IGF 2020 - Day 5 - DC Internet Standards, Security and Safety

The following are the outputs of the real-time captioning taken during the virtual Fifteenth Annual Meeting of the Internet Governance Forum (IGF), from 2 to 17 November 2020. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record. 



    >> MODERATOR: Welcome to the launch of the information internet standard security and safety.  I would like to remind you all that this meeting is being recorded and will be available at IGF YouTube channel. 

     The discussion is being hosted on the Internet Governance Forum Code of Conduct and United Nations rules and regulations.  Private chat is enabled and raise hands also.  If you would like to have a question or want to have the floor, send your requests using Q&A, raise hands or the chat box.

     So have a nice session.  Thank you.

     >> MODERATOR: Thank you very much, Joalo, and for the Secretary for supporting the session in a great way. 

     I see that one of the panelists is not there yet.  So if you could keep an eye on the signing in, then he can be put on because he will be presenting in a few moments.

     Ladies and gentlemen, thank you for being here.  Welcome to the panelists and presenters and thank you attendees for joining in on the session this morning.  We will show you the agenda and also Mark who is co-moderating is part of the leadership. 

     Here is the agenda that you can see that we were going through today.  We had a cancellation.  Rachel Azafrani from Microsoft had a flight rescheduled and is on a flight right now and sends regrets for not being able to participate, but she stressed she would be working on the working group on IoT in the future and ensuring Microsoft's participation there.

     We will go through the presentations, and we ask you to use chat actively and to the Q&A that you see at the bottom of your screen to start a discussion.  And if you think things should be different, please share that with us because that is the sort of information that we are looking for. 

     We will have an open discussion after the final presentation of the working group, and you will have ample time to share there.  As said, raise your hand, use the Q&A, and we will make sure that to give you the word where possible and we'll end with some final remarks on next steps and funding. 

     So first, let me welcome you to the official launch of the Dynamic Coalition on Internet Standards, Security & Safety, or the DC-ISSS as we are sometimes called.

     My name is Wout de Natris, and together with Mark Carvell and Marten Porte, I'm part of the leadership of the DCISSS. 

     This coalition has a clear goal:  To speed up the deployment of security and safety-related internet standards and ICT best practices. 

     This task will lead to different end goals.  For example, to identify, analyze, and present best practices.  To create and present policy suggestions for diverse stakeholders.  To connect different stakeholders and make sure they interact on the topic and work towards agreements on next steps beyond the IGF.  To spread messages to and thus involve relevant stakeholders currently not involved in internet governance.  To provide instructions for training programs at the nation level. 

     Let me first take one step back.  Where does this all come from?  And why is this such an important issue?

     When the internet was created, the creators of the internet and the standard that make it work did not have security in mind.  There was no need.  They all knew each other, they were working at universities and at the Ministry of Defense in the U.S. and they knew each other, and they trusted each other so why put in security. 

     There were no websites.  There was no external data storage.  There was no cloud computing.  There were no connected services or connected software or IoT devices, et cetera, et cetera, et cetera. 

     Only when the internet opened up in the mid-1990s to the general public, slowly but surely the limited security became apparent and opportunities for abuse and harm clear. 

     Spam, fraud, espionage, phishing, all terms that we had never heard -- well, we all heard of espionage, of course, but not involving the internet all became possible because of this lack of security in internet standards.  And standards are what make the internet work.  The public core of the internet, so to say.

     Internet technicians went to work and created new standards or additions to existing standards like the DNS securing the naming system.  RPKI securing the routing.  There's DCP 3, BCP 38, et cetera, et cetera. 

     They fixed different sorts of problems, but they are not unlike band-aids for wounds.  However, there seems to be one common feature to all of them.  Adoption by the internet industry is extremely slow. 

     And the same goes for making secure websites or creating better software or securing data or manufacturing secure IoT devices.

     Let's look at it from the totally different angle.  The ICT industry is one of the best facilitators of cybercrime.  It is not a nice thing to say, but unfortunately in reality this is something that must change in order to support digital transformation, to sustain economic development, and to make the internet safer to use for all end users across the globe.

     And this state was not something that I just make right now.  It comes from a study we held in 2019 and early 2020.  Because at the time of the IGF in 2019, the study was undertaken into the reasons behind the slow adoption that also looked at possible solutions.

     It was not hard to find common and more or less agreed upon answers as presented in the report of the IGF pilot project on this issue entitled, Setting the Standards for a More Secure and Trustworthy Internet that was published early March of this year. 

     There is consensus that there is no business case for deployment.  There is no standard demand for internet standard security so there is no offer.  There's no carrot, there's no stick, and pressure and nothing where incentives are concerned.  All investments, if you do deploy, but there is no return on it.

     The result is a non-level playing field between industry organizations contemplating deployment and those who do not.  So that's another strong disincentive. 

     Deployment is entirely voluntary with hardly any benefits if you do.  Internet standards and ICT best practices are not part of legislation so also there from that side there is no pressure.  And besides, they are virtually unknown beyond the technical and industry community as some experts participating in the processes of creation.

     And so they are very easy to ignore.  As a result, there is no real societal pressure on industry to deploy these important standards.  When consumers don't ask for and companies do not ask when they buy, there is also no incentive to deploy.

     So let us conclude there is a collective action problem.  Where serious action is undertaken, the raising of security awareness is focused mostly and sometimes only on the end user who has no role in the most important message to be taken, deployment of internet standards and ICT best practices.  They have no role there. 

     But now, let's move forward and see how this all can be changed.  The IGF pilot project identified six main issues as providing possible solutions to these problems.  The first is procurement and creation of a business case.

     The second, the role of policy makers and regulators.  The third one is security standards by design.  The fourth, human rights and consumer protection.  The fifth is education and skills.  And the sixth, the creation of a global testing and reporting program. 

     Identification of issues which we have just done is one step.  But translating them into action is another.  And this is what the DC-ISSS will work on.  That volunteers have worked over the past few weeks and selected three of the topics for this new Dynamic Coalition to start work on its first phase of work. 

     The first is Security by Design and subgroup on IoT security.  The second on education and skills.  And the third is procurement, supply chain management, and creation of a business case.  And here you can see the influence of the volunteers working because in the business case supply chain management was added.

     The volunteer experts have also added focus to the topic and searched for where value can be added to initiatives that are already being undertaken on these topics. 

     All three working groups will be presented on shortly.  And this will include their goals and first steps towards achieving the goals. 

     But first, we have four presentations that underline the importance of a safer internet and the importance of deployment of standards from different angles.

     Following that, we will have presentations in the three working groups and there will be time for your questions and comments.

     And please use the chat room to actively to use the comments and start discussion.  In the final part of our session today, the first step is introduced and the funding requirements to support the group program will be explained.  But first, it is my honor to present the speakers that we stress again, we need your ideas and your expertise.

     The first presenter that I can introduce is Jonas Gretz Hoffmann of the Office of the Special Envoy for Cyber, Foreign, and Security Policy of the Federal Department of Foreign Affairs Switzerland.  And I can add, the organization graciously have funded us to make the work that we are doing currently possible, for which I thank you as well. 

     The floor is yours, Jonas. 

     >> JONAS HOFFMANN: Thank you very much, Wout, for the ability to speak here today at the launch of this Dynamic Coalition.

     Thanks also for painting the bleak picture about internet standards dissemination.  I think things are changing, and not the least this Dynamic Coalition is a vivid example of how things are changing, and we need to move this forward together. 

     But I have to apologize for Jon Fanzun, my boss who is the Special Envoy for Cyber in the Federal Department of Foreign Affairs.  He had to unfortunately cancel his participation at the last minute. 

     But let me quickly try to outline why we as a government are engaging in this Dynamic Coalition on his behalf and why we deem it important to further internet standard safety and security.

     The importance of international digital governance for Switzerland has been underlined by the digital foreign policy strategy that has been adopted by our government this week.  The strategy aims to ways to profile of Switzerland in digital governance.  And even before the strategies traditionally Switzerland has been engaging actively in international discussions that define norms and tools for secure digital space. 

     We are, for example, currently represented with the national expert in the UN Group of Governmental Experts and our Ambassador as well to the UN in Geneva is sharing the ultimate working groups that discusses norms and responsible behavior and the application of international law to cyberspace, among other things.

     Furthermore, we are also contributing to the OECD's work within the working priority on the security of the two products.  And I'm happy that we Ghislain will be part of the work on this section.  I think common regulatory approaches can be a key factor to achieve greater security while avoiding fragmentation of markets. 

     Yet our new strategy also underlines that we are facing an enormous challenge of ensuring a free, open, and secure cyberspace for everyone. Not the least that States do not often agree on a common cause of action.

     The risk of a fragmentation of global rules and standards and the fragmentation of the internet is real for us.  The strategy, therefore, holds that we cannot achieve and secure open and free internet in isolation by just working with States but that we have to engage closely with the private sector and that we need to work with Civil Society and the technical community as well. 

     Against this background, Switzerland has launched the Geneva Dialogue on responsible behavior in cyberspace.  The Geneva Dialogue aims at supporting a global dialogue of the business sector focused on developing best practices and requirements for the security of digital products and services.  The partners of the dialogue are corporations such as Microsoft, Siemens, Kaspersky, Cisco and other global players.

     We will present the first results of the Geneva Dialogue next week Wednesday here at the IGF on 11 November at 11:20 UTC.  So I look forward to your participation. 

     Another priority of our strategy is strengthening the IGF by working towards an IGF class as also outlined in the UN secretary General's development for digital cooperation. 

     In our view, this Dynamic Coalition can become a key milestone in strengthening the IGF in a revolutionary way and make it more outcome focused.

     So what concrete outcomes do we expect, because that was one of the questions.  I think what this Dynamic Coalition should aim at is to translate best practices, standards and recommendations for the applicable and acceptable and relevant to a very broad set of stakeholders. 

     In our discussions in the Geneva Dialogue, we often came across the notion that existing standards are too complex to implement, that stakeholders do not understand them and therefore they are not really being implemented. 

     Of course, the regulatory approach is also necessary, but Ghislain will speak about this in more detail, I guess.  We think also there is no need to duplicate, but there is need to validate this work, make it relevant, and get it approved by more and more stakeholders. 

     So that would be our view on this Dynamic Coalition.  And I thank you for granting me the floor. Thanks, Wout.

     >> MODERATOR: Thank you very much, Jonas, for these kind words, and the high expectations also that come from it.  That is also what we surely seriously realized that we are embarking on an ambitious program.  So thank you for your words. 

     I would like to introduce Olaf Kolkman, who is principal at Internet Technology Policy and Advocacy at the Internet Society, also ISOC. 

     So please, Olaf, please step in and give your presentations and views on this Dynamic Coalition and the work we embark on.

     >> OLAF KOLKMAN: Thank you, Wout.  There are a lot of internet standards that improve the internet.  There is the security of the internet.  And because of the voluntary nature of the adoption of internet standards, some get deployed expediently, and some take a long time to find their way into the internet. 

     So some of these expedient -- examples of expedient deployment are ACME or systems behind Let's Encrypt which now secures millions of websites.  And the deployment of QUIC, a new transport protocol with new security baked in, so to speak, which was deployed over the internet in a very short time span.

     I have worked on standardization and deployment of DNS security, the improvement of routing security and lately the deployment of security of internet time services.

     And in the two decades that I have done that, it has been sort of a humbling experience.  What I would like to do is share a few thoughts. 

     And those thoughts are inspired by a 1962 book, "Diffusion of Innovations," which is a book by Everett Rogers.  And he thought about the deployment of innovations, whether those were television sets or detergents or whatever.  He was a marketing type of guy.

     I believe that the deployment of standards are the building blocks that -- essentially internet standards are very much like the deployment of innovations.  And so you can learn something from this '62 book.

     On the internet, deployment is decentralized and voluntary.  It's what Everett calls an optional innovation decision.  And for an innovation to be deployed, any decision maker -- and that could be the person who buys detergent or a washing machine or deploys software in a piece of network -- will go through five stages.

     First, the person needs to have knowledge of the innovation.  Knowledge about an innovation spreads in social networks with shared values, and it spreads best when the values are shared but there is sort of lack of awareness.

     So in order to create, you know, a drive for standards deployment, you could work on awareness building about certain building blocks or standards.

     And then that individual decision maker will need to be persuaded that the innovation is of use for that person.  And then there will be some sort of a decision, sometimes that is a decision that is made by the individual.  Sometimes that individual will have to include other people in the decision who then will need to go through the same process of knowledge and persuasion.  And then there is the implementation and then the confirmation that the innovation actually works, and you keep using it.

     Well, during that persuasion/decision phase, the deployer of the innovation has five factors that they take into account.  And this is still from Rogers. 

     First, it's the relative advantage.  Will I have some advantage from using this innovation?  Or with a lot of security standards, there is actually the case that there is no relative advantage whatsoever.  And Wout, you refer to that. 

     In the case of deploying for instance, genetically modified seeds, you have a higher yield and that gives you a relative advantage compared to the rest of the market.  In the case of security standards, you're fighting against a network effect.  You don't want to break the rest of the system so that imposes a cost when you have to fix problems that come from implementing the security innovation.

     And then there is a complexity simplicity argument.  Is this easy to do?  If it is easy, you know, people are more likely to do this.  This is one of the pieces of the Let's Encrypt standard, the ACME standard and the Let's Encrypt project.  They reduced the complexity of deploying security on websites gigantically.  And that made them a success. 

     And then there's compatibility.  Do I need to change a law to introduce the innovation?  Do I need to buy new gear or is it just a software install of something.  And then there's try-ability. 

     Can I try this without breaking my system?  Can I do this in my lab?  Can I easily do this in A/B testing in my production environment, those type of things.

     And then there is the observability of the deployed innovation.  And obviously security standards are often not observable.

     So I would say that in all of those five factors that go into the decision process, security has, you know, an issue against it.  And I'm mentioning this because I believe that the group should be somewhat aware about what it will try to do. 

     Where will you put your energy?  Will you put it into, you know, the knowledge sharing?  Will you change the decision-making process?  Will you, for instance, help with observability or try-ability of a certain standard? 

     Observability could be, for instance, something like the internet initiative where people can actually see that their innovation, that their security thing actually works.  Sometimes that is an element of getting further.

     Value creation.  Something that we are trying to do with MANRS is create a little bit of an extra value by people being able to demonstrate that they agree to -- and MANRS is the Mutually Agreed Norms and Routing Security which is a program in which ISPs sign up, take a few actions, and thereby demonstrate that they are a little bit more secure than others.  And we open hope that that will give them a competitive benefit.

     So think about what will be the effective strategies that fit the distributed nature of the internet where the mutual dependencies and the network effect is into play.  I actually after two decades of work on deploying security on the internet, I don't really have an answer.  And I am really looking forward to this DC to identify some elements of this answer.  And with that, over to you, Wout.

     >> MODERATOR: Thank you, Olaf.  Yes, we are feeling the weight of your words as we speak.  Thank you for this insight because it does exactly show what the challenges this DC faces are, and the very broad range of experts that will be needed to bring this forward.

     Having said that, I'm going to introduce the next speaker.  As already said, Rachel Azafrani of Microsoft is being held up in the air so she could not participate. 

     I'm going to Ghana to Raymond Onuoha who is an associate member of the Africa ISD Association and works for two universities in Africa.  So, Raymond, please join in and share your views on this Dynamic Coalition from an African perspective.

     >> RAYMOND ONUOHA: Thank you, Wout.  It's a privilege to share my thoughts at the launch of this Dynamic Coalition. 

     My name is Raymond Onuoha, I'm a tech policy fellow at the Lagos Business School here in Nigeria, and I focus on some of the institutional and policy challenges in the internet economy.  Of course, Africa working also with regional policy think tanks in the region, ICT Africa and also the African ICT Foundation conducting some research to facilitate evidence base to inform policy making in the application or adoption of these technologies across Africa. 

     With respect to internet security standards and safety, like Olaf had already highlighted, I will come to that level especially speaking to the operator paths.

     But overall the Internet Society has played a champion role, ironically, leading the drive with respect to the development of the standards across Africa.  Which is a bit different if you compare -- if you contrast that to other regions where the governments are taking some of the champion initiatives. 

     So the ISOC and the African Union Commission had around May 30, 2017, published some sort of guidelines with respect to infrastructure security for Africa where they noted that especially at the regional level the internet being designed as a collection of networks must therefore with regards to its security be carried out not in isolation but in the form of a shared responsibility.

     So it is a collective responsibility implementing some of these best practices for internet security even as it affects the African region.  And so that coalition that was formed initiated a multi-stakeholder condition structure with the Ability of Cybersecurity Collaboration And Coordination Committee, the ACS3C which at the continental level will help minimize the duplication of efforts in this regards and so thereby helping to facilitate coordination and information sharing amongst stakeholders. 

     Especially in key areas that affect the region where resources will actually be needed in order to bridge some of the gaps as well as advise policy makers within the African Union.  Original strategies for bridging these gaps, especially in critical areas which this particular area is a key capacity deficit area within the region that is lacking significantly across the region.  And is most related to the skills and educational working group of this particular Dynamic Coalition. 

     So at the launch of this coalition is very critical to invite some of these thoughts and thinking while we drive the initiative at this level in order to align with what is very much critical in need.

     (Break in audio)

     >> MODERATOR: Raymond, we seem to have lost you.

     >> RAYMOND ONUOHA: Without skills if, you don't understand the technology there are best practices and that is -- can you hear me?

     >> MARK CARVELL: We lost the last two minutes of you, so if you still remember what you said.

     >> RAYMOND ONUOHA: Oh, sorry.  So I was talking about the key deficit area with regards to internet security and standards as it relates to Africa, which is the capacity building that relates most to the skills and educational working group of this particular Dynamic Coalition.

     So like the first speaker has also mentioned, if you don't understand the vision you can't really adopt it.  And if you can't adopt, you can't develop any standards for application. 

     And so also beyond the regional and also at the national levels, it will be the imperative of national governments to facilitate information sharing and promote best practices because they are the key legislators within country.  So beyond guidelines, beyond norms, if you are talking about a possibility with respect to the internet infrastructure ecosystems in the region, then the national governments will have to champion the accountability as they are the ones that can actually pass laws on the internet infrastructure security and standards. 

     So it is important that these laws adhere to global agreed principles which includes responsibility, cooperation, multi-stakeholderism, and also the fundamental rights of people. 

     But a critical deficit with regards to at the national level for Africa is at the single instrument or regional wise on the Africa region, the convention has not had a lot of process with respect to the stratification.  So that will be a strong first step towards creating an African structure in which the internet ecosystem can develop. 

     And finally, at the operator level, just piggybacking on what Olaf had highlighted in his presentation in respect to the MANRS, which seems to be the most visible global initiative that defines the critical measures to meet network desired requirements with respect to routing, the minimum system security and all the related issues. 

     So these are some of the imperatives at the regional, national, and also the operator level that are very key.  Especially as it relates to Africa.  So we need to invite some of those players as we go forward, even as we carry out the advocacy work within this Dynamic Coalition so as African region will also be carried along, especially bridging the specific capacity building areas which is really lacking as it relates to cyber security.  So thank you, that will be my submission.

     >> MODERATOR: Thank you very much.  And I think you have shown some of the ideas that we could actually start striving for, but also the challenges that we will face.  And we will welcome you to join the work and perhaps bring in the experts that you know from the continent so that we can work on this topic.

     The final presentation as an introduction to this Dynamic Coalition is from Ghislain de Salins.  He is the Digital Security Policy at OECD, and he will tell something about his work that he is actually doing at this moment, research that he has done on the Internet of Things security. 

     So please, Ghislain, I give the floor to you.

     >> GHISLAIN DE SALINS:  Thank you, can you hear me?

     >> MODERATOR: We can hear you, thank you.

     >> GHISLAIN DE SALINS: Okay.  Good evening or good afternoon to all participants of the coalition.  Can you see my presentation as well?

     >> MODERATOR: We do, thank you.

     >> GHISLAIN DE SALINS: All right, that's great.  All right.  So thank you, Wout. 

     As he was saying, I'm Ghislain de Salins.  Today I will give you a brief introduction on the work we have been doing at OECD on the digital security of products.  And I will put the particular focus on the issue of ICT security by design as I understood it may be one of the areas of focus of interest for the Dynamic Coalition in the coming months.

     So first let me introduce the OECD very briefly.  We are an international organization, we focus on economic and social prosperity.  We are mostly an intergovernmental organization.  Our analytical work is done through the support and the input of delegates from our 37 member countries.  And our primary target audience is policy makers.

     We also are a multi-stakeholder.  Organizations, businesses, society, and the technical community participate in our work actively.  And in particular, they do within the OECD's working party on security in the digital economy, SDE, which carries out the work of the data security policy.

     So it was said before by previous speakers it is true that the digital security of products, and of IoT in particular, has become an area focus for policy makers stakeholders more broadly in the recent years.  I'm sure you are familiar with the work of the GCAC and with the Paris call for trust and security.

     There has also been interest by the G7 on the G20 in this topic.  And even more recently, there was a report a few months ago in the U.S. by the Cyberspace Commission which is attached to the U.S. Congress.  And they identified digital products as a key area.  And they also considered that the status quo was going to get -- and it was time to call for more practical developments by policy makers and stakeholders. 

     So as a result of this increased awareness of interest, we at OECD launched a work stream on the digital security of products.

     >> MARTEN PORTE: Could I quickly interrupt?  Sorry. 

     Is it correct that we are still on the first slide?  I believe it might not be showing correctly.  If you could maybe try one more time to see if we can get the presentation current.

     >> JONAS GRITZ-HOFFMANN: We see the editing mode.  If you click through the slides in the editing mode, that should work. 

     >> GHISLAIN DE SALINS: Is it there now?

     >> JONAS GRITZ-HOFFMANN: Now we see the screen that you see as a presenter.

     >> We can see it like this, it does work.

     >> GHISLAIN DE SALINS:   Sorry, I don't know how to change it.  Can you see it?

     >> MARTEN PORTE: Yes, we can see it.  You can go on like this.  Not perfect, but it is okay to read.

     >> GHISLAIN DE SALINS:  Which slide now?  Timeline?

     >> MARTEN PORTE: Yes.

     >> GHISLAIN DE SALINS: Are you seeing the timeline now?

     >> MARTEN PORTE: Yes.

     >> GHISLAIN DE SALINS: We launched a work stream and as you can see we are almost finished with the process. 

     We are finalizing two reports.  And they should be published in January, and I will make sure to disseminate them to the Dynamic Coalition as soon as they are available.

     If we look into the substance a little bit.  It is important to understand if you look at IoT security created by design is the prioritized topic and one of the most important area, but it is not the only aspect of IoT security.  It is only one aspect. 

     As you can see on the screen, it is by usually design guidelines and they are focused on the device itself and the role the manufacturer can play.  And then the design phase of the life cycle. 

     Actually, you may have data security gaps that emerge in any other areas that you can see on the screen.  In other parts of the ecosystem and other stages of the value chain.  We have seen recently, for instance, the impact of the vulnerabilities in the microprocessors that affected a lot of products. 

     And very importantly, you also have what we call latent vulnerabilities that are discovered once a product is already on the market.  And they can only be fixed by security updates.  So basically, they have nothing to do that much with security by design. 

     And so an IT product that would be secured by design would not be necessarily secured once and for all.  There is a need for a continuous maintenance of security throughout the life cycle of a product.

     Another very important gap is the end of -- what we call at the OECD the end of life gap.  It's the gap between the end of use and the end of life, which means the end of support, of commercial support by the IoT manufacturers. 

     It is -- it was already a very big gap in other products.  You may remember the attack in 2017 that targeted -- it was very efficient on Windows products that were out of life, end of life. And many experts consider that end of life will be even more issue with the IoT leading to what some have called the internet of forgotten things.  And it is a very big security issue.  So that was for the holistic perspective. 

     Now if we look at security by design itself.  As you can see, it is actually a multi-layered concept.  So most guidelines focus on the product features themselves.  So, for instance, IoT products should have stronger mechanism like password for instance.  One more the guidelines focus on the processes and policies that are put in place by the supply side actors. 

     So, for instance, that would mean that the IoT manufacturer should have the vulnerability policy and vulnerability handling process.  And another important aspect by design was the committed role of third-party evaluation.  In fact, many IT manufacturers claim that the product is secured by design, but the only way to evaluate that is through third-party evaluation.  And that includes certification and testing and other mechanism like audits.

     So just this slide was to show you that security by design is not so easy to grasp and expands many areas.  So that was for the theoretical aspect. 

     Now if we look a bit at the data we have and what can we learn about IoT security.  And the fact is, actually security by design guidelines for IoT are available but they are not widely used.  And there is strong evidence that IoT products are not designed with enough security. 

     You may remember in 2016 the Mirai malware that infected millions of IoT devices and they were then enrolled into a botnet and used to launch a mass of DDoS attacks.  In 2018, a study of the UK showed that 90% of the manufacturers lack or didn't have a vulnerability disclosure policy. 

     Now, why is this the situation?  What is that the situation?  Well, it was said before by previous speakers that, indeed, the most security standards in particular security by design guidelines are voluntary.

     And actually, there are many economic factors that prevent the supply side actors to adopt the guidelines.  These factors include misaligned market incentives.  If you are the manufacturer, you would often value time to market, cost-effectiveness, or usability of the product over digital security.

     There are also very significant information asymmetries.  Without labels, it is almost impossible for consumers to assess as a level of digital security of an IoT product, and they can't compare the products based on digital security either. 

     So even if the consumers value security, there is no way for them to really make an informed decision on the market.

     Another very important aspect is externalities. So if you take a DDoS attack, for instance.  The victims of a DDoS attack are not the owners or the manufacturers.  But the manufacturers and owners are the ones with the financial risk.  So basically there is absolutely no connection between the IoT value chain and victims of a DDoS attack. 

     And, of course, IoT products are used to create botnets to launch DDoS attacks.  And so basically that paves the way for more hazard and that means it is very hard to achieve an optimal level of digital security when you have these elements I just mentioned, externalities, misaligned market incentives, and information asymmetries. 

     There are the key challenge that need to be solved.  And the question is, how do we do it?  And so that is my last slide. 

     At the OECD, we designed a policy tool kit.  And as you can see, takes the form of a pyramid.  The idea here is that we need to go beyond the traditional dichotomy between the west side and the other side. 

     And as you can see actually, there are many, many policy tools that can be used to address this issue and to incentivize that option of security standards deadlines.  Of course, raising awareness and developing skills, I think everybody agree is very important. 

     But there are also increasingly an agreement by experts that it will not be enough.  Raising awareness will not be enough to fix the problem I just mentioned about the externalities and asymmetries, et cetera. 

     So there is a clear trend of moving up the ladder or moving up the pyramid and try new tools because the tools that are below are not effective enough basically.

     So just this year, there has been a lot of -- there has been a few standards developed on IoT security by ETSI in Europe and by NIST in the U.S. and the charter of trust that are developing standards.  

     Labels are also getting a lot of traction.  It has been labels that have been discussed and launched in Finland and Japan.  And there is discussion in Germany and the EU.

     And if all of them don't work or aren't effective enough, there is also the discussion of drafting regulations that would impose by law some -- that was imposed by law standard but the big question how to do that. 

     There is basically two approaches.  You can impose technical specification, but that carries risk of not being tech mutual and not being approved.  And the other way to do that is through what we call principle-based outcome through regulation like the GDPR.  That would be technology neutral, but the risk of that, it is sometimes difficult to implement, especially for SMEs. 

     And last, but not least, I think expose mechanisms are also very important.  They include insurance liability law, and those tools could be also very effective at mainstreaming security standards and incentivizing users to adopt them. 

     I will stop here, but I would be happy to answer any questions you have.  Thank you.

     >> MODERATOR: Thank you, Ghislain.  That was very insightful words on what we can expect when the report is presented.  And the question to you in the chat has been answered by you in the final words.  So thank you for that.

     It is time for me to hand over to my co-moderator, Mark Carvell, to introduce the presentations on the working group.  So Mark, the floor is yours. 

     >> MARK CARVELL: It's a key moment, I think, and we are hearing about how this Dynamic Coalition is going to make an impact in global and multi-stakeholder. 

     I was really struck by the alignment, for example, from Ghislain's presentation, the pyramid.  Alignment of a lot of the issues that came up in the pilot project, the IGF pilot that Wout led and how we are working through those issues.  And, indeed, I joined Wout on this initiative just before the Berlin IGF.

     And I helped to run the session in Berlin.  And I was really struck there about the multiplicity of interest.  And we had breakout groups and so on, and so a lot of thinking going on on how to take forward the recommendations from the pilot project. 

     And since Berlin we have been doing a lot of work behind the scenes.  We have spent a lot -- all on a voluntary basis but sharing a great commitment to take this forward and sustain the momentum and we have undertaken a lot of consultations.  Individual calls, group calls, virtual meetings with a range of stakeholders and government and private sector interest and so on to help define how do we take this initiative forward under the auspices of the IGF in a constructive and focused way that is going to lead to concrete outcomes that could be an exemplar of what the IGF plus when it starts to bed down can achieve in terms of impacts and engagement and recognition by UN Member States, governments of the value of these multi-stakeholder engagements in terms of cooperation and meaningful results and impacts.

     So we did a lot of calls and we -- and the pilot project report, as Wout recounted at the beginning, identified a lot of issues, a lot of areas of focus.  And, of course, we couldn't go into all of those straight off.  We had to sort of think about prioritizing.  

     We did a survey of the stakeholders that we had contacted that had expressed interest on what in the first phase, if you like, of the Dynamic Coalition the work should prioritize and set up in terms of working groups and so on.

     We have arrived as a result of the survey and wider consultations, we have arrived at establishing three working groups on three key issues. 

     Security by Design.  And within that, a lot of technology, a lot of innovation going on, a lot of impact on networks and different devices, technologies and what should it focus on.  And Internet of Things came forward as we are calling it a kind of subgroup as a first area for the working group on Security by Design to start with Internet of Things and devices. 

     The second working group on education and skills.  And a third one on procurement.  And initially we are thinking government procurement.  But the discussions we have had, as Wout hinted at at the beginning, we should look at the wider private sector supply chain issues. 

     And, in fact, the pilot project report did flag big corporate entities.  How can they be drivers of take up of standards and so on.  So it's procurement, supply chain management, and the business case, creating the business case.

     I liked Ghislain's phrase about misalignment of market incentives.  It's that kind of area.  So we've got these three working groups.

     The other issues we anticipate will probably surface as additional areas of activity or working groups maybe in the second phase. 

     Issues like consumer protection, global testing, and the role of government in addition to procurement.  Does regulation have a place here in terms of incentivizing deployment of standards? 

     And no doubt, the three working groups in the first phase will start to feed constructively into thinking about wider government involvement in the whole sphere of activity.

     So there are three working groups.  And we have got three speakers to speak on each of them for you today to give short presentations. 

     Firstly, working group one, Security by Design and the subgroup on Internet of Things.  I would like to hand over to Yurii Kargapolov who has kindly volunteered to speak about the aims and scope of this particular subgroup of the working group on Security by Design. 

     So, Yurii, if you are ready.  Yurii is with the Internet Society, Chair of the IoT Special Interest Group.  I hope I got your accreditation right, Yurii.  So Yurii, please, can I invite you now to speak on the security by design working group.  Thank you.

     >> YURII KARGAPOLOV: Thanks, Mark.  I'm Yurii Kargapolov.  And I'm the head of -- Chair of ISOC, special interest group with many years of experience on my other positions in the development of DNS, identity management, IoT, mobile novel portability systems with various functionality as well as internet governance and special topic, trends building are in the sphere of my interests. 

     Let me introduce the introduction the DC1 and DCI leader number one on Security by Design, the subgroup of Internet of Things.

     So stakeholder expert who contributed to the work of the IGF pilot project on the deployment of internet standards recognized the importance of Security by Design is an important way forward to make services software and products more security in compliance with the relevant standards.

     ICT is everywhere around us.  And more and more devices connect automatically to internet.  To form home, as they call it, let the security that those devices and services contain, and we let our security over individual users and the society as a whole. 

     The experts supporting this new recommendation believe that the level of our security, what is it currently, causes serious concern.  These issues, our Security by Design goes way beyond the Internet of Things, of course.

     I want to stress now the four points.  The first is the need for secured website built according to the top 10 best practices of Open Web Application Security Project.  So-called OWASP. 

     The second is more secure and build according to safer software principles.  The hosting of our data becomes more secure then described in ISA-26001.  And the trustworthiness of our years of platforms depends on the level of security, softwares and et cetera.  It is impossible to tackle the best issues at the same time.

     The stakeholders who have recently consulted and who have volunteered to become members of this, our Dynamic Coalition working group on Security by Design had designed it as a first step to form a subgroup of IoT.  And they are anxious to avoid the duplication of work on IoT standards and policies being carried out elsewhere.  We agreed with the aim of adding value to other current initiatives and processes.

     The first is the guidelines.  And the guidelines, we have compilation of the current guidelines by the Dynamic Coalition ISSS best practice.  Creation of the best practice or work closely with existing.  And the second is solution to barriers.

     Identification of current barriers to deployment.  Creation of solution and implementation of action.  And identification of ways to provide solution.

     The thought is the considerations.  Barriers created by national registration and degradation.  Consumer control or connectivity options.  Promotion through alignment of legislative proposals.

     And fourth is specific IoT issues.  Definition of attack vectors and threats for IoT and creation of best practice for legacy IoT devices. 

     When I mentioned, I mean the sequence of actions may be persistent sequence of actions which using vulnerability detection tools aimed at gaining unauthorized entry and unauthorized access right to digital entities at any point of detected information system. 

     And, of course, I mean the existing blocks in the design of digital entities.  Also discussed the potential end goals and agreed the first sign of success will be participation and diversity.  Adoption by users in economic sectors, for example, gas and electricity and tech sector will therefore be important.

     It will be important to consider the potential roles and other stakeholders such as consumer and trade organizations and organization bodies, et cetera who may not be involved in the internet on the regular basis today.

     The working group may wish to invite them to join in some groups.  It is possible disclosure of vulnerabilities in IoT was identified as an important early issue for consideration by the IoT subgroup. 

     Recommendation by the DC-ISSS that propose options and solutions for possible disclosure of legally dictated.  Working group one held its first virtual meeting shortly after the IGF when the decision will be taken on the plan and timeline and its leadership will be confirmed. 

     The details will be posted on the DC-ISSS e-mail listing.  And, of course, you are invited to join this important work.  That's all.

     >> MARK CARVELL: Thank you very much, Yurii, for running through the objectives and direction of the working group on Security by Design and particularly the subgroup on IoT and the kind of outcomes and so on.  And so everybody has got something to mark in their calendar in terms of joining the working group.  So thanks very much.

     I was going to invite any questions for clarification after each presentation.  I don't see anything in --

     >> MARTEN PORTE: We have one from Jonas on whether working group one will focus on IoT or broader digital security policies.

     >> WOUT DE NATRIS: I was already typing an answer so I will just clarify this way. 

     Subgroup one, Jonas and others will focus on IoT.  And in the future, we foresee that perhaps other subgroups will come in focusing, for example, on security of platforms and security of data or security of websites.

     But that is something for the future.  Where we discuss responsible disclosure, that is one of the six topics that we have identified that could help with the finding solutions for the overall problem of deploying internet standards and ICT best practices. 

     So if that topic comes forward, then perhaps we will start that as working group number four.  And then it will be broader than just IoT.  But within IoT, responsible disclosure was identified as an important topic to address in at first in the subgroup.  So I hope that that clarifies your question.  Thank you.

     >> MARK CARVELL: Okay.  Wout, thank you very much.  Let's move on to working group number two, which is education and skills.

     And I would like to introduce Janice Richardson, who is a digital literacy expert involved in designing tool kits for children and so on. 

     Have a look at the -- she is with the European initiative called Insight.  Have a look at their website. 

     It's mainly Europe, is that right?  And Janice joins us actually from France.  So I turn now to Janice to explain further the objectives and focus of the educational skills working group number two.  Thank you, Janice.

     >> JANICE RICHARDSON: Thank you.  So good morning, everyone.  Well, this is the introduction of the DC-ISSS working group number two, as you've just heard, on education and skills. 

     I'm -- my background is actually in education, technology, and law.  And I have been a long-term university professor or lecturer in these areas. 

     The report of the IGF pilot setting the standards for a more secure and trustworthy internet recommended the inclusion of internet security in education and skill programs as one of the long-term solutions for promoting the deployment of internet standards and ICT best practices. 

     Participants in the project reported that graduate students of courses relating to information and communications technology had not covered online security.  Internet --

     (Microphone muted)

     >> MARTEN PORTE: Janice, you are muted.  We just lost the last 20 seconds, I believe.

     >> JANICE RICHARDSON: It was recommended therefore that the current ICT educational curriculum at the vocational, polytechnic, and university level needed to change in order to meet the requirements of industry and society as a whole as digital technologies increasingly transform many aspects of daily life. 

     For example, multimedia courses and training programs shouldn't only include how to build websites but also how to build a website that is inherently secure.

     At universities, when students take a course on how to execute complex programming projects, security should be an integral part of the course.

     This working group will address this issue with the aim of reviewing current practice in education and training and identifying best practices as a way forward for possible wider policy recommendations that the IGF can promote. 

     The members of working group two, education and skills have identified the two following issues as priorities for the first phase of the work program.  One, a diverse range of programs exists worldwide in the field of ICT education, skills and careers.  Including government initiatives, private sector programs, and government-led programs involving ICT companies. 

     And two, curricula are often set by the individual school or university and this makes it difficult for them to change in a coordinated approach.  While it is also important to allow for national and regional differences.

     The security of online education platforms has been agreed to be an important issue for educational establishments to understand and make provisions for and this became very apparent during the recent COVID crisis.

     This will be considered as potentially an issue for working group one, Security by Design by subgroup on platforms.

     The goals of WG2 include identifying and reviewing current practice.  Defining what is best practice.  Creating an observatory of global best practices and/or cooperation with existing policy observatories and repositories on digital best practice.

     Examining whether educational curricula should include greater coverage of internet security, safety, governance and architecture depending on the educational or training level.  Bringing together experts with the aim of establishing collaboration. Agreement on how to disseminate and promote the outcomes of the working group, taking into account national and regional differences. 

     Wider adoption for the best practices for developing internet security and skills through their inclusion in national ICT educational programs and provision of guidance for vocational training programs to include internet standards and ICT best practices.

     It was agreed in our stakeholder consultations held prior to the IGF that this working group should focus not only on the wider public -- should not focus on wider public awareness raising for which many diverse programs already exist. 

     The working group will consider its work successful if global best practices have been collated and the main outcomes and key messages of the working group have been communicated to relevant organizations.  Ministries of education, universities, and schools through national programs. 

     In addition, it has been suggested that this working group should be represented at events where ICT education issues are discussed and that might convene its own session or workshop at a future IGF.

     Thank you.  And please don't hesitate with your questions or clarifications.

     >> MARK CARVELL: Thank you, Janice.  And if anybody has got any quick points of clarification, I will just check.  I'm not very good at multitasking on the screen here.  But do we have anything?  I'm sure these issues will crop up in the main discussion that is going to involve everybody that is coming up shortly.

     Okay.  If there aren't any quick points of clarification, let's move on then to the third working group it has been decided to establish on procurement and supply chain management and the business case.

     And for this working group, we are very privileged to have joining us from Mexico, Professor Alejandro Pisanty who is at UNAM in Mexico City. 

     So over to you, Alejandro, to talk through the aims and projected outcomes of this working group over the next year or so.  Thank you.  Alejandro.

     >> ALEJANDRO PISANTY: Thank you.  I am Alejandro Pisanty, Professor at the National University of Mexico. 

     I would like to start the presentation by saying that standards are marvelous, there's so many of them.  A country like mine, which has a very strong internet from the United States industry as well as now imports and factories of Japanese and European automobiles, of course, leads to the situation presented in this cartoon which says there are 14 competing standards so we develop one global standard that, of course, everyone else's use cases and we have 15 competing standards. 

     And naturally this cartoon has been further developed where now you have one standard and 15 competing certifications and so forth.  This is one thing we surely suffer.

     And another thing that motivated me to come into this is things like this tool kit.  When you try to buy a tool kit for a workshop or for your car in Mexico, you make sure that you have both millimeter and imperial measures.  You don't know if you are going to need a 5/16 or an 8-millimeter. 

     You normally will have a Japanese car with millimeter screws over and then the wheels will have an English measure, so you need something in inches.  So that motivates me to move into the standards and also to be skeptical when you talk about them.

     What we have here is also another set of tools.  And great interest in the last weeks.  And then to find it a great honor being in the company of old friends like Wout de Natris, Mark Carvell, and the leaders in ISOC. 

     I have been involved in the global partnership for artificial intelligence, which is a multi- effort delegated by my government in the economic sector.  And what we find there is that people are trying to establish norms and ethical norms and standards for the ethical use of artificial intelligence to achieve goals like avoiding bias that comes from the algorithm itself, the bias from the data and so forth. 

     The concern there will lead to what I have written up is how to make sure these things are actually implemented.  You have all these rules, and no one is reading them when they are writing software for your data purchasing systems and putting them into operation. 

     It is as good as useless that you have these beautiful standards like you have when you have the mission statement for the company based on the laws that says excel in our markets with integrity and you have a corrupt salesman trying to bribe someone.  I mean it is useless there.

     So the point of our working group is to look at the procurement and supply chain management aspects of establishing and acceptance of standards and compliance.  This working group three was -- I'm very grateful to have been part of it. 

     One of the major conclusions in the report on the pilot project of the standards is that the business case for the development of security-related standards is largely absent.  In my understanding also, security-related standards are not only directly designated for security but things that increase the security may also be just pure standards compliance, so people know what is going on, like the technical standards. 

     So the report also considered how government procurement of information and communication technologies devices and services can be a driver for deploying these standards.  This is because governments can play a decisive role not only as legislators but also as a very large customer.  The government becomes normative in a market when this is a very large customer and very strict rules, and maybe it also puts rules on the suppliers on the things they purchase and install. 

     And so we have examples like the apply or explain procurement advice in the Dutch formalization.  In effect, public sector administrations with purchasing power, access to capital in the markets, or more secure device and networks and digital services generally and these can have a ripple effect in the market. 

     The pilot project suggests that the driver of standard deployment also applies at the large corporate level.  Large corporations think of, for example, ISPs and network operators for ICTs, think cloud suppliers and people who are providing services on top of that like video streaming or e-government services.  They can also help by this ripple effect of, in fact, making it harder for suppliers to be selling non-compliant equipment because there is less of a market for it.  And this creates a competitive edge as well for the adopters of the more security enhancing standards.

     Stakeholders who expressed interest in contributing to the work of this Dynamic Coalition makes for the discussion a few months ago, a few days ago, they expressed support for this in particular for this working group program, the purchasing and procurement and supply chain management business case. 

     For also including this wider private sector supply chain management issue.  This is a very important issue in some countries which are acquiring lots of mission or security or national security critical equipment or software or services and they are very concerned that there are leaks or gaps in the supply chain.

     What we envision as initial goals will evolve as we start working and increase our membership.  The principle of the work are envisioned to be guidelines. 

     One would be a set of comprehensive practical guidance issues on incorporating relevant and optimal security standards with clear expositions in what is required in terms of security and examples of standards to be referenced in this guidance.

     And there will be a compilation of best practice guidelines supported by a set of recommendations that will enable purchasers to make better decisions.  We also wish to promote a framework approach.

     It is not only a compilation and it is detailed rules, but more fine works that allow for people to establish more detailed guidelines within national environments or large corporate environments that are still meaningful for interaction with others, this interoperability, for example.

     The idea here being is to reduce the major practice that where you have to buy two sets of screw drivers or wrenches in each country because you may have two measures of nuts and bolts and you never know which you have. 

     Much worse in the ICT case.  The need to address knowledge gaps and inconsistencies in procurement practice at the international level was also discussed and we discussed that the industry is highly influential particularly in developing countries. 

     And, on the other hand, if you don't have a national standard, countries will refuse to adopt it as a mandatory or strongly guideline for purchasing because it will be dependent on a foreign vendor that is not stable, that is not under control of the standard.

     We have to get together with the outreach group to make sure that people are understanding at the most basic level as well as at the detailed standards level. 

     And it will be very important to keep in mind, the uppermost in mind the interests and needs of end users.  How all of the supply chain and procurement which goes on behind the scenes, which takes place in government or large corporations impacts the final user, the individual user.  And also here considering the fact as mentioned that purchasing at the individual level sometimes is completely ignorant of standards and completely oblivious or at least agnostic about standards. 

     As was mentioned, the IoT case, for example, the surveillance cameras, the facility surveillance cameras which are highly insecure, and you don't even know that they could be insecure.  And they come from under the radar of authorities by imported informally through e-commerce. 

     Also suggested, and this will be considered and this is also in the process being looked at, whether the liabilities can help enforce the adoption of standards, whether someone in government is purchasing something that is not compliant with a known standard and therefore weakens the security and doesn't strengthen security as well as it could, then it is called neglect and it's called liabilities by public officials in many countries and subsequently prosecuted. 

     And in the case of a product company, it can lead to civil liabilities or commercial liabilities in the sense that they are causing damage by not preventing it enough.  And the fear of a loss of both as well increase compliance. 

     There will be here some more extensive work proposed based on the work that has been done on privacy how Germany and the US have similar standards of privacies by having completely different approaches.  And because in both cases there is a board liability concern. 

     In one case because of the law in Germany.  And another case in the U.S. because of exposure of a data breach, for example, can bring down the share value of a company.  So these approaches will be considered in our Dynamic Coalition.

     It is therefore underlining the need for all types of stakeholders to come together, and I'm calling you all to help us achieve these calls to help us be able to diffuse the work and disseminate the need for standards and compliance and for realistic standards.

     Spread the word.  They will be endowed with documents and with practices that will help them intervene and shape policies in their countries.  And, of course, to businesses which are either in the selling or the purchasing side to help shape the work coming forward. 

     The first meeting of this working group three on purchasing and supply chain will be on November 27, and we will have announcements for that.  I hope you all are able to come together here.  Thank you very much.

     >> MARK CARVELL: Thank you for --

     >> ALEJANDRO PISANTY: And thank you for supplying the well-shaped document, whatever was in it was my reading and not your writing.

     >> MARK CARVELL: Okay.  Well, you embellished the presentation with the amazing illustrations of a huge heavy tool kit.  I can't imagine doing DIY with that.  Anyway, thanks very much, that was great. 

     And we are getting -- we are starting to run out of time, so I think we better hand straight over to Wout to moderate some open discussion with all of the participants who are with us today. 

     So, Wout, I will hand it over to you now.

     >> MODERATOR: Yes.  Thank you, Mark.  And we are running out of time, there are only eight minutes left. 

     As I had feared up front, we had enough to hold three sessions on all three topics and probably would have filled one and a half hours easily.  And there were some questions in the Q&A which have been answered.  And there are also some comments in the chat. 

     Marten, have you identified that we have time for only one if there is really something sticking out that needs to be discussed.  Otherwise, I suggest that I move into the closing remarks because we are getting very close to our time limit.

     >> MARTEN PORTE: As far as I know, there have not been questions that have not been answered or any comments that would -- now there is one question in the Q&A.  I believe.  Oh, you already answered that.

     >> ALEJANDRO PISANTY: And also expressed interest in the working group, and I'm sending her my e-mail to bring her in.  You are very welcome, Lori.

     >> MARTEN PORTE: Great to hear.  Wout, we cannot hear you.

     >> MODERATOR: Thank you, Marten.  I was on mute. 

     Lori and all others, if you go to the IGF website for the Dynamic Coalition on Internet Standards, Security & Safety, you can see that you can register for an e-mail address.  And that way you are formally a member or even informally if you just want to observe, a member of the DC.  And that way you can start participating in the working groups so please go there.

     There is a little overview in the chat when the first meetings are going to be convened that will decide on the way forward.

     I will move into the final section and what is called the closing remarks.  Having heard all the comments, you may ask yourself, how does this important multi-stakeholder initiative continue? 

     As already pointed to, the IGF website there is an indication of the program, of a timeline.  So it's a two, perhaps three-year program leading towards policy recommendations and guidelines with the inclusion of internet security in educational curricula and developing training programs. 

     And the possible establishment of an observatory or repository of best practices relating to Security by Design and procurement and supply chain management security. 

     The next stage is the three meetings.  This is an invitation to you to join.  Because without your expertise, without your knowledge, and without perhaps even the liaison function to introduce us to the right people or perhaps that you are able to introduce us to pivotal people who can make decisions on the way forward or introduce people that have that position is extremely important. 

     So not only the content is important, but also the building of the network is going to be extremely important to have a chance of success.

     This DC is also in search of a volunteer to chair the working groups.  And that is something which will be decided on the working groups.  But if you have interest to become a chair of one of the working groups, please identify yourself in the working groups so that can be discussed.

     To provide the support of the complex issue like faster deployment of internet standards and ICT best practices, this deserves funding.  It is necessary.  It will ensure the smooth continuation of the Dynamic Coalition and the working groups.  And we do not ask this lightly.  But what makes it so important?

     What we foresee is that there is going to be some sort of a secretariat function that will provide the support to the working groups and the experts.  And provide that secretariat and make sure that the smooth continuation is guaranteed. 

     To do research, analysis to help write or co-write proposals.  To build and expand the network which is not going to be something to do easily.  To liaise and coordinate within and beyond the DC.  To organize meetings, presentations, sessions.  To give presentations outside of the DC and make sure that people can give those presentations. 

     To organize training sessions or assist and what else is needed to make this a successful Dynamic Coalition.  We ask some of you present here to consider funding the DC-ISSS to ensure that the first step toward reaching the end goals can be made and work starts happening pretty soon. 

     So let me take one step back and reflect with you where we are now, how did we get here?

     It is only in last March that the IGF pilot project produced a report that provided the conclusions and recommendations that we are discussing today.  And since then, we have taken further major strides forward in this issue.

     Once more showing that working under the aegis of the IGF can actually successfully aim for.  We are now at the point where the work program has been established and a diverse range of stakeholders is actively engaging in the three working groups that have been presented on. 

     And that is a broad section of the internet community.  We have big tech on board.  We have academia on board.  We have Civil Society on board.  We have Governance on board.  We have regulators on board.  We have the technical community on board. 

     So in other words, maybe -- and maybe I'm forgetting a few, and I apologize -- but we can see that the interest of -- on this topic is wide and is going to bring in the right sort of knowledge and expertise that we need. 

     So what do we aim for next?  And what do we need to aim for?  The ball lies in the penalty spots, to talk to the soccer analogy.  And the rest of the world sometimes calls football.  But the ball now is in front of us.  And will you help us kick the ball into the net because that is what we need to do.  Please reach out to us to discuss these funding options because we have the ability and the possibility to actually aim for these goals. 

     We are at the end of the session, and that leads me to thank those participating actively and asking questions and making comments in the workshop. 

     First, I would like to thank you, the presenters, setting the stage and the three volunteers from the DC-ISSS working groups to present on where we are and what the challenges we face are.

     And thanks to the Swiss Federal Ministry of Foreign Affairs for their support in making the inaugural session and workshop earlier this week of the Dynamic Coalition possible.  Thank you very much.

     A big thank you also goes out to the participants in the preparatory workshops who made it possible to present the initial proposals we presented on today.  Without you, we would have only had a concept and now we have content with the Dynamic Coalition. 

     We wish you a good virtual IGF and I hope to meet on this Dynamic Coalition and on all of the topics next year in Katowice because I sincerely hope that we will be able to convene next year and I hope to meet you again and in the DC-ISSS and work with you on these topics to bring the goal of deployment closer than where we are today because the internet really needs to become more secure.

     So with that, I end the session.  And I wish you all good health and hopefully see you soon.  Bye-bye.