• Dr Fitriani

    Q: I agree with @Stephane, cyber hygiene and cognitive self defence are important. But “banning obvious illegal business models” can be difficult because regulation can be slow and states can enter trade disputes because of this.

  • Alejandro Pisanty


    Q: Maarten, there is so much happening behind closed doors where even with your constraints, security by design only helps the good guys against other good guys. Anahiby, Elizabeth, cheers! Focus should be on the conducts like disinformation etc., then the tools; but address the motivations and m.o. always first. (to Maarten Van Horenbeeck)

  • Stéphane Duguin

    Cyber Peace Institute

    Q: @Briony - Very good point. Exponential digitisation does not help there, and cutting security corners to be the first in the market does not help either. This being said, we see the rise of mash up products (built on API, OS framework), from non secure libraries, so industry That’s where raising cyber hygiene and cognitive self defence is key. And banning obvious illegal business models

  • Maarten Van Horenbeeck

    Q: Reply to @Briony: It’s a great question - the main challenge with security by design is that it requires up-front effort. In other words, it is more expensive than simply building a tool that builds a problem. This means that organizations in countries with greater cybersecurity capability, and in particular education and economic pressure to build more secure products, are likely to do better than developing countries. There are ways to address this: for instance by building security into shared libraries, languages and reference architectures that become “the new norm”, and as a result are picked up by all, regardless of where they operate. But they often require more than simply security benefits to become popular.

  • Dr Fitriani

    Q: Good question @Briony, thanks for raising, I have a similar concern, especially if the business is not located within the state, the ability of government to work with business can be limited.

  • Benjamin Ang

    Q: Reply to Sherif Hashem, SUNY Polytechnic Institute: Purely from an academic view, cyber incidents - whether intentional or unintentional - which cause sustained power failure or sustained obstruction to medical services or other failures of critical infrastructure and essential services, could all result in loss of lives.

  • Briony Daley Whitworth

    Q: I have a question for the industry/cybersecurity operations people: how do the issues of security by design (or lack thereof) in existing and new technologies, which Jessica spoke to, interplay with the disproportionate threat landscape for developing nations we’ve been discussing, and how can government and industry work together to solve these issues? Could this lack of security in everyday technologies eventually reach the threshold volume to impact peace and stability?

  • Barth Hogeveen

    Q: As co-chairs of this session, are Indonesia and Australia happy with the current paragraphs on existing and potential threats in the OEWG report? Do you see gaps and omissions? Do the paragraphs build on a strong enough evidence base?

  • Dr. Fitriani

    Q: Quoting OEWG draft report “The technical, investigative and legal capacities required to arrive at or substantiate an attribution finding remain a significant challenge for many States.” >> Is public attribution/call out necessary? It may escalate international tension that brings about global conflict/instability?

  • Sherif Hashem

    SUNY Polytechnic Institute

    Q: In your view, which emerging cyberthreat is more likely to cause a major cyber incident that may result in loss of lives? (to Benjamin Ang)

  • Anahiby Becerril

    Q: Attacks on critical infrastructure of states are a great concern. This year we have experienced an increase in what can be considered critical infrastructure by using platforms and systems that keep us connected, that allow us to monitor our health, work, educate ourselves and develop essential products and services. And probably with the increase in our technological dependence more will be added to be considered critical. How can we prepare for these challenges?

  • Michael Cuddihy

    Q: What happens when countries with developed cyber capabilities ignore the needs of less developed countries? What happens when there is a vacuum? (to Benjamin Ang)

  • Bart


    Q: Looking at existing and potential threats, and building a common understanding, I think the ICT security paragraphs in the ASEAN Regional Forum strategic outlook are a good start of inter-state practice: http://aseanregionalforum.asean.org/wp-content/uploads/2020/10/ARF-Annual-Security-Outlook-21.10.pdf

  • Johanna Weaver

    Q: This joint proposal for establishment of a national survey of implementation may be of interest: https://front.un-arm.org/wp-content/uploads/2020/12/updated-december-2020-draft-v02-joint-oewg-proposal-survey-national-implementation.pdf

  • Gunjan Chawla

    Q: Building on Johanna’s question - what are the potential implications of the growing popularisation of ‘Zero Trust Architecture’ in cybersecurity systems for the role of trust in cybersecurity policies of organisations that rely on such technical architecture?

  • John Herring

    Q: Microsoft 2020 Digital Defense Report: https://www.microsoft.com/en-us/download/details.aspx?id=101738

  • Gunjan Chawla

    Q: To Paul: A few concerns on defining ‘offensive cyber capabilities’ - https://ccgnludelhi.wordpress.com/2020/08/07/what-are-offensive-cyber-capabilities/

  • Paul Meyer

    Q: For Gunjan: you noted the distinction between development vs deployment of offensive cyber capabilities. How can such steps be monitored unless the states concerned are prepared to be transparent about their actions in this regard?

  • Paul Meyer

    Q: For Benjamin: could you please provide some examples of what you mean by “supranational critical infrastructure”?

  • Anahiby Becerril

    Visiting Professor at UNAM-Mexico

    Q: One of the main challenges is to train the actors to prepare and prevent attacks with tools and techniques that we still do not know. In addition to the above, threats largely depend on the development of capacities of each state and its social, economic, and political reality. The use of targeting in conjunction with the deployment of unmanned aerial vehicles to attack targets in other countries can lead to escalating a conflict or triggering one. How could we face these challenges?

  • Elisabeth Oluoch Do Canto

    Q: Reflecting on Jeremy’s comments on the need for global cooperation for standards development. There are several international SDOs that adhere to the paradigm of open standards. Core principles of include cooperation, open/transparent processes, wide participation, consensus-based decision making and voluntary adoption. This approach should be encouraged.

  • Dr. Sherif Hashem

    SUNY Polytechnic Institute

    Q: In your view, which emerging cyberthreat is more likely to cause a major cyber incident that may result in loss of lives?

  • Eugene Weitz

    Managing Counsel, DXC Technology

    Q: How can MNCs and States (on a global basis) develop trust to work together on these threats?

  • Paul Meyer

    Q: Do you think the special nature of cyber disinformation operations merits it being treated in a multilateral context separately from cyber operations that have international security impacts? Perhaps it would be best to address this problem domestically given the challenges of trying to distinguish propaganda and misinformation from the global free flow of information.