IGF 2018 WS #14 Stakeholders Promote Risk-Based Voluntary Security Framework

Organizer 1: B Wanner, U.S. Council for International Business
Organizer 2: BERNAT Laurent, OECD
Organizer 3: Karen McCabe Karen McCabe, IEEE
Organizer 4: Carolin Weisser, Global Cyber Security Capacity Centre

Speaker 1: Amanda Craig, Private Sector, Western European and Others Group (WEOG)
Speaker 2: Gregory Shannon, Technical Community, Western European and Others Group (WEOG)
Speaker 3: Carolin Weisser, Civil Society, Western European and Others Group (WEOG)
Speaker 4: Belisario Contreras, Intergovernmental Organization, Latin American and Caribbean Group (GRULAC)
Speaker 5: JUAN MANUEL WILCHES DURAN, Government, Latin American and Caribbean Group (GRULAC)


Sarah Geffroy, AT&T

Online Moderator

Judith Hellerstein, Hellerstein Associates


Barbara Wanner, U.S. Council for International Business


Round Table - 90 Min


1. Amanda Craig, Microsoft, will provide the business perspective on the value of voluntary, risk-based cybersecurity frameworks developed through public/private interaction, such as business input to the OECD’s 2015 Digital Security Risk Framework and the NIST Framework and their subsequent implementation. She also will explore the ISO/IEC 27103 technical report, a mapping of ISO/IEC standards to a high-level cybersecurity framework, as well as ISO/IEC 27101, a new project for technical specification describing how a country or sector can develop their own cybersecurity framework. 2. Greg Shannon, CERT Division, Carnegie Mellon University’s Software Engineering Institute, and Vice Chair of IEEE Internet Initiative, will discuss how incorporating automated security assessments and formal assurance methods to improve defensive cyber-deterrence enhance over-arching cybersecurity frameworks. He also will explore how IEEE created a platform to enable information exchange among developers and other stakeholders and how this platform disseminates the latest best practices and tools for securing critical systems.. 3. Carolin Weisser, Content Portal Manager, The Global Cyber Security Capacity Centre, Oxford Martin School, will focus on capacity building issues, drawing on the findings from the Centre’s research based on deployment of the Cybersecurity Capacity Maturity Model (CMM) around the world. The CMM looks at cybersecurity capacity through five dimensions considered crucial to building a country’s cybersecurity capacity, which include everything from policy and strategy, to cyber culture and education, to legal/regulatory frameworks, standards, and technologies. Ms. Weisser also will explain how the Centre’s cyber harm framework addresses these dimensions. 4. Belisario Contreras, Cyber Security Program Manager, Organization of American States (OAS), will build upon Ms. Weisser’s presentation on capacity building challenges, detailing how several members of the Organization of American States (OAS) have implemented risk-based cyber-risk management plans. He also present key findings of the OAS regional report and plans to ensure security of the financial sector. 5. Juan Manuel Wilches, Commissioner, Comision de Regulacion de Comunicaciones, Government of Colombia, will discuss how Colombia is working with the OAS in establishing and developing a national cybersecurity framework as well as the implications of Colombia’s recent acceptance as a global partner at NATO.


Both organizers and speakers have been invited to participate to ensure a diverse representation of government, intergovernmental organizations, private sector, and the technical community. We also have sought to ensure diverse regional representation, through the participation of the Government of Colombia, the OAS, and Oxford University as well as gender balance. The onsite moderator, two speakers, the substantive rapporteur and the online moderator are all female. Co-Organizers come from four stakeholder groups -- private sector, Intergovernmental organization, academia, and the technical community. First-time IGF session speakers include: Sarah Geffroy, AT&T; and Amanda Craig, Microsoft.

The workshop is designed primarily for stakeholders whose approaches to cybersecurity may be in infancy or as yet undeveloped, but also appropriate for a broad-based audience. Stakeholders from business, government, intergovernmental organizations, and the technical community will discuss their respective approaches to cybersecurity. These approaches emphasize a risk-based approach, public-private partnerships, global alignment, and technology flexibility. One element common to many cybersecurity frameworks – to be examined by the technical community -- entails “building security in” from the start through secure system development and design principles. In addition, a speaker will consider capacity-building challenges faced by many developing countries and small organizations. The agenda is as follows: 1. Cybersecurity Challenges Create Need for Collaborative Solutions: Importance of Multistakeholder Participation 2. Why a Voluntary, Risk-Based Approach Is Optimal 3. The Importance of Finding Consensus Among Global Stakeholders: International Standards and Trade 4. Design Principles to “Build in Security” from the Start 5. Addressing Capacity-Building Challenges: What Policies/Support Are Needed for Implementation? 6. Wrap Up

The Moderator was selected not only for her substantial expertise cybersecurity frameworks, but also for her experience moderating Roundtable discussions at global conferences. Drawing on this background, the Moderator will work with the co-organizers and speakers in a series of pre-IGF preparatory teleconferences to orchestrate a coherent "flow" to the discussion, which also respects the 90-minute time constraint. Speakers will be asked to identify two or three key points they want to make to address their specific topic; the Moderator, in turn, will interweave these points into a series of questions aimed at encouraging both expert commentary as well as discussion among the speakers and between the speakers and in-person/on-line participants. The Moderator will preview these questions and anticipated "flow" of the session with speakers in advance of the IGF so speakers can sharpen their comments and, if needed, gather additional statistics or supporting evidence. PowerPoint presentations will be discouraged. The emphasis will be on fostering an inclusive and informed conversation between the workshop speakers and with both in-person/online IGF participants. The pre-IGF preparatory process also will entail (1) confirming on-site discussants, who will attend the workshop and be prepared to ask a relevant question as a means of "breaking the ice" and encouraging other audience questions; and (2) reaching out to and confirming the participation of online discussants, particularly from emerging economies, who the Moderator will invite to offer comments or pose questions via the Online Moderator.

Ensuring a secure, stable, resilient, and accessible cyberspace is critical to realizing economic and social prosperity and ultimately attaining sustainable development throughout the world. This has been the key message of previous IGFs and the basis for convening the Best Practices Forum (BPF) on Cybersecurity. This workshop will build upon the work of the BPF Cybersecurity as well as take forward key messages of the 2017 IGF High-Level Thematic Session, “Empowering Global Cooperation on Cybersecurity for Sustainable Development and Peace.” In particular, we will aim to educate, inform, and help to break down siloes to facilitate cross-stakeholder and cross-sectoral cooperation in developing voluntary, risk-based security frameworks that will enable a nimble response to challenges in cyberspace.

Online Participation

The pre-IGF preparatory process will entail reaching out to and confirming the participation of remote discussants, particularly from emerging economies, who the Moderator will invite to offer comments or pose questions via the Remote Moderator following each agenda topic. In addition, the co-organizers will explore with Roundtable participants the potential for establishing remote participation hubs, particularly in emerging economies, delving into technical capabilities and needs that could be addressed by the business community. For the workshop itself, online participants will have a separate queue managed by the Online Moderator. Questions and comments will be rotated between the online queue and the in-person queue at the microphone. The Moderator will work closely with the Online Moderator during the pre-IGF preparations to establish effective means of communication between them to ensure the timely insertion of a remote question/comment. The Online Moderator will be strongly encouraged to participate in pre-IGF training provided by the IGF Secretariat as well as the preparatory teleconferences, the latter to thoroughly familiarize herself with the workshop substance. The Online Moderator also will be "backed up" by the workshop organizer, so that any unexpected technical problems or communication issues with the Moderator can be addressed expeditiously.