The International Telecommunications Union (ITU) estimates that by the end of 2018, 51.2% (3.9 billion people) of the global population will be online^[1]. The next three billion Internet users will likely come from the Global South especially Africa, Southeast Asia, and Latin America. This influx of new users are predicted to use the Internet in innovative ways to address different needs^[2]. Whether they do or not^[3], this will require a rethinking of the global Internet governance frameworks, to place human well-being, sustainable prosperity and collaboration as the basis for cyber peace. The path to this peace is through digital cooperation as manifested in the multi-stakeholder model practiced in the Internet Governance Forum (IGF) and other similar organisations.

As we consider the governance issues, we appreciate that we have a responsibility to all constituents who must live with the consequences of our decisions and actions. Groups that have been historically overlooked such as women, people living with assorted challenges especially in developing nations, and generations to be born should be given special consideration. To do this, we must be forward looking, review trends, incorporate multiple stakeholder perspectives while simultaneously understanding the past, present and future environments. A new framework must incorporate justice, respect for the dignity of life (including integrity and ethics), human rights, equity and access to knowledge.

A crucial role for the IGF is to support the Global South, especially Africa, to significantly improve its’ current cybersecurity posture. The Global South needs to focus on three key areas ⎼ capacity building, policy implementation (including investment) and recurrent expenses. There are three aspects of cyber capacity building that should be considered ⎼ building awareness about cybersecurity and risk management; training and implementation of lessons learned; and building the cyber pipeline towards the creation of sustainable streams of capable people.

At its’ core, cybersecurity is about risk management. However, the preliminary results of an ongoing study we are conducting show that many individuals in top management positions, do not have a real understanding of this, like what others have found^[4]. Given the relationship between the scale of cybercrimes (it is estimated that in 2017, African economies lost $3.5 billion USD^[5]) and the general lack of cyber hygiene and insight, concerted effort is needed to raise the awareness of cyber maleficence and how best to prevent and mitigate it. We find that organisations are more likely to conduct themselves by the standards of international good practice have either international affiliations or are in highly regulated sectors such as Banking and Finance. It is important for organisations especially in the Global South, to share information about attacks with their peers, members and stakeholders to mitigate risks. Regular cyber training that can help create a culture of cyber hygiene and understanding of risk management, will help to reduce the amount lost to cybercrimes and other cyber malfeasance annually.

The rate of technology change demands regular and flexible training that evolves with technology. According to Alvin Toffler, “the illiterate of the 21st century will not be those who cannot read and write, but those who cannot learn, unlearn and relearn.”^[6]Some organisations, routinely send people to train- however there is a difference between attending a training session and implementing the lessons learned. In regard to training, we have observed that:

1. The people sent may not be the people that are best suited to help the organization move forward in enhancing their cyber defense – honest, transparent and fair mechanisms to help decision makers make the optimal decisions on who should participate in what training, and when, are required.
2. Unfortunately, the primary purpose of attending a training session is not always the training per-se but the indirect benefits that accrue from “attending” ⎼ organizations should limit payments to core overheads, and instead make direct payments to service providers and avoid cash pay-outs to participants.
3. Though organisations send many people to be trained, participants often keep the knowledge accrued to themselves – organisations must evolve mechanisms that oblige beneficiaries to “step-down” the knowledge they have acquired to their colleagues, thereby deepening the organisations institutional knowledge base. Such peer based train-the-trainer situations create social pressure on the primary beneficiaries to pay more attention during the external training because they know they will subsequently impart what they have learnt to their colleagues.
4. Often travel for expensive foreign training occurs even when such training can (should) be acquired locally. African countries must endeavour to provide basic training locally while aspiring to develop the capacity for intermediate-level training locally. We thus expect that at some point in the relatively near future that only exceptional higher-level or specialised training will require foreign travel. It is imperative that Africa empowers a critical mass of local computer knowledge as soon as possible. One of the paths to empowering this desired critical mass of local knowledge is by building the capacity of local IGF affiliates to provide introduction/ basic capacity building activities, and trigger local ecosystems that can migrate up various capacity building value chains.
5. Drills are irregular and ad-hoc – deliberate programs of various cyber drills complimented by online/ e-tutorials to bolster capacity building are required to complement and enhance local capacity building efforts. The IGF needs to initiate change management processes relating to Bug Bounty programs and Vulnerabilities Equities Process (VEP). For software or related solutions to become robust they must be “immunised.” For immunisation to occur the software, or process, must be exposed to “friendly” hackers who will subject the product or service to real world rigors and document any failings in a credible VEP so that solutions to identified flaws can be addressed in a timely manner. Such mimicking of nature requires a significant mindset shift from an excessively secretive disposition to a more open posture which the IGF should encourage.

Among organisations that devote resources towards cybersecurity, many of their staff lack the capacity, training or authority to adequately fulfil their roles. We found that there is often an assumption that having basic protections in place (firewall, VPN, and antivirus software) means that an organisation is protected from all cyber threats. For the global south to fulfil its’ digital promise, we must take action to increase positive cyber capacities. Our ongoing study indicates that the single most important challenge is human resource capacity. Capable staff with poor equipment will always do much better than incapable staff with excellent equipment. To address this, the IGF and its affiliates must encourage:

1. Management, especially in the Public sector, to tie certification and training to perks and promotion while effectively monitoring the results – the IGF should facilitate related advocacy given that its members will be prime beneficiaries.
2. Raising, for example, the profile of cybersecurity, and other technology roles, noting that cybersecurity is NOT an Information Technology (IT) issue per se but a corporate risk management issue. If IT Projects experience massive breaches, then associated organisations and economies lose credibility and stakeholder confidence. Unfortunately, such risks are often not fully appreciated until after a major breach. The IGF needs to support the development and implementation of confidence building initiatives to foster stability (not stagnation) and trust in cyberspace.
3. The creation of national cyber capacity pipelines from primary schools to secondary schools through Higher Education Institutions. Such pipelines will help ensure that the loss of a single individual does not cripple an organizations’ cyber defense activities and that the haemorrhaging of professionals (as experienced in many global south economies) does not stall the development of needed cyber based economies. In many organisations, we find that there is a level of frustration that talented and capable individuals whom these organisations have invested in, leave and take their skills with them. There are examples of countries that have taken this pipeline approach and have created “an ecosystem that feeds itself, rather than an ecosystem that feeds on itself”^[7]. The IGF can form a clearing house for sharing global good practice to ensure that decision makers avail themselves of insight into what works and challenges to be mitigated.

Technology, good and not so good, moves significantly quicker than most governments can respond. As noted by Barry Raveendran Greene, “Cyber-criminals operate at the speed of light while law enforcement moves at the speed of law.”^[8] The rise in cyber related malfeasance against governments, organisations, and citizens in the global south is due in part to inadequate infrastructure that includes laws, policies and related processes. A 2016 report by the African Union and Symantec found that the majority of African States (30) did not have specific legal provisions on cybercrime and electronic evidence in force and only 20% had a basic legal framework in place^[9]. The implications are that activities that are crimes in certain jurisdictions, are not crimes in the ones that do not have the requisite laws in place. This undermines trust, digital cooperation, cyber stability and cyber peace. This also undermines the private sector as the engine for sustainable development and economic growth. Beyond national policies, organisations also need to have cyber policies in place and implement them. There seems to be a misconception among decision makers that once a policy is in place, action will be taken. However, we have observed that this is not always the case.

It is important to examine the recurrent expenditures that are associated with sustaining cyber infrastructure. Stakeholders need to assess the total cost of ownership of any cyber investment, because too often the focus is on capital expenditure, not recurrent expenditure. Experience across the global south demonstrates that more consideration needs to be given with regards to maintenance, upgrades, and “refresh” given the turnover of decision makers and haemorrhaging of technical specialists impacting institutional memory and operations.

Multi-stakeholder driven initiatives like the Internet Governance Forum (IGF) can provide the critical global frameworks that are key to developing and driving digital cooperation for sustainable and inclusive cyber peace based on natural universal principles of justice, equity and respect for human rights. The IGF should seek to position itself as the “translators and shock absorbers” of choice between various stakeholders including but not limited to Political/ Policy/ Paymasters who often seem to demand immediate solutions at no cost, and the Technical community who sometimes seem to seek unlimited time and budget to solve the problems at hand. Furthermore, as many us will attest, decision makers and the technical community often use different jargon and have difficulty understanding each other. This presents the IGF with the opportunity of evolving into a bridge, and bridge builder, between stakeholders. In doing so, the IGF will have reinforced its relevance and ensured its survival. These are legacies we will all be honoured and grateful to have contributed to.

^[1] ITU: https://news.itu.int/itu-statistics-leaving-no-one-offline/

^[2] Pisa and Polcari: https://www.cgdev.org/sites/default/files/governing-big-techs-pursuit-next-billion-users.pdf

^[3] Arora, Payal: The next billion users: Digital life beyond the West. Harvard University Press, 2019.

^[4] Serianu: Demystifying Africa’s Cybersecurity Poverty Line. 2017 : 88. http://www.serianu.com.

^[5] Serianu: Africa Cybersecurity Report-Kenya Cybersecurity Skills Gap. 2018 https://www.serianu.com/downloads/KenyaCyberSecurityReport2018.pdf.

^[6] Oxford Essential Quotations (4 ed.) Edited by Susan Ratcliffe https://www.oxfordreference.com/view/10.1093/acref/9780191826719.001.0001/q-oro-ed4-00010964

^[7] Ferreira V.: How Israel became a cybersecurity power ⎼ and what Canada can learn from it. In: Financial Post. 2019. https://business.financialpost.com/investing/how-israel-became-a-cybersecurity-power-and-what-canada-can-learn-from-it.

^[8] Barry Raveendran Greene bgreene@senki.org

^[9] African Union, Symantec: Cyber Crime and Cybersecurity Trends in Africa. 2016 : 96. https://www.thehaguesecuritydelta.com/media/com{\_}hsd/report/135/document/Cyber-security-trends-report-Africa-en.pdf.