IGF 2020 - Day 9 - WS176 Assurance and transparency in ICT supply chain security

The following are the outputs of the real-time captioning taken during the virtual Fifteenth Annual Meeting of the Internet Governance Forum (IGF), from 2 to 17 November 2020. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record. 




>> ANDREAS KUEHN: We have not started yet, but I would like our participants to briefly write in the chat, what organizations they are from and where they are based so we can get a bit of an idea of who is currently here and, you know, where they are based if you wouldn't mind doing that in the chat function.

Do you actually see the chat function when I'm in presentation mode ‑‑ oh, now I see.  All right.  Chris Blask from Unisys.  Nice to have you here.  Who else is here?

All right.  We have United Nations are here.

Wooyoung, where are you based?

Katherine, welcome, from Washington, D.C., CISA.

Would you mind promoting the other five attendees to panelist mode?  Thank you.

We have Len from the State Department, based in Austin, Texas.

So I think we have a very exciting workshop ahead of us.  I know we have just 90 minutes and we have already discussed with our panelists and co‑organizers how we get this all done.  I want to start on time.  It's one minute after official starting time.  So I want to do that.

First of all, I want to welcome everyone here.  I hope you already had a wonderful experience with the first virtual IGF so far.  Work to this workshop on assurance and transparency in ICT supply chain security.  It's always exciting to be here and, you know, have this exchange about a very critical topic.

My name is Andreas Kuehn, I'm a senior programmer with the EastWest Institute.  And I'm one of the organizers and will serve as the moderator for this workshop.

The next few minutes, I want to give a brief overview about the workshop itself, some logistics that we need to take care of, but before I do that, I want to quickly introduce all of our excellent panelists that we have.  Starting in the east, we have Dr. Amirrudin joining us, he's the director of cybersecurity Asia.

And we have Dr. Katherine Getao, she's the head of Ministry of Information in Kenya.


>> ANDREAS KUEHN: That was a mistake.  I think there were some others who were supposed to come first.  Salah Baina from Morocco.  Welcome.

And then we go further up to Moscow, Anastasiya Kazakova from Kaspersky.

>> ANASTASIYA KAZAKOVA: Hello, everyone.  Excited to be here.

>> ANDREAS KUEHN:  And as we continue to go west, Philipp Amann from CyberPol.  How is the weather in the Hague?

>> PHILIPP AMANN: It's not raining.  Beautiful as always.

>> ANDREAS KUEHN: As we go further, we have Arnaud Dechoux joining us from Paris, and he will help me with the online moderation.  Thank you so much for being here.

>> ANDREAS KUEHN: And then San Francisco, where I'm based.  It's shortly after 1:00 in the morning.  I hope you bear with me with the moderation.  We'll do our best to cover all of those different time zones.

We'll get the panelists more time to introduce themselves.  I want to briefly quickly run through the agenda.  We have a short introduction what I'm doing here.  I will follow up with short framing remarks as the moderator laying out the goals and the overall arc of the workshop and why we thought this was an important topic to address and we have about 25 minutes for opening statements provided by the panelists.  They bring in their expertise and talk about the issues that we thought are of most important of concerns.  And then we open up for about 45 minutes a discussion.  That is the key part of the workshop to really have this exchange that we want to foster here.

Brief closing remarks from the panelists and I will wrap up the workshop and give a little outlook of what comes after that.

Before I go to the framing remarks, some very brief logistics.  As you all know, this is being recorded and streamed on YouTube.  Links are here if you would like to use captions.  That's also available.

Quick thoughts, quick guidance on questions.  Please use the Q&A feature in Zoom to submit your questions and please do so throughout the workshop.  Not only the discussion itself, and when you have something that you would like to contribute, add it there and we will try to get to that.

If you are on YouTube, use ‑‑ you can use Twitter #IGF 176 which is the number of the workshop to submit questions to us.  You also have the option to raise your hands if you would like to make a verbal intervention, ask questions or provide some comments.  Please raise your hands and we will give you ‑‑ we will give you the microphone to speak.

Should you at any time fall out of the Internet and ‑‑ or disconnected, there's the ID number of the Zoom call, and you also find the link for international numbers of the ‑‑ on the IGF website.

So I think that brings me to my opening remarks ‑‑ or my framing remarks and how we get to this workshop in the first place.  Let me quickly set myself here.

Security and global supply chain is critical to ensuring trust in ICT and future of digital society.  Today's ICT products and services and the Internet itself are comprised of a multitude of hardware, software components.  Organizations including operators of infrastructure and firms rely heavily in large numbers of third‑party vendors provide their operations with each of them having some degree of connectivity, each adding difficult to manage third‑party risk.

At the same time, sophisticated cyber tasks have excessive agency in terms of managing the third‑party risk even further.  I think while we have seen global ICT firms have invested heavily in mitigating third‑party risks, governments, particularly those in the global south and small and medium‑sized businesses often lack the capacity and the resources to manage ICT supply chain risk effectively.

To address supply chain‑related security concerns, and the international security concerns, some governments have enacted strict measures.  This reflects in some ways in many cases, also geopolitical struggles that we are finding ourselves in and in some cases, ill‑guided attempts, over the Internet which may further the fragmentation of the Internet, and the technological and economic universe.

So how do I come here to this particular topic?  As I said earlier, with the EastWest Institute, and in 2016, we unleashed a report.  I hear some background noise.  I hear ‑‑ I don't know where it's coming from, but it would be good if we can mute our microphones while ‑‑ while ‑‑ at the time that you are not speaking.  Thank you.

As I said, in 2016, we released a report on supply chain security, and the importance of creating a level playing field based in objective and transparency security requirements based on internationally recognized standards and best practices and I will later share the link to the report in the chat.

But back then, this was mostly a technical discussion about, you know, technical discussions among technical people, also back then, the NIST cybersecurity framework did not explicitly address supply chain.

Fast forward to 2020, there's more focus on supply chain security, and tech nationalism tendency as the report describes.  As we all have become more aware on the dependence of suppliers for critical ICTs.

And in the report itself, I think we try to address this kind of like struggle between national security versus economic interest as sometimes those restrictive measures can have unintended consequences, while government measures try to attend legitimate national security concerns, there might be negative consequences for innovation, competition and global trade and support.

So let me take this from here.  I think the point here was really to describe how the thinking around supply chain security has shifted.  And I want to go ahead and address two particular issues that come up, excuse me.

One more back.

They come up in the report, and one of them is trust and trustworthiness.

Underlying many of those issues you are trying to address in supply chain security is about trust.  The question here is often how can we come up with assurances that are trusted?  And so in the report, we kind of outline a set of measures and make the argument that in order to ‑‑ to get to a level of confidence and acceptable level of risk, a buyer has to make the calculations about how much risk a buyer can take on, and what kind of measures are sufficient to address those risks.

The idea is that we take a combination of measures to then minimize this trust gap and also find a level of acceptable risk, including an acceptable ‑‑ to the agree those residual risks be acceptable.  Some of them are technical measures, some are organizational measures and also regulatory measures are part of that calculus to address those ‑‑ those trust issues.

On the next slide, I want to ‑‑ I want to show you what we refer to as the security and trustworthiness framework and basically it outlines three main components.  First on the left side, we are describing what kind of, like, components or measures are in place that individual ICT buyers can do as part of their procurement requirements.  This includes vendors to follow international standards for security development and to ensure that services and software are delivered in a good configuration.

In the middle part, this is the industry level and the second and the third component and the vendors and what can buyers do and collectively to address some of those issues.  An example here is coming up with software bill of materials for entire industry.  And having security vulnerability remediation and so forth.

On the right side of this, we talk about ecosystem measures that can be put in place, those include regional transparency centers or global conformance programs such as efforts that are currently underway in the European Union.

What I wanted to do next is also to provide a brief overview on what is going to be happening in the United States with regards to supply chain security.  But I will save that and maybe bring this back later into our conversation during the discussion to save a little bit of time here.

For today's workshop, we will hear about current developments and discuss approaches to strengthen risk mitigation trust in supply chain, along three key dimensions, which are first, assessing ICT supply chain risks and the threat landscape; second, building confidence in ICT supply chains through assurance and transparency measures; and third, closing the ICT supply chain security supply chain and capacity gap.

In summary, risk and threat on one level, measures that can address some assurance and transparency measure that can address some of those issues that we find when it comes to supply chain security and third, what are kind of like the competencies and capacities that need to be built up in order to do that.

And managing ICT supply chain security effectively requires close cooperation between government and corporate and civil society stakeholders to address their interests and concerns as buyers, users and service operators along the three dimensions of the technical, operational and normative level.

This concludes my initiative framing remarks.  I hope this was useful to set up the conversation for our panelists and give some more background, but before we go into that, we have a little refresher here.  Arnaud, will you please start the Kahoot! game that will allow us to kind of like talk about some of those issues in a more playful way.

>> ARNAUD DECHOUX: So you should see my screen now.  Can you see it?

>> ANDREAS KUEHN: Yes, we see the screen.

>> ARNAUD DECHOUX: So maybe, Andreas, I let you comment.  So everyone, please go to kahoot.it and use the six figure pin code that you see on the screen.  Thank you very much.

We will wait a few seconds so everyone can join.

>> ANDREAS KUEHN: Thank you.

>> ANASTASIYA KAZAKOVA: I like we have Griffindor in the game.

>> ANDREAS KUEHN: Can you say that again, Anastasiya.

>> ANASTASIYA KAZAKOVA: Yes, someone came up with a very nice nickname, Griffindor for the game.


>> ANDREAS KUEHN: All right.  So we have 19 people in the game.  20.  The count is going up.

All right.  Do you want to get started?

>> ANDREAS KUEHN: The question is:  Which supply chain attack/operations do not exist?

I think now you just go ahead and choose the answer that is provided on your screen.

So the correct answer was Wannascreen.

Can you advance, Arnaud?  Thank you.

Next question, which method is not used to infect ICT supply chain?

Please choose your answer.

You see on the left side, the counter shows you how much time is left.

I only see colors.  So I cannot play.  The idea is that the colors respond to the questions and so I think you can just choose that particular color.

Hopefully that helps.

Next one, please.

Griffindor is in the lead.  Excellent!

Next, what are the most attractive targets for supply chain attacks?

And the answer was, your grandparents.

Okay.  So let's see what the final results are here.  Who the winners are.  Slythrin, Salah, congratulations.  And number one is... Griffindor.  Yay!  Congratulations!

All right.

Runners up are Katie and myself.  And maybe I should not have played, you know.

So thank you so much.  I hope this was a good introduction to the supply chain issues.  Now, the exciting part is to hear from our esteemed panelists.  I want to head over.  Anastasiya, you are first.  Again, I ask all of you to stick to the five minutes.  After about four minutes, I will start waving my hands and I would like to ask you to kindly wrap up in order to make sure we are on time.  Anastasiya.

>> ANASTASIYA KAZAKOVA: Thank you very much.  I love the game.  I'm sharing my screen.  Please let me know if you see that and all is good?

So before starting, I would like to ‑‑ my role, I was told my role today is briefly to give the perspective from the private sector company and the security research company and I would like to throw the supply chain attacks back door into your network.

So before going further, I would like to briefly illustrate and actually with a visualized as well the threat model and the possible threat model of a supply chain attack.  It's important to know that the brands listed here, only for illustrative purposes.  This should definitely not be understood as an indication of how secure or not secure particular software is.

So in an appropriate system network, we have the green zone, which represents the traditional IT infrastructure.  It's usually well secured as a corporate network.  Then we have the yellow zone, which also could be called a bring your own device zone.  When employees of the company use mobile phones, laptops, and they all also are in the company's asset.  And there's some extent of control possible for the company.

And the next layer red zone, it represents external services, such as email, storage, service, and it's located outside of the company's assets only.  The company can no longer safeguard the data and if the third‑party service is compromised, let's say your cloud provider could have ‑‑ something happens with the software, then there are red business impacts to your business.

And finally, the blue zone represents services which are based on resources and usually do not belong to the company.  So they have occasional contacts with the company's IT infrastructure.  If something goes wrong, at this point the company's assets do get compromised as well.

Another visualization of how possibly a home infrastructure could look like.  It has several layers.  For example, I have ‑‑ I have a desktop computer, and Intel is designed in the US and in Malaysia.  The motherboard is from Taiwan, et cetera.  The additional layer, that could be produced in the US, designed in the US, but have some components from different parts of the world.

And the hardware infrastructure.

So the key idea is that the more the software consists of multiple components which produced in many jurisdictions and many countries and each particular software has different components inside, and it also could be produced by other components.

There's also a myth of a national software.  For each component, I call it myth, because for each component, again we would have to ask the following questions:  Where was it designed?  Who has the access to the manufacturing and the development?  Where was it built?  Who wrote the software?  Who has access to the source code?  And many, many other questions.

So there's a part of us that we cannot trust anyone, but we must trust everyone.  I think this is particularly the same idea as we see in the physical world, not only in the cyberspace.  There will always be some sort of cybersecurity risk, or physical risk, and we are speaking about the physical sphere.

But the key is to build and find the solution to that risk is that we must trust for that.

So what is a possible supply chain attack?  Again, a very brief illustration of the ‑‑ of the supply chain attack.  It's usually called supply chain attack because there's a violation of the trust somewhere in the chain.  The most widespread scenario can be against the company who develops software made of several components that there are these components, digitally signed and everything is good.  But when there is a wholesale actor that interferes with the development process and adds some modifications to the software, and still is signed by the valid digital signature, then the software goes directly to users and infects them.

So this is the ‑‑ I would say the most widespread scenario for the supply chain attack.

There are possible ways how to infect supply chains.  There are these ways, software implants.  When a threat actor uses malware with persistent presence.  And firmware.  Foot firmware is often the target.  And hardware implant.  Implanting keyloggers in USB drives, inserting chips and microphones into the hardware.

So it is believed that all of the three possible ways could be the kill chain for the attacks.  Usually those three particular processes are the most vulnerable parts for the supply chain, they are source code process, build process and updating mechanism processes and supply chain attacks are poisoning trusted mechanisms.

The Kaspersky sees the paradox.  If you install updates, this is what we are told by the software developers, by the IT security community, you may become a victim of a supply chain attack.

But if you don't install updates, you might be vulnerable to security issues.  Therefore, this is what the paradox and a big problem for the IT security community.

And I want to talk about the threat actor group that we have been investigating, it's called Winnti group, this is the three largest supply chain operations.  ShadowPad, CCleaner infection and Operation ShadowHammer.  And it has been revealed last year.

So from one simple backdoor in a single supplier, the cyber criminals can damage multiple larger targets.  This is the problem with the wide supply chain attacks and one of the most difficult to detect, one of the most difficult to actually prevent at the very beginning.  You may be a target, but you may be a weapon if you don't know if your network and if your computer has been compromised and something is already happening within your network.

So I just briefly covered particular threats, but actually, to address those threats, there are particular challenges and I would like to briefly speak about them, because I believe that we will cover them in more detail later this session.

Definitely the lack of capacities.  Especially among the small and medium companies which is part of the global supply chains and particularly also the countries, the developing countries.  So this is one of the challenges to properly address the threat of supply chain attacks.  Then usually the lack of institutional framework, on how to actually procure the particular software, hardware, or firmware and how actually to make sure that the software, the hardware that you use is secure.

Lack of transparency mainly refers to how actually the vulnerabilities handle the companies and the vulnerabilities handled by the governments as well.

Fragmentation in regulatory frameworks is also one of the particular challenge and disturbing trend as we see the attacks of different jurisdictions to tackle the problem and therefore the risk of the fragmented approaches.

And finally geopolitical tensions and the tech nationalism which Andreas has already covered.  So I won't be ‑‑ I won't talk about this one.

And I would like to finalize with, again, the clear message and a very important message that our colleagues see, you may be a target but you may also be a weapon.  And this is something really very important for the IT security community.

Thank you very much.

>> ANDREAS KUEHN: Thank you, Anastasiya.  I appreciate the perspective from the IT security vendor on that particular issue.

Next one is Philipp Amann, who provides a law enforcement perspective on the issue of supply chain security and some of those attacks.  We have no one from a vendor on the panel at this point, but I know there are a couple of vendors in the audience.  So I think it will be interesting to see maybe some comments if you want to think along those lines later in the discussion sections of how nice the vendor looks at some of those issues compared to you know, law enforcement or an ICT security vendor.

So Philipp, the floor is yours.

>> PHILIPP AMANN: Thank you, Andreas.  And thank you for the introductory remarks and framing the discussion.  I probably won't take too much of your time.  It's always great for us to be able to provide the law enforcement perspective when we are talking about issues that are more potentially in the cybersecurity, cyber safety arena but really to highlight, what is our role?  How do we support and complement other efforts and why should we be at the table.

I work with part of Europol.  So we support moment in complex cross‑border investigations.  So cybercrimes we look into high‑tech crime and payment fraud and criminality in the Dark Web and we deal with combatting child sexual abuse.  And we have seen a whole different types of crime, but we are supporting the very complex cases.  And luckily, we also have some successes because I think that's also important.  It becomes very doom and gloom.  We just talk about the victims and becoming a weapon, and that's true and I agree with that.

From a law enforcement perspective when we look at supply chain risks, what we really see is it sort of ‑‑ it widens, expands the attack surface, right?  And it's often an ignored risk by the company.  It's ‑‑ you know, it's ‑‑ there's an inability, and I think, you know ‑‑ actually, I refer to that, in that there is an inability to also protect, you know, your information, your systems beyond your own perimeter.  So there's a number of challenges and just to go with a case example.  The number of cases that we supported, particularly in the IoT sphere, but there is an ongoing attack.  That's how criminals abuse the current situation, which, is you know, they are targeting actually teams Microsoft Team, and they upload the Global Strike, the ransomware.  They target specifically the education sector.

So you see how quickly the criminals are adapting and they are very agile to use the word, to ‑‑ to, you know, exploit potential security risks as part of the supply chain.  It's something you are supposed to install the updates and then you do install the update and what you get is ‑‑ you install yourself ransomware, which is not what you wanted to do.  This is currently ongoing.

This is just a reminder that, you know, this is ongoing and be on the lookout for those fake updates.

So what's our response?  You know, well, I think the biggest difference to an industry response, to supply chain risks is that we can go beyond defense.  You know, we usually go ‑‑ we can investigate.  We can go after the bad guys which is almost, you know, the gold standard but we also do a lot of prevention and awareness.  That's a key message as well.  That's like, if you will, the standard, prevent an attack from happening using tools, you know, by educating your staff.  You know, that's actually better to have to investigate the attack.

We do a lot of assessments.  We actually specifically highlighted the supply chain risk in our annual report, the net crime ‑‑ the Internet organized crime threat assessment report which is our annual product on describing the cybercrime landscape in ‑‑ in ‑‑ in the EU and beyond.  So, you know, mainly from the law enforcement perspective, but complemented, and very comprehensive.  We also try to predict the future to the extent possible and we have a number of recommendations, but specifically this year we have a number of issues that we highlighted but supply chain attacks is only one of them because of the risks that come with this in our ever connected world.

Like you said, Andreas, there's a much higher level of awareness now when it comes to that.

We have a number of issues.  Panelist European and sometimes working with industry, in connection with specific operations that we support and I think that's very important too, working also with industry partners because we need to have that stakeholder‑led network response to the problem.

One minute left?

You know, we organized with ENISA, the IoT conference, you know, IoT security conference.

So a number of things that we do there.  And so what's ‑‑ what's the solution?  Things like, you know, we heard already defense in‑depth, you know, seeing security and privacy design, positioning that as a competitive advantage, right?  Adding this to the procurement process, right?

And then have specific area for start‑ups and SMEs.  For us, it's really public/private partnership such as the normal ransomware and a lot of things that we can do.  Together we work with the web but we really need to walk the talk.  We need to start sharing more information and create the incentives for the companies to ‑‑ we work with everyone, and make sure that we can actually overcome and address those risks.

Thank you.

>> ANDREAS KUEHN: Thank you, Philipp for those remarks.  You are absolutely right, there's definitely more awareness on supply chain security issues.  You know, you mentioned some of the European Union reports, you know, Microsoft recently issued its digital defense report, and we will talk about supply chain security exclusively.  So I think it's definitely, you know, we ‑‑ as we have seen in our work.  So I think what is still missing, if you want and I think that was your final point, how can we together as a community address those supply chain security risks given kind of like current geopolitical tensions and some of those issues.

I think that's ‑‑ if we think ahead to the end of the workshop, maybe that's something we can do is make that very concrete.

Having that said, I think I really like Philipp and Anastasiya's original introduction of the topic, because we have some issues of how to think about them conceptually and what the threat landscape looks like.  I will go to the next speakers who come from more regional perspective and what is happening particularly in the global south.  First, I will hand over the floor to Dr. Amir, who will speak about Malaysia's perspective, but also the broader region.  Doctor, the floor is yours.

>> AMIRUDIN ABDUL WAHAB: Thank you, Andreas.  Very good day.  Firstly, it's an honor for me to be here at the IGF 2020 workshop.  My thanks to Kaspersky, to EWI for organizing this workshop.

A bit of background.  I'm from cybersecurity Malaysia.  We are actually a government agency, a techno center agency, under the ministry of communication.  We don't have any legislative body, so we are not a law enforcement agency, but we work with them closely providing the expertise.  We are not a ministry and we do have legislation.

And we also work closely with industry.  So we know that no one can do everything.  This is why we need to collaborate, and we have our own platform to create partnership, collaboration, managing anything in cybersecurity.

Today we are more concerned about ICT security in the supply chain.  I think we all know in this digital age everything is connected.  I mean, everything is getting increasing reliance on ICT.  Whether individuals, businesses, and even government, whether it's positive or negative, it is something that we need to understand.  Technology is also getting smarter, in parallel with the evolution of technology.

But there are cyber criminals are getting more and more smarter and more and more sophisticated.  They may take more additional measures to protect themselves but somehow it makes it harder for the perpetrators or the actors to attack ‑‑ more time for them, more work, even more costly when it comes to attack the company.

So they will go to the alternative, which is the third party, and this is more accessible, easily for them.  And this is something that I think it is very important and the security is embedded in the ICT supply chain, you know, from the beginning.  It's to manage the weakest link.

And this is the role.  We have a program to educate.  We have program to educate the public, and also program to train the capacity ‑‑ the capacity building program to train the practitioner and even professional services and we create many roles but we believe it's important for us to work especially to ensure the overall cyberspace, I would say, the country is concerned.  And more now with the COVID‑19 pandemic, I think the increased dependency and use and connectivity, I think the supply chain may be impacted due to the third‑party outsourced business.

So I hope through this session, this panel, Q&A, et cetera.  I will be sharing based on the theme we have provided, I will be sharing more about some of the tracks related to ICT supply chain in Malaysia.

And then probably looking to some of the challenges the government, whether they as producer or as a consumer, you know, how do ‑‑ what do we face when we assess the security of the ICT security supply chain?

And also, how do we in Malaysia and probably the region, how do we approach it to ensure safety?  How do we share the trustworthiness of the ICT supply chain and the capacity building?  I mean, it's always a challenge because when we look at cybersecurity, it's not purely about technical matters.  It is about, I will say people, process itself, policy, and even the technology, all combined together, and we call it a holistic approach.  So this is something that we hope we can listen and interact.  You know, island ‑‑ and we have to learn from others.  I'm a panelist, but I'm not necessarily an expert from everything.  It's good to have this kind of platform to learn from the areas of the American region, the European, and the ‑‑ the north African, et cetera.

So this is something, a good collaboration.  So that we hope that we can interact and even establish networks among ourselves to learn how to get better and come to a security ‑‑ the ICT supply chain.

Once again, thank you for organizing this workshop and also all for joining this workshop.  Thank you.

>> ANDREAS KUEHN: Thank you, Dr. Amir.  I agree with your remarks.  There's very much we can learn from each other and I look forward to having these conversations later on, capacity building and what can be done collaboratively when it comes to supply chain security.

The next speaker is Dr. Getao.  She has been thinking about some of those issues when it comes to capacity building in particular, and some of her work on cyber norms through the UNGTE, so Katherine, Dr. Getao, we are looking forward to your comments.  The floor is yours.

>> KATHERINE GETAO: Thank you very much.  I tried to start my video, but it says the host has disabled it.  So I will just proceed.

So thank you very much.  I think I have already learned a lot from my fellow panelists and I thank EastWest Institute and Kaspersky for coming up with this noble idea.

Now the ICT authority is a state corporation that is very much involved in supporting public service users, with infrastructure, with technology and with skills, and also we have a broad mandate.  So we are ‑‑ we promote our private sector also.

So we have a very practical point of view when it comes to this issue of supply chain.  So I will start by saying why we are concerned.  The first issue is sovereignty.  As a country, you expect that the technology belongs to you, and it is working for the purposes for which you bought it, and there's no form of external interference in the operations of your technology.

Another reason is we are generally a customer or a client.  We manufacture very little of our own technology within the country.  So we are normally buying from outside.  And as a client and a customer, you expect a reasonable degree of protection.  When you purchase a vehicle, you expect that it will have seatbelts, airbags, and other safety features that give you a reasonable chance of survival if your car is involved in an incident, and in the same way as consumers of technology, and I think Dr. Wahab said the same thing, we have a reasonable expectation.

And, of course, there's a possibility of loss or harm through supply chain insecurity issues and so we need to protect our government, our citizens from loss or harm.

One thing we may not have discussed is why are actors and those actors, most people have been talking about the criminal element, but we also know that there have been suspicions that there are states who are involved in supply chain issues, as well as companies.  So what are they looking for?  They are looking for strategic information, where they serve a national intelligence nature or whether it's of a commercial nature or even from personal data.

And I like what Anastasiya said about, you know, the forms ‑‑ the forms.  Yes, so there's the software.  There's the firmware and there's the hardware.  And for naive environments, of course, it becomes more problematic as you go further down the lists, because while software, we may have the tools to examine and notice what is happening, but when the threat is in the firmware and the hardware, it may be a little bit more problematic for many jurisdictions.

Now, I will end by saying, so what are we interested in as governments?  We are interested in technology that is functional.  In other words, it does what we purchased it to do, that it's robust to threats as well as to natural ‑‑ its natural that is genuine, because this supply chain issue means that ‑‑ (No audio).

>> ANDREAS KUEHN: Dr. Getao, I think we lost your audio.  Let's wait a quick moment to see if she's going to come back.

I think she just from the call, if I'm not mistaken.

>> KATHERINE GETAO: Can you hear me now?  Okay.  I'm sorry about that.  It seems I lost network for a moment, but I will try to be very quick to finish my statement.

So I was just saying that we are interested in robust functional and genuine products because this supply chain involves very many actors and not only at the point of manufacturing or producing the product, but also in environments where maybe we don't have the capacity, we involve others such as consultants who are assisting us to set up the software, who are assisting us to manage the software.

So there are a great many actors involved in the delivery of this, and all of them should be trusted.  In my later remarks, I will say what we consider persuasive solutions to assist us in this issue of the supply chain risk.

Thank you very much to everyone.

>> ANDREAS KUEHN: Thank you, Dr. Getao for these remarks.  I think it's very important the trust, that we think are ours, and they can be controlled by malicious third‑parties.  We have some questions about transparency center and some of the work that Kaspersky is doing.  Maybe some of those early experiences since you started that.  To have this discussion.

I think the important part, it's not only about cybersecurity in the narrow sense, but increasingly artificial intelligence, whether the mechanism is in place to have transparency mechanisms so we understand what is happening under the hood of the technology so to speak.

Moving on, Salah to you.  You shared with us, or your colleague, Mohamed Saad shared some of the interesting work that's happening in Morocco on a technical level.  It was quite fascinating to see the maturity that you have to see what you in particular addressed small and medium sized businesses.  I'm curious to hear more obviously about that, but the floor is yours and looking forward to your report.

>> SALAH BAINA: Thank you.  First of all, thank you very much for involving us in this workshop.  On behalf of my Moroccan partners and my Moroccan ecosystem, we are very proud to be here with you this morning.

Please let me share with you my small presentation just to focus on some points I would say in Morocco, we are focusing on the supply chain because we aim to be a major actor in the Mediterranean level.  We are trying to develop a facility as the biggest I would say in Africa.

The security is a high level concern for us.  We know that being involved in a world trade ecosystem is also engaging that we are not the weakest one at the security level.  We don't want ‑‑ in the ‑‑ I would say in the chain of world trade commerce, we don't want to be the weakest link so each point of this network has to develop the regulation, the rules, the laws to ensure a little bit of security of transparency and of course, to protect ourselves but also to protect the others and Morocco is very concerned with this security problem so.  I would say that since 2010, we had very interesting roadmap for developing regulatory authorities, frameworks, laws, and also very productive, very active ecosystem in this ‑‑ to tackle this problem.

So I would say that we started in 2011 by creating the regulatory organizations.  So we have, I would say two main actors, which are the strategic security committee, and the general direction of security of information systems.  Both of those authorities have made the which is called today the strategy of information system security in Morocco.  So we have a specific framework that has been developed using international standards but also using national work that has been done with the whole ecosystem to ensure that no Moroccan organization is the weakest point in this network.  So we have ‑‑ lately we have defined what is ‑‑ what should be the security level of the ‑‑ of what we call important infrastructure which is mainly critical infrastructures in Morocco.  So we have a list of those critical infrastructures airports, also energy, suppliers, telecommunication providers and each one of these actors has to achieve a certain level of security and this, I would say cascading to every small company that works with those big players, I would say.

And we as association of the users of information systems in Morocco, we have the ‑‑ I would say we have the role.  We are not policymakers, but we have the mission to educate the ecosystem.  So we accompany this whole ecosystem with seminars, with events, with ‑‑ by producing white books and producing articles in the aim to make education sensitization and also awareness of the whole ecosystem, starting from primary schools.

We also have by the few past years events that have been made with schools, with universities and with industrial partners and at the local Moroccan level but also at the regional level, we collaborate with I would say colleagues from France, colleagues from Tunisia, from somewhere else in the Mediterranean.  So we try to make this thing general, not only at the ‑‑ because if Morocco is a trust level ecosystem and we have to collaborate with another country or another facility in the region, so it's no more our capacity to defend ourself, which will be involved, but also the capacity of our partners to the ability of our partners to protect us.  So it's ‑‑ I would say, it's a team work we cannot only protect our infrastructures.  We have also to make sure that every single point in this world network is protected.  So it's real team work at the world level to protect the whole supply chain.

And so this was my point and to do this I just say that the association is making a lot of work for dissemination of Moroccan policies but work policies and we try to make a framework to accompany SMEs in this maturity level and we have the ICT maturity level which is get assessed and get value, and in this program, we have a lot of, I would say issues about security and protection.  That was my presentation.

Thank you.  I guess we have to exchange about all of this in the next few minutes.

>> ANDREAS KUEHN: While you were talking.  There were quite a few questions.  Probably everyone has realized and now I think we said before that once everyone becomes a panelist, you can't use the Q&A function anymore.  So that's why we switched to the chat for that.  I really like your slide that shows the overlay of the actual trade streams are happening and how we can all ‑‑ we can all think about how ICT plays into that.

We can think about that in a more narrow scenario of the ICT supply chains.  It's quite important and probably just drives further the point that we need to look into that.  And obviously besides the cybersecurity conversation that's happening over the past year, this year in particular, COVID‑19, I think brought also to the forefront.  Understanding supply chain security.

That was our opening statement.  Time flew by a little bit faster than we expected.  We originally thought to have some more conversations directly from the panelists but I want to make sure that we have an opportunity from our participants ask questions and get involved.  I think there was a common theme around education awareness that particularly our last three speakers directly or indirectly addressed and I was hoping to get more perspectives on that, you know what in particular are you doing?  I know Dr. Amir has some thoughts on the wider region that the ASEAN countries are doing in that regard.  Dr. Getao also had some thoughts on supply chain.  I'm curious if we can briefly provide some comments on that.  Dr. Amir, would you like to start?

>> AMIRUDIN ABDUL WAHAB: Thank you, Andreas.

Okay.  In cybersecurity Malaysia, we have programs that covers the community at large and that community we even divide into SMEs, the organization and children, we call it cyber safe program.

It stands for security for everyone.

So it's about giving knowledge about the awareness of the threat that might be there and online whether you as individual users or as an organization.  Because I think it's important.  Not everyone is a practitioner.  They are just a user of the technology.  So regardless of where ‑‑ of which sector they are in, so they need to have the basic understanding.

Then if you come back to the triangle.  That's we call it the bigger community.  And then the next layer up we have the capacity building for the practitioner.  So we have a program called the cyber guru, whether they are in the IT area or when it comes to the supply chain.

How ‑‑ how do they need to protect their organization, for example?

And as a practitioner, a person who is a paid professional to protect the organization, whether they protect their own organization or the third‑party vendor, for example.  They need to have that basic understanding.  So we have programs from the responsibility side.  And up to proactive measures.  Giving business continuity, and all of these other things and then also looking into various new technology, security requirement.  We are now having IoT security, and it needs to be understood.  So this is the type of training that we provide to the practitioner.  In addition to having a training, we certify them as a professional certification, and certified professionals.  That means that they even have to take an exam, just like following the ISO 17024, basically to ensure that they are really capable, competent enough, you know?  And this program we call the global ACE team, global cybersecurity team.  It's not only developed by us.  It's facilitated by us.  It's vendor neutral and industry driven.  It's coming from various sectors whether it's from public sector input, the industrial input and the academia and the community at large.

And we build this together, facilitate cybersecurity measure.  Two months ago in September, this global ACE team was recognized by ITU under the WSIS 2020.  So we won it under category five of the world summit.  This is an initiative that we tried to bring it and not only that, we bring it to the next level.  I mentioned by cyber safe and cyber guru.  And cyber ace.  But this up with we work collaboratively at international level where we are putting ‑‑ we are now helping some of the countries in the region, whether in the ASEAN or even in OIC countries, because we are currently also the Asia Pacific chair ‑‑ the Asia Pacific with the chairman and we are the permanent Secretariat to the OIC.  So we are building a mutual recognition of cyber ace, and we are mentoring some of these countries to help build a program and building professional certification and at the same time we mutually recognize each other.

People we believe is always the weakest link.  So you need people who are aware of the issue of cybersecurity.  But at the same time as a practitioner, they need to be qualified.  They need to be certified.  They need to be competent to be able to do what they need to do to protect their organization.  But at the same time, since it is aligned with the international standard.  We want to recognize whatever they have done, which the organization is put ‑‑ this is recognized also at the international and that's why we are building and helping some of the countries in the region to build a mutual recognition.

So rather than ‑‑ like a mutual recognition, for example, in the case of ICT assessment, for example, a common criteria.  So now at the people level.  So we believe that cybersecurity regardless of your own organization, it must look holistically from the people, process and technology together.

So that's a bit of ‑‑

>> ANDREAS KUEHN: Thank you, thank you, Dr. Amir.  I like that you tied that together over people, process and technology.  And I see in the chat, Arnaud provided the link to cyberguru.my and that allows our audience to check out some additional information on what you just described.

I know Dr. Getao and Salah may want to respond.  And Chris Blask raised his hand.

Salah, would you like to have a short response or is it ‑‑ it's always an interesting perspective from India.

>> KATHERINE GETAO: I'm happy to allow my old friend Latha to make her contribution.

>> SALAH BAINA: Go ahead.

>> ANDREAS KUEHN:  Latha, very nice to see you here.

>> PARTICIPANT: Lovely to be here.  I actually wanted to bring in a different element and not necessarily from India's perspective, though I suppose it does also affect India.  When we talk about the transparency in the ICT supply chain, with the increasing globalization of the supply chain, you know, there is a real issue with dual use technologies and supply chain security and it's not always adequately protected by the arrangements like the Wassenaar Arrangement, for example.

Now it's a fact that we need the new technologies, particularly the Internet protocol network monitoring systems, the telephone interception equipment, the intrusion software in electronic devices including telephones and computers, and the data retention systems for legitimate purposes but they can be very badly misused.

Now, India has been subject to a lot of restrictions on the dual use technologies, of course.  So from our point of view, we would like to see less restrictions and not more but I think the real question is with the new technologies not yet really being completely under the control of the new emerging technologies, how do any of the panelists ‑‑ and this is open to all of you ‑‑ see this whole issue of the dual use technologies.  It's a new item I wanted to toss into the discussion.  Thank you.

>> ANDREAS KUEHN: Thank you.  Philipp, I know you work this.  I saw you thinking when she was saying dual use technologies.  So please, for a short response.

>> PHILIPP AMANN: I think very quickly, I couldn't agree more.  I think that's certainly one of the challenges that we have, with the dual use aspect and different, you know, actor groups, you know, potentially using the same, if you will techniques that cyber criminals use.

So there's some initiative ‑‑ I think from our perspective this has to be, again, a stakeholder discussion.  We need to come to a point where, you know, ideally, I know sometimes we don't like the word "balance" but a better balance, but a right mix of safety, security, and privacy.  Meaning that from our perspective, you know when we look at the use of encryption, for instance, or, you know, we are about to publish ‑‑ unfortunately, it will be published on the 19th of November, we will publish a report on the malicious uses and abuses of AI, which we created with two industry partners and that's the kind of things where we look at what are the challenges and to say that and see how can we build safer and more secure systems?

But I think that's going to be an ongoing challenge.  There's no silver bullet as we know to address that dual use aspect, but I think the safer, the more secure the metrics are, the better we are protected the better we can deal with the very legitimate, you know, lawful based ‑‑ on you know, legality and all the transparency measures that you need from the law enforcement perspective to ‑‑ to, you know, address the criminal use of those technologies.  It's an ongoing discussion.  I fully agree with those comments, but it's a challenge that we all together need to address.

>> ANDREAS KUEHN: Thank you, Philipp.  From my side, I think the question around ‑‑ when it comes to tech nationalism, looking at the issue from that perspective that this has been, I think, kind of a problem, right, in terms of like there are new technologies out there.  There are emerging technologies that have good uses and in some cases, I think we have seen the controllers restricting them early on which is problematic from the innovation and competition point of view and there's a lot of literature on this from other emerging technologies back in the day, but definitely something that needs to be addressed.

When you look at the US issue, recently a new strategy on emerging and strategic critical technologies where we see the export control regimes or training as tools to deal with some.  Security‑ ‑‑ with some of the security‑related issues.  I hope that provides some answers.  Anastasiya.

>> ANASTASIYA KAZAKOVA: Yes, very quick.  I like the questions which Ms. Reddy asked and there's no silver bullet answer, but I would like to be pessimistic and optimistic.  Pessimistic, I think humanity will not be able to address the old ways that exist and we have to just accept that this is a trend.  Though those items is not that completely used.  It could be just the computer, it could be a dual use item.

I think we should be aware that not the ICTs themselves pose the risk, but also the use of technology and here's the human aspect actually takes place.

But I would also like to be optimistic in this regard.  I think that in the global discussions, especially those are taking place at the UN currently, if there would be more discussions outcome oriented with private sector and cover the dimension of the human rights and to map all the risk, to make a basic threat modeling particularly, and also to dig a little bit deeper, what are the particular definitions and there's still the question of what are the dual use items whether the items that could be classified as dual use.

So if this manual work could be more, I would say, a part of the ongoing life and I think it would ‑‑ we would reach some outcomes.

>> ANDREAS KUEHN: Thank you.  I want to switch over to Chris Blask who I know works with the Linux Foundation on something very practical when it comes to transparency in supply chain security.  Chris, the floor is yours.

>> PARTICIPANT: Thanks, Andreas.  Thanks, everybody and Latha, always wonderful to see you.  And Andreas, you mentioned earlier, that some of us are vendors and I actually have three hats to talk to here.  One as we are sometimes a vendor and integrator and part of that time I spent as a chief security officer in Colombia and we put together a 25‑year plan that includes solving this.

And now as you mentioned, I'm also chairing a foundation project, the digital bill of materials, and as the vendor, early last year, inside Unisys, thinking these things through with applied innovation group, answering the question, can't we just write this down somewhere.  Westerly Unisys.  We are the supply chain.  We know how these technologies work.

And one thing basically led to another, and we formed this consortium under the Linux Foundation, doing Linux, including Intel, and Siemens and ‑‑

>> ANDREAS KUEHN: Can you briefly explain what the DBOM is so everyone knows what we are talking about?

>> PARTICIPANT: Exactly.  We just open sourced our first code in 140 years, it's the DBOM node code which everybody can use and create or involved in the attestation channels.  So we have come at this from the direction that there are three questions and answers in the supply chain security.  What are you writing down and who gets to read it?  Taxonomy, repository and policy.  The repository part was just spread out chaotically in tasks.

It wasn't coherently done anywhere.

With the DBOM node code, organizations can create or involve themselves in policy, where attestations are made that can be stacked up.  When I put myself in a position of the asset owner in Colombia, I can put a process in place where I can take an individual device and look across the attestation channels and be able to say that the hardware, the software came from, you know, these have come through steps.

And you know, keeping the focus on the global south and the regulatory process, we help to put in place, it feeds the inventory and the process back in.  So this ‑‑ this ‑‑ the Colombia example is something that I just always refer to because we looked at that in 7, 15, 25 year quantums of things that must be done.  We are two years into the seven years that we had to make significant progress by the end.  Getting attestations and clarity, the regulator and operator and the stakeholders can see, gives some structure to all the things we are talking about here.  How do we see how do we share the certifications across countries, well attesting them to them along the way, allows us to automate it and build it into processes.

>> ANDREAS KUEHN: Thank you, Chris.  I think when I showed in the very beginning this table of different measures for assurance and transparency, and the ideas about software bill of materials, that as an aspect of that.  It's an interesting point to hear something very concrete when it comes to proof of concept how can this be do in from the grid, right?  And I think that's what we need to work on, right?  We had other conversations, kind of looking at monitoring through the chat and the questions have been asked, where certification is a big question.  The DOD is currently on the way to roll out certification scheme where they have an entire practice where they will assess the cybersecurity posture of its more than 300,000 globally contributed suppliers and you get the complexity of the issues that we are working on.  The project like you just described.  When you talk about the certification scheme, how does it build?  There are still big questions but everyone agrees that we need something to address some of those challenges.

Any other questions?  I know there are a lot of good that Vlada makes.  Do you want to take the floor and speak about some of the insights?

>> PARTICIPANT: Well, thanks.  I apologize for not putting on the camera.  I'm chasing the kids around.  It's not a good scenario.  I like the discussion.  It's really thinking loud, whether the existing certification schemes that we have such as in the UN and the Singapore, whether they are fit for supply chain or not.  And secondly, it's good to have maybe a couple of governments being involved but then politics can play a role.  If the free can come up to ‑‑ I mean, industry ‑‑ it's much less of an influence if they can come up with a criteria primarily, that could then maybe be accepted by the government, some of the governments ‑‑ I don't know, it's really think loud.  I wonder what others think about it.

>> ANDREAS KUEHN: I see that Andy Purdy has joined this group.  And Huawei has been thinking about certification in terms of 5G and there are newer standards out there and certifications to try to address this.  I wonder if you can talk about that.  Andy, do you want to address that or other thoughts?


>> PARTICIPANT: Yes.  Thank you.  I think some of the work that's been done by our competitors and ourselves and 3GPP and GSMA in terms of focus, for example, on the ‑‑ the telecom equipment, the network equipment security assurance scheme which is the combination as you know of standards and independent testing, are built around the same concept as common criteria where you have recognized labs.

And while there are only two recognized labs so far, that can be an important way to have a baseline of standards and testing that could be add ‑‑ add additional layers for higher levels of assurance.  And so we hope that governments will consider that kind of a program platform, to enable the kind of certifications to specified standards.  If you can combine that type of testing scheme with a couple of concepts that are near and dear to folk's hearts and when I was at the IGF a number of years ago, the ‑‑ the idea of combining norms of conduct with some co‑op or no bias agreements, so you could have countries sign on to that agreement and companies to sign on to such agreements and if we could combine that with some of the recommendations a year ago this month, actually of the global commission on the stability of cyberspace and I see that there are some commissioners that are part of the conversation.  To increase attribution, including technical attribution.  I think those kinds of combinations where industry and government can work together, they provide a transparent basis of knowing which products and services are worthy of trust.

I welcome any comments on those thoughts.

>> ANDREAS KUEHN: Thank you, Andy.  I see some people nodding to those comments.  Anyone would like to answer or respond to that from the panel or someone from the audience?

>> PARTICIPANT: The keyword attestations and ‑‑ I'm sorry, I forgot the word there, but, yes, making those things clear.  You know, whether from, you know in Colombia, or whether from the vendor perspective or whether from the Linux Foundation perspective, we had to have the certifications.  We had to have the assessments and, I'm sorry, the term you were just using, Andy, was ‑‑ not attestations, but attributes.

>> ANDREAS KUEHN: Attribution.

>> PARTICIPANT: That's right, attribution and places.  Ghana in the south, Huawei owns the fiber, the undersea fiber coming in.  I'm an American company as well.  Ghana has the ability to see where everything is coming from and having those attributions and those attestations, they can make the decisions based on that.  So it's ‑‑ you know, the certifications and so forth that we use as many of the panelists have discussed allow us to assign attributes to artifacts whether they are people or software or hardware.

You know, it's the policy structures we have no have to consume those at the national levels or the infrastructure levels and those at the end of the day have to come ‑‑ have to be supported with the visibility to know that the policies are in force.

You know, I'm biased.

>> ANDREAS KUEHN: I think Philipp is raising his hand.  We also have ‑‑ I'm sorry, I might in Butrinastrice, who also raised his hand.  I so a quick response and I would like to hand the floor off to you.

>> PHILIPP AMANN: Well, I think, again, that's the way to go.  I think we need to have those built on existing certification schemes, and trust building schemes, working with industry and government and I think, you know, just going to what Andy said about 5G.  That's a perfect scam.  Involved in the 3GPP group as well.  And we want to make sure that this is lawful.  Again, we need to have the multi‑stakeholder environments where we can discuss and also address the different requirements that we have and come up with the solution that works.

I think from a law enforcement perspective, speaking from the EU, we do a lot of technical attribution.  We wouldn't do the political attribution.  We would do the EU service that does the political attribution.  We work with them and then they take it further.

I have this on my desk.  It was in Malaysia.  We had a visit from your colleague, Dr. Amir and a call with Morocco.  We apply that platform economy to our way.

>> ANDREAS KUEHN: A quick question from Allan from the IGF.  If we run a few minutes long, is that a massive breach of protocol?  With that, I will hand over to ‑‑

>> Yes, we can give you five minutes to wrap up.

>> ANDREAS KUEHN: Thank you.

>> PARTICIPANT: I will be very brief.  Thank you, Wout.  The dynamic Internet standards in the chat, I would like to explain very briefly where that comes from.  Last year, it was IGF pilot on Internet standards deployment and we asked the world why the Internet standards so slowly deployed.  And the main question is there's no pressure from anywhere, but really to deploy them.

You know, no demand, no supply.  When we asked what is the solution, most people say leg, but everybody else said do not legislate, but then the question comes in, what comes next?

And creating a business case through procurement and supply chain management was one of the major answers provided by basically people from all around the world.

And that's what we are trying to promote, because if we can get the security of the Internet up through supply chain demand and through procurement demand, by governments, then also smaller businesses and the individual end user will profit from the supply that is going to be given once the business case is made through procurement and supply chain management.

That comes with questions like:  How secure is the platforms or the responsible disclosure of vulnerabilities.

I would like to ask you to visit our Dynamic Coalition and ask you to if you are willing to participate.  We will try to tackle some of the questions that have been raised here by the chat and by the panelists.  Thank you for this two minutes.

>> ANDREAS KUEHN: Excellent, Wout.  If there's a link to the work that the coalition is doing, please, please, put it in the chat so we have it for our records.

As we unfortunately see, we are running quickly out of time.  I know there's a lot of interesting questions also happening in the chat.  We won't be able to address all of them in the remaining few minutes, but what I want to do is kind of like do a final round of final comments or concluding remarks less than a minute, please, from our panelists to wrap this up.  Salah, I know you had your hand raised first.  So please go first.  And go ahead, thank you.

>> SALAH BAINA: Thank you.  Very quickly, Anastasiya said that we can't be optimistic and we can't be pessimistic.  I just want to say that we have to be pragmatic.  In Morocco, for example, we have a special task force which is called the Masser task force which is in a few words Moroccan computer response team, so each time we have a threat, we have to react, and quickly ‑‑ quickly and right.  We can't ‑‑ even if we have a system with ‑‑ with regulation and compliance and certifications, the supply chain system is too big and too complicated to have everyone in the system okay with compliance.

So we have to have this kind of reaction team that will do the necessary actions each time we are in threat.  So having certification is not enough.  We need to have on field active teams.  That was my point.

>> ANDREAS KUEHN: Thank you, Salah.  Was it also your concluding remark or is this ‑‑ was this a separate comment?

>> SALAH BAINA: I don't, it was my final ‑‑

>> ANDREAS KUEHN: Excellent.  I wanted to double check.  Thank you so much.

Dr. Getao, your final comments.

>> KATHERINE GETAO: Okay.  To Lattah's interesting question, there has always been dual use technology.  Guns and knives are dual use technology, and norms have emerged about how we deal with these kind of dual use technologies.  However, I think the problem we have now is the speed of action, which I think my colleague has also referred to.  We can't wait for technology to just emerge.  And also, there are always outliers even in the handling of things like guns.  We have seen there's a middle norm which most people accept, but there are outliers on either side.  And I think this will happen with technology as well.

I wanted to say that there must be accountability measures as well as the measures that we take to respond quickly as my colleague has just said.

And among those, I would like to add that there should also be a public registry of complaints so that we can examine such registries when we are selecting our technology.  Thank you, and I really enjoyed the panelists and also the participants.  It's been great.

Thank you.

>> ANDREAS KUEHN: Thank you.

Dr. Amir.

>> AMIRUDIN ABDUL WAHAB: I think from the workshop, we can find the security in the supply chain and we need to be proactive.  Obviously, certification is important.  I think the government, for example, required it because we need to ensure that the supply chain is also well equipped in defense of the cyber threats.  It's not just certification.  It has to go beyond the certification as our panelist from Morocco mentioned, certification is not sufficient.  We have to go beyond.  And it need ‑‑ and it's a continuous effort.  And it needs to be comprehensive and it keeps changing as you know, it changes very fast.  And we need to be adaptive, dynamic and innovative and at the same time to strengthen the private/public partnership.  We need to work globally because these are not local issues.  A supplier can also be from overseas.  So always the importance of working together both domestically and at the international level.

By the way, I would like to express my thanks to Kaspersky and EWI and Andreas, wonderful moderatorship.

>> ANDREAS KUEHN: Thank you, Dr. Amir.  Anastasiya.

>> ANASTASIA AILAMAKI: My three final points, I actually feel more a little bit optimistic personally also as a user, not just as ‑‑ an employee of the private sector entity.  But three final remarks from my side.  I think there should always be a risk and we have to accept this, especially with the new lessons learned during the pandemic.  There would be more the use of ICTs.  There's no longer a question whether to use or not use them.  No longer a question whether to live in cyberspace or not to live.  So this is one.

Therefore, we need to trust the communities.  We need trusted multi‑stakeholder communities to actually first identify what are the gaps and then timely fill those gaps and thirdly, I would say work on the awareness and the capacity building.

And likely, I see the very good OED thing is that today we are actually ‑‑ I think and I hope made a good progress in raising awareness about this issue, and hopefully to share more best practices.

I noticed many useful links.  So we definitely thank you very much to everyone, and definitely we will compile those links.  I think it would be very helpful, especially to small and medium companies and especially to developing countries as well.

Thank you.

>> ANDREAS KUEHN: Thank you.  Philipp.

>> PHILIPP AMANN: Thank you.  I have about 10 seconds?


>> PHILIPP AMANN: We are in the deep red zone.  I think to repeat what we heard, it is a multidimensional, very complex issue.  So it needs to have a multifaceted approach.  As Dr. Amir said, certification alone will not do the trick.  We need policies, regulations, best practices.  We need to have technical solutions and we need to have prevention, awareness and capacity building and training and all of that needs to come together.  We have to go way beyond, beyond the EU and have that international network and exchange and it's happening already.  So I'm very happy to see that, and just to, you know, from my side thank you very much for organizing this panel.  Great to be part of it, and thanks for the panelists and all the ‑‑ you know, the participants for the good questions.

Thank you very much.

>> ANDREAS KUEHN: Thank you, Philipp.  I think it's now to me to say thank you to everyone.  This was very insightful.  I was fascinated by all the topics that came up.  Unfortunately, there was not enough time to go really deep into some of those ‑‑ I was astonished to hear that dual use came up.  It's definitely an important aspect to think more about that when it comes to the future of supply chain security, but also the issue of certification is something just looking at the chat that people really think about and know we need to move forward in that regard, but we also know it will not solve all the problems we are currently facing.

When we do in good IGF fashion, we will write a short report within 12 hours and then a longer one after that, to kind of like bring to paper all the interesting thoughts we heard today.  And we also hope to engage with you further on this.  I think on a preparatory call you mentioned and also said again today, talk ‑‑ walk the talk, right?  You need to do something here.  So I think that's kind of like the next step where we are.

We'll ‑‑ we will provide some more thoughts on this.  We will work on creating some more resources and share them with you.  Please be in touch.  Again, thank you to all the excellent panels and the participants.  It was great to be here with you, even at 1:00 in the morning.

So thank you so much, and with this, I will conclude, but also thank you again.  At the IGF for providing the platform for hosting this panel.

Thank you.  Have a wonderful day or evening.  Until next time.

>> ANASTASIYA KAZAKOVA: Thank you very much.