Proposal

APrIGF 2022 Session Proposal Submission Form
Part 1 - Lead Organizer
Contact Person
Mr. Michael Karimian
Email
Organization / Affiliation (Please state "Individual" if appropriate) *
Microsoft
Designation
Director, Digital Diplomacy
Gender
Male
Economy of Residence
Singapore
Primary Stakeholder Group
Private Sector
List Your Organizing Partners (if any)
Microsoft, Private Sector.
CyberPeace Institute, Civil Society.
Part 2 - Session Proposal
Session Title
Protecting the Healthcare Sector from Cyber Harm
Session Format
Fireside Chat
Where do you plan to organize your session?
Online only (with onsite facilitator who will help with questions or comments from the floor)
Specific Issues for Discussion
Attacks on healthcare are attacks on people. These attacks, whether perpetuated by cyber or kinetic means, are attacks on all of us. They can have potentially devastating humanitarian consequences as they prevent access to and the delivery of essential services. Unfortunately, this situation has worsened since the start of the COVID-19 pandemic. Medical staff and healthcare facilities, already under immense pressure due to the strains of the pandemic, suddenly had to deal with increasingly sophisticated cyberattacks. In a number of cases this has resulted in a direct impact on patients, whose treatments were delayed or postponed.

In the midst of the pandemic, the Government of the Czech Republic, the CyberPeace Institute, and Microsoft decided to partner to identify the critical gaps that need to be addressed to protect the healthcare sector from cyber harm. Our organizations are committed to increasing both the resilience of and protections available for the healthcare sector through a multistakeholder approach, whether at the practitioner, technology industry, or state and international levels. Our partnership reflects not only our shared commitment to support, contribute, and advance the implementation of UN cyber norms, but also our belief that a multistakeholder approach to protect the healthcare sector is the only way to meaningfully increase its resilience.

Through a series of thematic workshops, we brought together healthcare practitioners, and cybersecurity, policy, international law, and regulatory experts to identify lessons learned and good practices to protect this vital sector.

This session will share recommendations from the workshops which can inform discussions everywhere; from ambulance dispatch rooms to the UN General Assembly Hall. We hope to inspire and strengthen a culture of cybersecurity and resilience in the healthcare sector, thereby protecting an area of vital importance for us all.
Describe the Relevance of Your Session to APrIGF
Under the theme of inclusion, particularly in the contexts of capacity building, digital rights / human rights, and the multistakeholder model, and under the theme of trust, particularly in the contexts of cybersecurity, cyber crime, cyber norms, and digital cooperation, this session will cover:

- Impact on frontline healthcare workers
- Practitioners' perspective
- Strengthening national resilience & lessons learned
- Capacity building & scenario-based resilience planning
- International law
- Diplomatic measures
Methodology / Agenda (Please add rows by clicking "+" on the right)
Time frame (e.g. 5 minutes, 20 minutes, should add up to 60 minutes) Description
5 minutes Introduction and scene settiing
15 minutes Impacts and solutions identified by the CyberPeace Institute
15 minutes Impacts and solutions identified by the Digital Asia Hub
25 minutes Open discussion with the attendees
5 minutes Speaker reflections, next steps, and closing
Moderators & Speakers Info (Please complete where possible)
  • Moderator (Primary)

    • Name: Pavel Mraz
    • Organization: Microsoft
    • Designation: Digital Diplomacy
    • Gender: Male
    • Economy / Country of Residence: Czech Republic
    • Stakeholder Group: Private Sector
    • Expected Presence: Online
    • Status of Confirmation: Confirmed
  • Moderator (Facilitator)

    • Name: Michael Karimian
    • Organization: Microsoft
    • Designation: Digital Diplomacy
    • Gender: Male
    • Economy / Country of Residence: Singapore
    • Stakeholder Group: Private Sector
    • Expected Presence: In-person
    • Status of Confirmation: Confirmed
  • Speaker 1

    • Name: Nayantara Ranganathan
    • Organization: Digital Asia Hub
    • Designation: Senior Research Fellow
    • Gender: Female
    • Economy / Country of Residence: India
    • Stakeholder Group: Civil Society
    • Expected Presence: In-person
    • Status of Confirmation: Confirmed
  • Speaker 2

    • Name: Charlotte Lindsey
    • Organization: CyberPeace Institute
    • Designation: Chief Public Policy Officer
    • Gender: Female
    • Economy / Country of Residence: Switzerland
    • Stakeholder Group: Civil Society
    • Expected Presence: Online
    • Status of Confirmation: Confirmed
  • Speaker 3

    • Stakeholder Group: Academia
    • Expected Presence: In-person
    • Status of Confirmation: Proposed
  • Speaker 4

    • Stakeholder Group: Academia
    • Expected Presence: In-person
    • Status of Confirmation: Proposed
Please explain the rationale for choosing each of the above contributors to the session.
Pavel Mraz: Prior to recently joining Microsoft, Pavel led the Government of the Czech Republic's work on protecting healthcare from cyber attacks.
Charlotte Lindsey: Charlotte is an expert in the application of International Humanitarian Law (IHL) to cyberspace and spent a decade as a Director at the International Committee of the Red Cross (ICRC).
Nayantara Ranganathan: Nayantara is a researcher and lawyer working on the politics and cultures of technologies. She studies, teaches and writes about the political economy of data, and its relationship with the law.
If you need assistance to find a suitable speaker to contribute to your session, or an onsite facilitator for your online-only session, please specify your request with details of what you are looking for.
An online facilitator will be required to help with questions from the audience.
Please declare if you have any potential conflict of interest with the Program Committee 2022.
No
Are you or other session contributors planning to apply for the APrIGF Fellowship Program 2022?
No
APrIGF offers live transcript in English for all sessions. Do you need any other translation support or any disability related requests for your session? APrIGF makes every effort to be a fully inclusive and accessible event, and will do the best to fulfill your needs.
No
Brief Summary of Your Session
Throughout 2021 and 2022, the Government of the Czech Republic, the CyberPeace Institute, and Microsoft brought healthcare and cybersecurity
communities together through the organization of multistakeholder workshops, each one addressing a critical topic related to the protection of healthcare
sector from cyber harm. During these workshops, key recommendations, lessons learned, and good practices were collected from a diverse group of
experts, practitioners, and stakeholders. Based on what we heard and learned in these discussions, we have developed this Compendium of Multistakeholder
Perspectives on Protecting the Healthcare Sector from Cyber Harm that offers healthcare institutions, governments, international organizations, and other stakeholders a useful resource to support their efforts to safeguard the healthcare sector from cyber threats.

This session explored the workshops' findings and recommendations, which are available online: https://blogs.microsoft.com/eupolicy/2022/07/28/protecting-critical-infrastructure-from-cyberattacks/
Substantive Summary of the Key Issues Raised and the Discussion
The session covered the following topics:

Threats to the healthcare sector:

Why is protection of the healthcare sector from cyber harm so important.
The experience in Asian & Pacific India when it comes to cybersecurity and healthcare sector.
The CyberPeace Institute's data on the evolution of the threat and harm, including the impact cyberattacks against healthcare have on individuals.
The important factors & trends in how cybersecurity risks are understood across Asia and the Pacific, including where some economies can still be considered emerging markets for data.

International responses:

The latest UN responses to healthcare cyberattacks.
The Microsoft and Czech Republic Healthcare Compendium project as an effort to translate UN commitments into operational realities.
The UN's recent designation that medical facilities are critical infrastructure falling under the protection of applicable cyber norms of responsible state behavior; how to promote greater accountability for malicious cyber behavior internationally; and the role of diplomacy and international law in this space.
The differences between more developed and less developed countries in the region.
The concrete steps stakeholders at all levels can take to increase resilience of the healthcare sector, whether through capacity building, updating international and national legal frameworks to the digital reality, or connecting the operational realities and demands at national level with diplomatic outcomes at the global level.
How to bridge the existing gaps in strengthening resilience of the healthcare sector across countries in Asia & Pacific and beyond.
Conclusions and Suggestions of Way Forward
Here are five key recommendations from our reports that governments and critical infrastructure providers should tackle as a priority:

1. Cybersecurity must be understood as a continuous process
Technology and its uses continue to develop at speed. We need to recognize that there will always be important systems in need of protection against malicious actors with harmful intentions and sophisticated capabilities – we will never be able to say that we have accomplished cybersecurity online. Risk management needs to be at the heart of any approach we take.

2. Focus on harmonized regulation that spans sectors and countries
Cyberattacks can have spill-over effects and cross-sectoral impact based on the use of the same underlying technology. Harmonization and alignment are key, which is why the NIS2 Directive aims to streamline risk management and incident reporting across critical infrastructure sectors. Emerging sector-specific legislation, for the financial services or energy sectors, for example, should ideally build on the NIS2 baseline requirements and agree to guarantee consistent and effective regulatory frameworks.

3. Increase information sharing and capacity building efforts
Cybersecurity responsibilities are distributed among many regional, national, and industry actors. Often these entities do not communicate outside their own sector or country. However, attackers do not respect borders, and we need increased information exchange on best practices and defensive actions. Greater collaboration between public and private actors is key to ensuring success in this regard. Similarly, there is an urgent need to address the cybersecurity skills gap. The Global Forum on Cyber Expertise as well as private sector initiatives can play a critical role in further advancing these efforts, domestically and internationally.

4. Establish a culture of cyber resilience
While governments can advance protections for the sector through legislation, there are actions that critical infrastructure providers can take to strengthen the security of their operations. “Box-ticking” cybersecurity compliance is no longer enough. Organizations must invest in continuous cybersecurity protection to thwart ever-evolving threats. This includes implementing horizontal, not hierarchical, IT security team structures within organizations to break down organizational siloes, and to ensure a swift escalation of an issue and a timely response. Organizations should educate all employees on the role they have to play in preventing cyberattacks through good cyber hygiene.

5. Hold malicious actors accountable
Perpetrators of cyberattacks rarely face consequences for their actions. While attribution can be politically sensitive at times, more efforts are needed both nationally and internationally to sanction bad behavior. Recent discussions at the UN have made it clear that international law applies to cyberspace in its entirety.
Number of Attendees (Please fill in numbers)
    • On-site: 40
    • Online: 25
Gender Balance in Moderators/Speakers (Please fill in numbers)
  • Moderators

    • Male: 2
  • Speakers

    • Female: 2
How were gender perspectives, equality, inclusion or empowerment discussed? Please provide details and context.
The session recognized that the project has drawn mostly on experiences of practitioners from Europe, North America, and even Singapore, where cybersecurity maturity is relatively high. The session intentionally examined the differences between high-income, medium-income, and low-income countries and communities, and gender divides and urban-rural divides.
Consent
I agree that my data can be submitted to forms.for.asia and processed by APrIGF organizers for the program selection of APrIGF 2022.