
IGF 2024 Day 0 Event #35 Empowering consumers towards secure by design ICTs

    DC Internet Standards, Security and Safety (IS3C)

    Speakers

    Bastiaan Goslings (SIDN, vice chair IS3C WG 8), Janice Richardson (InSight, chair IS3C WG 2), Kristina Mikoliūnienė (council member RRT Lithuania), Steven Tan (Team Lead safer internet CSA, Singapore), João Moreno (IS3C Project Lead IoT), Elif Kiesow Cortez (Director Quantum and AI, WG 9 chair), Nicolas Fiumarelli (LACNIC/ISOC, WG 1 chair).

    Onsite Moderator

    Wout de Natris

    Online Moderator

    Janice Richardson

    Rapporteur

    Mark Carvell

    SDGs

    9. Industry, Innovation and Infrastructure
    12. Responsible Production and Consumption

    Targets: The deployment of security-related Internet standards and ICT best practices directly results in far more secure development and manufacturing of ICTs, resulting in a far more secure and safer use of the Internet and IoT for all end users. This allows for further and safer economic development and innovation. The deployment of security-related Internet standards and ICT best practices also leads to responsible production, which includes the ICT industry, which is able and often responsible for deploying the standards, leading to more secure and protected consumption.

    Format

    Roundtable

    Interactive consultative session comprising two parts (60 + 30 minutes).

    Part 1 (60 minutes):

    1. Short opening presentation by two experts from the ICT industry and a consumer protection agency on the challenge of raising awareness amongst consumers of the benefits of purchasing ICT products that are secure by design. (10 minutes)
    2. Interactive discussion with onsite and online audience to identify how to ensure consumers understand the importance of buying digital products that are secure by design. (40 minutes)
    3. Summing up of main points of agreement. (10 minutes)

    Part 2 (30 minutes):

    1. Short opening presentation by an expert from the Dutch Institute for Vulnerability Disclosure on the practice of responsible disclosure and the experience of successful examples in mitigating risks to consumer security and safety. (10 minutes)
    2. Exploratory discussion with session participants on the merits of this approach and how it might be formalised at scale regionally and globally. (15 minutes)
    3. Summing up of general points of agreement and next steps to develop the required framework of cooperation. (5 minutes)

    Description

    The deployment of the latest generation of security-related internet standards and ICT best practices is at best a moderate success for some and dismal for many. IS3C endeavours to speed deployment up by raising awareness of how deployment by the ICT industry can be stimulated in a positive way: by providing reports on the current situation, including recommendations and best practices. It has also provided toolkits that can assist in procuring ICTs, and today it will present a set of arguments that can convince decision-takers in organisations either to deploy or to demand deployment through procurement procedures. Its plans for the future include the organisation of workshops on ICT procurement, IoT security by design and “The Hub”.

    IS3C’s new tool providing arguments that can sway decision-takers to decide positively on deployment is presented at the IGF in Riyadh, as is our animation film on closing the gap between what tertiary cybersecurity education offers and what industry demands.

    In a highly interactive consultative session the topics of cybersecurity standards and consumer awareness and protection are brought together. Participants will discuss how consumer organisations and consumer protection agencies can contribute to the adoption of security by design principles in the global ICT market. In this part of the session IS3C will discuss how consumer (protection) organisations can contribute to the more widespread deployment of the latest cybersecurity standards. The session will consider in particular: i) new ways of empowering consumers towards a level of awareness that allows them to make a well-informed choice when buying ICT products that are secure by design; ii) the value of comprehensive independent testing of the security of ICT products entering the global market; iii) whether there is a role for regulators in ensuring that producers, suppliers and service providers comply with the latest cybersecurity standards, in order to increase the ability of their consumers to protect themselves when they use their devices and services; and iv) whether there are ways in which these two very different kinds of organisation could cooperate in the future to achieve secure by design ICTs.


    IS3C has ambitious plans for 2025. It will share them with you in this workshop. Of course, there will be ample time for discussion and questions.

    In this IS3C Day 0 workshop the deployment of the latest generation of security-related internet standards and ICT best practices will be presented from different angles. The main part consists of a roundtable discussion on how consumer organisations and consumer protection agencies can contribute to a more secure and safer internet. How can they ensure that consumers better understand the importance of buying digital products that are secure by design?

    The workshop’s agenda is:

    1. The launch and presentation of IS3C’s latest toolkit and report titled ‘To deploy or not to deploy, that’s the question. How to convince your boss to deploy DNSSEC and RPKI’. (10 minutes)

    2. The premiere of IS3C’s short film on the cybersecurity hub made by students and staff of the Pixel Blue College, Alberta, Canada, followed by a call to join the Hub. (10 minutes)

    3. The consumer debate takes the form of a round table (40 minutes). In this interactive discussion with onsite and online audience we discuss how we can ensure that consumers better understand the importance of buying digital products that are secure by design. The second angle is: what could be the role of consumer advocacy and protection organisations in putting pressure on the ICT industry to produce and/or provide secure by design products, software and services? The panel will also reflect on the potential role of IS3C in raising awareness with these organisations.

    4. Finally, IS3C will announce its plans for 2025 (15 minutes)

    5. Questions (15 minutes)

    Key Takeaways

    1. Tertiary cybersecurity education curricula need to align with the demand coming from the cybersecurity industry.
    2. Consumer organisations and consumer protection organisations have a role to play in showing the (lack of) security of ICT systems, devices and services.
    3. What are the societal impacts of ubiquitous IoT devices, insecurity by design and the impact of quantum computing in the near future?

    Call to Action

    1. Join the Cybersecurity Hub and develop the cybersecurity curriculum of the future: https://qrco.de/is3ccyberhub
    2. The kick-off meeting for consumer organisations is early in 2025.
    3. IS3C starts its research into the societal and political impact of quantum computing in combination with ubiquitous IoT systems and devices. The report is presented in Lillestrom.

    Session Report

    This interactive workshop was opened by Wout de Natris, who is the coordinator of the IGF’s Dynamic Coalition on Internet Standards, Security and Safety (IS3C). Wout explained that IS3C’s overarching aim is to make online activity and interaction more secure and safer by achieving more widespread and rapid deployment of existing security-related Internet standards and ICT best practices. Further information about IS3C is available at https://www.intgovforum.org/en/content/internet-standards-security-and-safety-coalition-is3c and https://is3coalition.org/.

    IS3C’s policy research and best practice analysis since its launch in 2020 has focussed on three priority areas: i. security policies for the Internet of Things; ii. education and skills gaps relating to cybersecurity; and iii. public and private sector procurement practice as a driver for deploying security standards. It is now time to put theory into practice through creating capacity building programmes so that the guidelines, policy recommendations and tools developed by IS3C based on its research analysis, can be implemented worldwide.

    With this aim in mind, IS3C working group leaders presented in this session the following proposals for action:

    1. the establishment of a Cybersecurity Hub that will bring together industry and education experts to address gaps in cybersecurity skills;
    2. the dissemination of a list of the most important security-related Internet standards, and a narrative for promoting the adoption of RPKI and DNSSEC;
    3. the creation of a new IS3C workstream to examine the role of consumer protection agencies in advancing greater security online, and make recommendations;
    4. the roll out of a project to analyse the societal impacts of ubiquitous secure by design Internet of Things (IoT) and post-quantum cryptography (PQC).


    i. IS3C’s Cybersecurity Hub proposal

    Janice Richardson, Chair of IS3C’s Working Group 2 on Education and Skills (see the IS3C WG 2 plan and mission statement at https://is3coalition.org/working-groups/), explained the background to the proposal to establish the Cybersecurity Hub. There has been a tectonic shift in the cybersecurity landscape: cyberattacks are growing, and the rise of generative AI has made it much easier to attack many of the applications that are used daily. Organisations have increasingly moved their business to the cloud, which has also created points of fragility, and identity-based attacks are growing considerably. It is important therefore to educate Internet users about how to address these risks.

    IS3C’s study on education and skills, published in 2023 (https://is3coalition.org/docs/study-report-is3c-cybersecurity-skills-gap/), showed that industry was increasingly concerned that young people are graduating from tertiary education without the necessary cybersecurity skills. Industry looks to the tertiary education sector to act in addressing these skills gaps.

    Furthermore, all Internet users need to be made much more aware of the fundamentals of effective cybersecurity. Young people need to understand the architecture of the Internet and the architecture of the cloud, if they are really going to help find innovative solutions.

    Educational curricula need to address these needs and it is important to improve the collaboration and the sharing of resources between industry and the tertiary education sector in order to do this. It is also necessary to address the lack of diversity and gender balance in the cybersecurity sector: if we do not have more women and people from different racial and cultural backgrounds involved in cybersecurity, it will not be possible to understand fully where the security breaches are occurring and how to address them.


    IS3C’s solution for addressing the security skills and knowledge gaps, the lack of collaboration between industry and the education sector, and the low level of diversity in the cybersecurity industry, is to establish a Cybersecurity Hub: a place where people from all walks of life, including young people, who are interested and involved in the cybersecurity system can meet, exchange ideas and develop solutions to address these skills gaps. IS3C extended at IGF 2024 an open invitation, with a promotional video (https://is3coalition.org/cybersecurity-hub/), to join the IS3C team in January 2025, when it will be holding meetings in preparation for establishing the Cybersecurity Hub during 2025.


    ii. IS3C’s tool for promoting the deployment of RPKI and DNSSEC


    Bastiaan Goslings of the .nl registry SIDN, a leading expert in IS3C’s Working Group 8 on RPKI and DNSSEC deployment, presented this new IS3C tool, which provides a non-technical narrative for decision-takers on the need to deploy these two key standards operationally (see: https://is3coalition.org/docs/how-to-convince-your-boss-to-deploy-dnsse…). This IS3C workstream was supported by ICANN and RIPE NCC.


    Although RPKI and DNSSEC have been available for several years as fundamental standards for the secure routing of Internet traffic, deployment is not optimal. While there has been some growth in their deployment, the level of implementation has been inconsistent and variable across different operators and geographical regions. In order for these two standards to achieve greater impact globally in increasing Internet security, their deployment needs to be increased substantially and more consistently worldwide. 


    Bastiaan emphasised that addressing this problem is fundamental to the security of the global routing of Internet traffic across the Internet’s domain name system which all Internet users, corporate businesses and public organisations rely on for trusted online communications and secure access to online services and content. IS3C’s Working Group 8 chaired by David Huberman of ICANN aimed to do this through developing a different positive narrative for decision-takers that would augment the existing supporting technical documentation.


    Bastiaan explained that the IS3C working group identified several barriers to adoption and implementation that this new narrative would need to overcome. These include a widespread perception of technical complexity associated with these standards, and the expectation of additional major costs if they were adopted, with resulting pressure on corporate resources. There are also assumptions that there are major knowledge and expertise requirements in order to operate these standards, as well as the need for additional management and control software and hardware.


    Many of these barriers and constraints are due to lack of proper informed awareness raising, education and training of engineers. Moreover, ICT managers often fail to understand the strategic security considerations and objectives for both public and private sector organisations, consistent with national security priorities, which RPKI and DNSSEC are instrumental in supporting. It needs to be better understood that the reputation of organisations as trusted partners for secure online services and related infrastructure, depends on the deployment of these key standards.


    The IS3C narrative setting out the benefits of RPKI and DNSSEC is therefore a tool for creating a better understanding of the long-term strategic value of adoption and implementation, and of the significant contribution they make to creating a safer and more secure online society. 


    iii. New IS3C workstream proposal on the role of consumer protection in advancing greater online security.


    Wout de Natris explained that in the previous 12 months IS3C has consulted experts in the consumer protection field on the merits of examining how consumer protection bodies and regulators could actively contribute to achieving greater security online, through for example labelling schemes and testing of Internet-related consumer products. The feedback from these preliminary discussions has been that this would be a valuable workstream for IS3C to establish, with the potential aim of developing guidelines, toolkits for consumer organisations, and recommendations for best practice.


    Kristina Mikoliūnienė of the Lithuanian communications regulatory authority RRT explained the regulator’s role in Lithuania in resolving consumer disputes about security, in child protection and in acting as an independent auditor for trust services and electronic identification. RRT operates one of the ten national safer Internet hotlines and has a cooperation agreement with Interpol. It has also engaged collaboratively with Internet platforms and service providers, including Google, YouTube and TikTok.


    Steven Tan of Singapore’s Cyber Security Agency (CSA) emphasised that it is important to work with industry on promoting cybersecurity awareness, for example to push ICT providers to adopt stronger security measures. He explained that if the national regulatory framework sets minimum security expectations, providers and developers of devices and services have no choice but to comply. This helps make security a standard practice rather than a competitive edge for individual suppliers in the market.

    Adopting this approach of balancing national regulation and industry recognition, Singapore for example launched an Internet hygiene portal and a cybersecurity scheme for IoT products, alongside initiatives such as industry certification and security labelling of devices. Steven said that such schemes drive greater compliance with cybersecurity standards which can exceed minimum security requirements while also enabling businesses to develop market advantage. He said that this mix of regulatory requirements and incentives motivates industry to keep adding improvements to the security of devices and applications.

    Kristina agreed that over-regulation can stifle market investment and inhibit innovation: RRT supports this broad approach of balancing regulation with incentives for industry.

    With regard to international cooperation, Steven Tan said that in addition to common security standards and more effective and faster responses to cybersecurity incidents, governments can play a crucial role in sharing cyberattack information, coordinating responses, and collaborating in joint initiatives. These cooperative initiatives help to build collective resilience and ensure that no country is left vulnerable due to being isolated from cybersecurity responses.


    CSA for example has developed a close working relationship with industry players such as Microsoft, Google, APNIC and the Internet Society. This kind of collaboration, coupled with government-led information sharing efforts, enhances cybersecurity capacities through information sharing, training and joint research initiatives. For example, working together to make IoT devices more secure will lead to the alignment of common security baselines, which in turn ensures that consumers have access to safer products.


    These international partnerships also help to address cross-border cyberattacks more effectively, making it harder for attackers to exploit gaps in security levels between different regions. Such international cooperation leads to better protection, greater trust, and more resilient digital services for everyone; governments need to work with industry to create a united front in creating greater digital trust. 


    Kristina agreed that international cooperation is vital for creating greater consumer safety on the Internet, for example through learning from the mistakes of others so that the same mistakes are not repeated in every country because of separately held views or attitudes to the same issues. The market analysis which RRT undertakes includes researching the experience of other countries, as well as sharing Lithuania’s experience with responding to cyberattacks.


    In terms of a model for such cross-border cooperation, Steven Tan suggested that working groups such as those created by IS3C provide a good starting point. These should involve government policymakers, industry leaders, standards-setting bodies and consumer groups, with the aim of collaborating on global frameworks for Internet and application security, ensuring that solutions would work across borders in support of a common global Internet and avoiding the risks of fragmentation and balkanisation.


    Steven added that a further step would be to establish workshops in regional fora where experts can discuss security challenges in order to mitigate the incidence of cross-border cybercrime. Capacity building initiatives would also be key in sharing best practice and supporting technology transfers, with the aim of ensuring that no region or country is left behind in achieving a safer and more secure Internet.


    Kristina added that it is very important first of all to clarify and define the problem to be addressed through such cooperation, because the Internet has so many different layers and every layer has its own problems; then to identify the experts and key actors to involve in the work; to undertake the necessary lobbying for adoption of solutions; and to decide which tools to use in the process (such as internet.nl for testing security resilience).


    iv. IS3C project on social impacts of IoT security by design and post-quantum cryptography (PQC)

    Wout de Natris announced that IS3C will start a new project in early 2025, led jointly by the chairs of Working Group 1 on IoT security by design and Working Group 9 on emerging technologies, which will examine the societal impacts of IoT security and post-quantum cryptography. This IS3C project is supported by the French Internet registry Afnic.

    Nicolas Fiumarelli, chair of working group 1, summarised the work undertaken in 2022-23 to compile a comprehensive analysis of national IoT policies and regulatory documents from 22 countries in all regions (see: https://is3coalition.org/docs/saving-the-world-froman-insecure-internet…). Analysis of these documents identified over 400 different best practices relating to security. 

    A major conclusion drawn from this analysis was that nations, particularly in the Global South, lack enforceable IoT security policies because many existing policies are voluntary or fragmentary. Global adoption of security by design principles is therefore hindered by this inconsistent regime of policy standards.

    On the positive side, IS3C’s research identified examples of promising solutions such as the cybersecurity labelling schemes introduced in Singapore and Finland which empower consumers by providing clear information about products’ security features. This in turn drives manufacturers to prioritise security in their product design and development.

    Nicolas said that these systems require robust independent testing mechanisms to ensure their effectiveness. Consumer empowerment, such as that provided by labelling schemes, must therefore be complemented by strong regulatory frameworks. IS3C Working Group 1 will continue in 2025 to update and add to its repository of data on IoT security policies worldwide, with the aim of promoting greater regional adoption of best practices for ensuring greater safety and security of IoT devices and related network applications.


    With specific regard to Working Group 1’s contribution to the joint project with Working Group 9, João Moreno explained that he will lead the analysis of the societal implications and consequences of the current levels of IoT security, including the impacts of threats such as hacking. The aim will be to identify what needs to change in order to strengthen the levels of security so that society is safer in the era of ubiquitous connected objects.

    Dr Elif Kiesow Cortez described the involvement of IS3C Working Group 9 on emerging technologies (information on WG 9: https://is3coalition.org/working-groups/) in this joint IS3C project. The working group will commence its next phase of work in early 2025 on post-quantum cryptography (PQC). The Afnic-funded project research will therefore have two intersecting areas of focus: one dedicated to the societal impacts of IoT security and the second to the impacts of post-quantum cryptography. Following a combined analysis of these domains, the project will proceed to undertake a multidimensional analysis of societal, legal, economic and environmental impacts.


    Elif emphasised that it will be important for the project to facilitate stakeholder engagement and dialogue about the societal implications and issues, such as digital transformation, economic competitiveness, future proofing against emerging threats and defining the optimum way forward for the secure global deployment and roll out of these technologies through effective international cooperation. IS3C intends therefore to submit a workshop proposal for this purpose at the next IGF in Norway in June 2025.


    The project’s principal output will be a report setting out policy recommendations, both at the state level and at the organisational level.


    Conclusions – the way forward for IS3C

    In his closing remarks, Wout de Natris reviewed the significant progress that the IGF’s Internet Standards, Security and Safety dynamic coalition had made since its launch at the virtual IGF in 2020 with the mission to make the Internet safer and more secure. The coalition’s initial focus had been on three specific policy areas: security by design for the Internet of Things; gaps in education and skills relating to cybersecurity; and procurement practice as an under-used driver of deployment of security standards.


    In 2021, IS3C presented its plans on how to address those three challenges. After relying wholly on voluntary contributions by experts, the first sources of funding for the coalition’s work came through in 2022, which provided support for the research activities and for the publication in 2023 of IS3C’s first three reports with recommendations and guidelines. The scope of the coalition’s work has expanded since then with additional areas of cybersecurity policy focus, including the deployment of specific standards (RPKI and DNSSEC) and emerging technologies (AI and quantum).


    The ongoing challenge of securing funding for IS3C’s research projects, and of ensuring that IS3C’s outputs of policy recommendations, best practice guidance and toolkits are disseminated as recognised IGF outputs, has led to internal discussions about how organising the coalition in a different way might help to overcome these operational challenges. The IS3C leadership team, comprising the Coordinator, the Working Group chairs and the Senior Policy Adviser Mark Carvell, is now reviewing two options for sustaining the future conduct of IS3C’s work.


    Firstly, the leadership team has decided to apply for IS3C to become an Internet Society special interest group. This will enable IS3C to spread its wings beyond the IGF community, attract funding for projects and develop its outputs as capacity building programmes (which is not an IGF function), while still retaining its status as an IGF dynamic coalition.


    The second option currently under consideration by IS3C’s leadership team is to incorporate the coalition formally as a not-for-profit foundation with an oversight board that would consider strategic issues including funding structure. This could possibly be supported by a membership fee and donations which the coalition is not able to accept under its current financial arrangements.


    Wout thanked all presenters, co-moderators, the IGF technical team and the scribes before he closed the meeting.