing so they can trust us. >> WOUT DE NATRIS: Thank you. Just to come back somewhat jokingly so we can go to the pub and have a beer. When we announced this workshop and fed it through several channels, we got a lot of responses from Pacific island states, Africa, south America, from Asia, and all of these people said I can't afford to the IGF. And actually, they were very much interested to learn what to do because they were facing these sort of challenges that we're discussing at this moment. That's why we've got to try to make some best practices based on your input and see how we can share that or perhaps expand on it in some way in the future. So something will be done, and it will reach the right channels that we started out with. So it is not just us discussing it here because we can afford to be here and it does not mean that everybody else can. I have a final question, we will try to do a wrap- up. And I'm looking for help. What is the thing that you would really like to achieve at this moment, which you are at this moment not able or not able enough to do. I'm going to start with Michael, because you still like to tackle a challenge right now. And what do you need to achieve that? Raise your hand and get the microphone. >> AUDIENCE MEMBER: I think a challenge in the education awareness space, and I'm sure people have challenges in other spaces but the continued connectivity between all of us doing the work. And how do we work together on a global scale that builds on the successes that we have had in many countries around the world not just the United States? How do we share that information in ways? And how do we build a community together? Even with this fantastic internet, it's still hard to learn who everybody is, to develop relationships over long distances and to have the opportunities, IGF being one of them, to come together and share in an open way and find ways to partner and collaborate. Maybe it's part of human nature, so that's part of it, too. I think that's a challenge that we would love to continue to work on. We're open to working on. And do it in open, neutral, sharing, collaborative, towards the best end for everyone kind of way. >> WOUT DE NATRIS: Just one question. You're involved with stop think connect and I understand you're reaching out to as much countries as possible to adopt that approach? >> AUDIENCE MEMBER: Not just adopt the approach to really make... you know, the simple like what's a problem you have to solve? The problem you have to solve is every single person who uses the internet needs to know how to use it safely and securely. And not one of us will do it on our own. We have to do this together. So that's the challenge we always face. >> WOUT DE NATRIS: That's an important thing to note. That's an important challenge. I'm going to Marco. You work with law enforcement, I know from experience, from my past life. Are there challenges there that you still need to breakthrough? Or are you happy with where you are? >> AUDIENCE MEMBER: There is always more to wish for and always more to build on. I think we have come a long way, especially with law enforcement in managing the perception and expectations and actually get them to participate. Law enforcement now sees RDRs as a partnership and the communities as a group that can actually make a change and participate to drive the change. So that's an important part. To come back to more easier, earlier overarching question is like what would you sort of put back on your wish list? And this is really for people to keep sharing and make sure that people can learn from our mistakes. It was brought up very early in the past. It's often security incidents. A lot of these things just happen by sheer stupidity. And it's really hard to sort of admit that you're stupid, but please do so, and please share that for other peoples to learn from so that would be the top of my wish list. Keep learning. >> WOUT DE NATRIS: Thank you. Who would like to be next? >> AUDIENCE MEMBER: I'm sure that there are many challenges that I could answer, but I will pick one. We have as governments in our infinite wisdom over the course of years have instituted laws for very good reasons at the time to... in the case I'm using to stop information sharing, essentially, or prohibit it. And it has become a legal impediment to information sharing between companies or between companies and government or between government and the public. And so what I would say is rather than finding laws that would continue to... that would restrict or regulate, finding ways to either create laws or adjust existing laws to enable information sharing. That's a challenge we have. >> WOUT DE NATRIS: Thank you. >> AUDIENCE MEMBER: Actually, I can add to that. We see enormous amounts of material on the internet and we cannot do it by human resource alone. We know we have a lot of techniques to solve the problem, but there are laws against it because it can also be abused, these techniques. I would love to use the techniques to get the material from the internet, but then again, you have the privacy laws. So here's a challenge. >> WOUT DE NATRIS: Is there a challenge for the oldest organization in this room, the IETF, that you still would like to conquer? Or are you totally happy? >> AUDIENCE MEMBER: No, there's still work to be done in the internet security area, for some reason. One challenge that is in my mind right now is it's easy when you have clearly separated things that we will provide you guys this and some other people something else and they're not going to conflict. But many things that we develop have sort of consequences elsewhere. As an example, we have been... the work has been progressing further on more encrypted communication. We worked on more efficient communication also. And that has impacted network operators and their ability to do traffic management. And trying to deal with the changes as we improve technology is sometimes challenging. So that's an ongoing thing for us. >> WOUT DE NATRIS: Real world found you, in other words. As a question, who thinks in your own private silo, you have open doors that are easily accessed by other organizations? Who thinks that is working right? Okay. Maybe I have to rephrase. Your work within your silo because that's what we're talking about here. Do you have your front door open? And do other organizations walk in to discuss the tough topics with you? Now can I see your hands please? Okay. How many? Two? >> MODERATOR: I have seen 13 hands. >> WOUT DE NATRIS: Don't name names, just raise hands. So that's a fairly sufficient. >> MODERATOR: Six hands on that side. >> WOUT DE NATRIS: So the others are happy with where they are. I think we reached sort of a natural conclusion and within time. I will ask for help in trying to define the best practices and scoring topics and specific definitions and names and bullets. So I'm going to see if we can come up with something which will undoubtedly need a lot of improvement. Because I don't have the assumption that we can do it all here, but I think it's the start of a discussion that may help move forward in those places where they're still struggle, what have you found? >> MODERATOR: I have written down a lot of keywords. Let's start with trust. I think that's the one that came up most. It was set that for trust you need perspectives about each other. You need to know each other's perspective. You need equality. Yep. You want transparency and transparency is also sometimes hard because it might fight your commercial interests. That's why integrity is also important. You need anonymization. And it's important to check if you're not threatening positions of, for example, law enforcement, but other organizations to make sure that they are willing to trust you and to work together. And therefore it's important to step out of your comfort zone. It's important sometimes to have neutral bodies between organizations that need to work together. And of course it's important to have aligned goals and a common cause. And it's important to show to all different parties how value is created for everyone and to make sure that everyone gets something out of collaboration. Apart from that, money is important, and to get money sometimes it's important to have an overview of everything that's happening and make sure that no one is doing the same work in different ways for the same amount of money. And next to money it's also important to get recognition and a little push sometimes. So, I think what's important is that, you know, transparency is also a big risk. And not only for the reputation, so there's a risk by being transparent for your reputation, but there's also a risk for the damage of the organization. And if you don't share, the loss might be the bigger risk of that part. So what else is if companies are convinced to work... organizations to work together voluntarily. It's important to realize how sensitive the issues are. What was also said is it's important to stimulate before regulate. So a quote was stimulate where you can, regulate where you must. And also it was clear that stimulation was often the first step by, for example, when a government funds something that might indicate that if there's nothing going to be done, regulation is going to follow. I think the last thing I heard which I found interesting was that we need critical mass to make something a success. So I think that's some of the things that I heard that sort of came back by different comments. >> WOUT DE NATRIS: Thank you very much. And I think he deserves applause for this. [ Applause ] We've got final remote participant question. >> GERARDO PEREZ: >> GERARDO PEREZ: For the record, it was the first question. >> WOUT DE NATRIS: I think we did something here which may have never happened before nowhere on the panels, no presentations, no slides, did you think this set-up worked? That we actually pulled out information which is valuable to the rest of the world? Or should we do it in a different way if ever next time? Were you comfortable in this setting? And did you hear the things you were hoping to hear or expecting to hear? So I think we did something right. So with that, I would like to thank you very much for your participation. I would like to thank everyone for making notes. Our remote assistance, even the camera man and everybody doing the transcript. And I hope you have a great IGF and stay here and a safe trip home. With that I thank you again for your participation in this. [ Applause ] Copyright © 2016 Show/Hide Header