IGF 2020 Launch of DC Internet Standards, Security & Safety (DC-ISSS)

Time
Friday, 6th November, 2020 (09:10 UTC) - Friday, 6th November, 2020 (10:40 UTC)
Room
Room 1
About this Session
This session includes: an opening presentation on the DC-ISSS objectives; formal presentations; presentations on the working Groups: i) security by design; ii) education and skills; and iii) procurement models for driving the deployment of security standards; an interactive discussion.
DC

Dynamic Coalition on Internet Standards, Security and Safety (DC-ISSS)

Other - 90 Min
Format description: It is a virtual meeting, a combination of presentations and open debate.

New Online Format
Other (please, explain in the Description field below)
Theme
Description

The session is the first meeting of this new IGF Dynamic Coalition which will promote global adoption of the recommendations of the IGF’s Pilot Project Implementing standards for a safer Internet in 2018-20 published in the report Setting the Standard for a More Secure and Trustworthy Internet. The session agenda will include a presentation on objectives and management structure, and the participating stakeholder experts will finalise the overall workplan and first year priorities, and confirm the establishment of thematic working groups for the first phase of the coalition’s work.

Those interested to join the work program, please join the mailing list here: https://intgovforum.org/mailman/listinfo/dc-isss_intgovforum.org

Relevance to IG

The aim of the Dynamic Coalition on Internet Standards, Security and Safety (DC-ISSS) is to achieve rapid and more widespread deployment of Internet standards and ICT best practices relating to online security and safety. Consistent with the IGF’s evolving role as an inclusive, multi-stakeholder forum for consensus-based policy incubation, and global champion of best practice, the DC-ISSS will bring together expert stakeholders from the technical community, civil society, government policymakers, national regulators, corporate and individual users. Their aim will be to establish the conditions for wider, more effective and more rapid adoption of key standards and best practices relating to security and safety.

Through the network of stakeholder community liaisons which the DC-ISSS intends to establish, the adoption and deployment of recommended security and safety standards and practices will be tracked and evaluated as tangible outcomes of the IGF community’s work in addressing the long-standing gaps and deficiencies in global online security and safety.

Relevance to Theme

Achieving greater online security and safety is a priority for many governments and business organisations, and for the technical community, civil society and individual personal and corporate users of digital technologies and services. The vulnerability of many existing and future Internet-related devices and applications to security threats and the spread of online harms and criminal misuse, is widely recognised as largely due to relevant standards and practices not being effectively deployed worldwide in order to mitigate and prevent these risks. This undermines the trust of private, corporate and public sector users in the Internet and its related digital technologies and applications, and has created the serious risk that the positive social, economic and development benefits of transformative digital technologies will not be fully realised for all communities worldwide. The primary goal of DC-ISSS is to bring together experts from all the relevant stakeholder communities in order to make online activity and interaction more secure, trusted and safer by ensuring that standards and best practices play their full role in addressing these challenges. It will achieve this by delivering recommendations and evaluating their adoption by decision-takers.

Organizers

DC-ISSS leadership: Wout de Natris Mark Carvell Marten Porte

Speakers

Jon Albert Fanzun, Swiss Federal Ministry of Foreign Affairs

Rachel Azafrani, Microsoft

Olaf Kolkman, Internet Society

Ghislain de Salins, OECD

Raymond Onuoha, Research teacher and consultant in digital policy

Janice Richardson, Expert in Information literacy at Insight S.A.

Yurii Kargapolov, Chair of ISOC IoT Special Interest Group

Alejandro Pisanty, professor in chemistry at universidad NAcional Autonomico de Mexico

 

Onsite Moderator

Wout de Natris, De Natris Consult

Online Moderator

Marten Porte

Rapporteur

Marten Porte, Porte Consultancy

SDGs

GOAL 4: Quality Education
GOAL 8: Decent Work and Economic Growth
GOAL 9: Industry, Innovation and Infrastructure
GOAL 16: Peace, Justice and Strong Institutions

Presentation
1. Key Policy Questions and related issues
WG Security by design - Internet of things: What are current best practices? To detect divergence in national policy and provide advice on global harmonisation. Identify barriers for deployment of best practices and provide policy to overcome these barriers. To identify IoT attack and threat vectors. To create a best practice proposal on IoT-legacy.
WG Education and Skills: Examine whether current education curricula include Internet security, safety, governance and architecture and provide a best practice policy for ICT education programmes. Bring together experts with the aim of establishing collaboration. Agreement on how to disseminate and promote the outcomes of the WG, taking into account national and regional differences. Provision of guidance for vocational training programs, e.g. relating to procurement decisions and deployment generally of Internet standards and ICT best practices.
WG Procurement, supply chain management and business case: Prepare practical guidance on incorporating relevant security standards in procurement objectives. Compile best practice guidelines to support purchasers to make better decisions. Promote a framework to increase consistency amongst national public sector purchasers and regulators. Resolve gaps in knowledge on security standards on the national level. Advocate inclusion of security-based procurement in government digitalization strategies. Consider liability regimes with penalties to strengthen compliance with security standards recommendations. Establish a continuous role for the IGF as multi-stakeholder observatory to monitor and review security standards deployment.
2. Summary of Issues Discussed

Before this DC-ISSS launching workshop several preparatory meetings have taken place to decide on the most urgent topics to start work on. These were presented in the day 0 workshop #19 'Let's Work!' and the comments made have been taken into account. This launch was used to present on the urgency of deploying security related Internet standards and ICT best practices in general, after which the working program and main policy questions were presented. All the debates had taken place in the previous sessions. The work programme of the DC-ISSS is seen as ambitious but has full agreement on the three identified Working Groups and the identified topics and questions within the Working Groups, as presented above here.

3. Key Takeaways

1) The main recommendations considering the slow deployment of Internet standards and ICT best practices have been identified and agreed upon. Participants in the DC have turned then into specific topics and a workplan that addresses: a) the steps towards the identification of current best practices; b) the ambition to present policy recommendations.

2) There is broad stakeholder support and participation for the three workplans, that in the coming year are expanded to absent stakeholders.

3) The work starts in the last week of November.

6. Final Speakers

Wout de Natris

Jonas Grätz - Hoffmann

Olaf Kolkman

Raymond Onuoha

Ghislain de Salins

Mark Carvell

Yurii Kargapolov

Janice Richardson

Alejandro Pisanty

7. Reflection to Gender Issues

Short report: The DC-ISSS was successfully launched in this session. Gender issues were not a topic in the DC. Differences on the national and regional level have been mentioned and taken into account. Due to cancelation, declining the invitation to speak and the offered speakers, gender balance unfortunately has not been reached.

 

8. Session Outputs

Report IGF 2020 Launch of DC Internet Standards, Security & Safety (DC-ISSS)

Friday, 6 November, 2020 - 09:10 to 10:40 UTC

DC-ISSS leadership:

  • Wout de Natris
  • Mark Carvell
  • Marten Porte

 

This session marks the official launch of the Dynamic Coalition on Internet Standards, Safety and Security (DC-ISSS). Wout de Natris, Chair of the DC, presented the goals of the event and of the DC at large: make policy recommendations and connect both existing stakeholders and new stakeholders. A picture was painted on the status quo of the implementation of Internet standards and the reasons that have led to this. For this, the connection was made to the report that came out of the 2019 IGF pilot project on Internet standards deployment, which investigated both causes and possible solutions of slow standards deployment, of which three were selected, by the DC-ISSS participants, for the initial work of the Dynamic Coalition:

 

  1. Security by Design - sub-group IoT security;
  2. Education and skills;
  3. Procurement, supply chain management and the creation of a business case.

 

Following the introduction, four experts gave a short presentation on the importance of a safer internet and the deployment of security standards.

 

Jonas Grätz-HoffmannOffice of the Special Envoy for Cyber Foreign and Security Policy, Federal Department of Foreign Affairs, Switzerland – spoke about the importance of digital governance for the Swiss Government. He also warned of the fragmentation of global rules and standards and the Internet as a whole. He stressed that the Dynamic Coalition could become a key milestone in strengthening the IGF in new ways in terms of creating concrete, actionable outcomes.

 

Olaf Kolkman - Principal, Internet Technology, Policy and Advocacy, Internet Society – spoke about positive examples of standard deployment and the reasons behind them. Based on a book by Everett Rogers, ‘Diffusion of Innovations’, he explained that the deployment of innovations generally goes through five stages:

  1. Knowledge/awareness is necessary;
  2. The innovation needs to seem useful to the potential user;
  3. Decision will be made on deployment;
  4. Implementation phase;
  5. Confirmation that the innovation works and you keep using it.

 

For the persuasion phase, five factors are at play:

  1. Relative advantage;
  2. Complexity;
  3. Compatibility;
  4. Try-ability (without breaking the system);
  5. Observability.

Security standards have serious issues on all these five factors. The relative advantage is often missing, especially for first movers. We see deployment especially lacking when complexity is high. Also new standards are often inherently incompatible with other standards. On top of that, big challenges exist with being able to try new standards and observing that a standard has been implemented. Initiatives should focus on improving these five factors.

 

Raymond Onuoha – Associate Member, African ICT Foundation – showed the challenges that exist in standards deployment in an African context. One report showed the importance of network security as a shared responsibility. Therefore, initiatives exist to avoid duplication of efforts and to bridge capacity deficits. Furthermore, the necessity of capacity building was stressed, which can be considered by Working Group 2 of the DC-ISSS. Lastly, he highlighted that national governments are key actors for promoting best practices and facilitate information sharing.

 

Ghislain de Salins – Digital Security Policy, OECD – gave a presentation on IoT security by design. He explained the work being done in the OECD and the importance of IoT security. Also, the different stages in which vulnerabilities can appear, such as in the microprocessors, meaning that a once secure product is not necessarily secure forever. Also, an issue with IoT products is legacy products, or products that are no longer updated by the manufacturer. One of the issues is the misalignment of market incentives. The OECD designed a policy tool kit which goes from raising awareness to liability legislation.

 

Presenting the DC-ISSS

In the following part of the session Mark Carvell recounted the road taken from the pilot project around the IGF in Berlin to the current session. He stressed the commitment to sustain the momentum, including a series of individual stakeholder consultations on key issues and priorities for the first phase of taking the work further under the auspices of the IGF and thus bring the topic of deployment to a next level. The goal is to use the IGF framework to deliver tangible policy outcomes.

The themes of the three DC-ISSS Working Groups were then presented:

WG1: Security by Design: Sub-group 1 - Internet of Things

Yurii Kargapolov – Chair of IoT Special Interest Group, Internet Society – laid out the proposed work for the working group on Internet of Things. He stressed the importance of protecting websites against the most common vulnerabilities and of enhancing the trustworthiness of platforms. It will also be important to avoid duplication of other IoT-related initiatives. The first aim of the working group will be creating guidelines of best practices. Secondly, the working group will aim to identify current barriers to deployment and how to overcome these barriers. Another topic that was touched upon was the disclosure of vulnerabilities which is necessary for safe IoT-devices.

 

Participants asked if there will be more working groups on security by design. These are foreseen and can be activated by request or when it is necessary to do so.

 

WG2: Education and Skills

Janice Richardson – International Advisor, Insight S.A. Luxembourg – presented the goals for the second working group on education and skills. She stressed the importance of including Internet security in education and skills programmes. She explained that some of the information or communication technology courses, e.g. at university and the vocational level, currently do not include digital security, which is problematic. The working group will identify best practices. In addition, the security of online learning platforms is important, but might be addressed in another working group. In conclusion, she believes that educational curricula should include greater coverage of Internet security, safety, governance, and architecture depending on the level. Rather than working on public awareness, the working group aims to reach relevant organisations such as ministries of education and universities. Other outreach options were also discussed.

 

WG3: Procurement, Supply Chain Management and the Business Case

Alejandro Pisanty – Universidad Nacional Autonomico de Mexico (UNAM) – illustrated the difficulty of having many competing standards. He explained that many rules are being created but often not followed up on. This working group on procurement, supply chain management and business case will look at how the normative role of the government can be used to increase deployment of standards. The purchasing power of the state and large corporations should be put to good use to include these standards in their purchasing requirements. One of the goals will be to create a comprehensive practical guide on incorporating relevant and optimal security standards in procurements, including SMEs. Also, knowledge gaps and inconsistencies between countries should be bridged. Best practices are to be shared by the participants, as well as bad practices from the past.

 

Closing remarks

The three remaining themes, a) regulation, b) human rights and consumer protection, and c) responsible disclosure of vulnerabilities will start at a later phase of the project, as soon as it is opportune to do so. This is the same for other sub-themes in WG1 on Security by design, e.g. for websites, platforms, data storage, software, etc.

 

The Chair concluded the session by thanking all speakers and inviting everyone who is interested to join and share their knowledge and ideas. It was also requested that people who are interested in chairing one of the working groups get in touch with the leadership.

 

Furthermore, the need for funding to actively support the work within and progress of this Dynamic Coalition is stressed by the Chair. He concluded by highlighting the progress that has been made on this topic within the IGF framework. Now the real work on content will start. A special thanks goes out to the Swiss Federal Ministry of Foreign Affairs for its support in making the launch of the DC possible.

 

The working groups will meet on Tuesday 24 November (WG1), Wednesday 25 November (WG2) and Friday 27 November (WG3), all at 12.00 UTC. More information and the link to sign up to the mailing list can be found here.

 

10. Voluntary Commitment

All three WGs are filled with experts, from around the globe and all stakeholder groups, who have expressed their willingness to contribute. (See the DC-ISSS mailing list.) Since the launch the group has grown further.