Wout de Natris
Welcome to the IGF 2020 Pre-Event #19 ‘Let's work. Deployment of Internet standards and secure ICT products and services’. A workshop with an active and inclusive goal: to make the Internet more secure and safer by ensuring the swift deployment of Internet standards and ICT best practices. Anyone with an interest in deploying security-related Internet standards and ICT best practices is invited to join and contribute views, ideas and proposals in this multi-stakeholder forum.
You can find further information on the DC and on how to join through the mailing list here: https://www.intgovforum.org/content/dynamic-coalition-on-internet-standards-security-and-safety-dc-isss.
Session Update 2
This session focuses on a few questions in relation to pre-work undertaken by experts over the past weeks. Their suggestions have led to the forming of three working groups. The following texts are the basis for this workshop. The DC-ISSS is in search of your ideas, knowledge and vision, in person or through the chat function to debate there.
DC-ISSS WG1 Security by Design – Internet of Things Sub-group presentation 04-11-2020
Members of the IOT Sub-group met on 27 October. The group first discussed potential topics that would add value to the current work already taking place in other fora and processes relating to IoT standards and policies. The following actions were identified that will produce added value to current initiatives:
- Comparison of current guidelines;
- Provision by DC-ISSS of best practices;
- Creation of an Observatory of best practices.
ii. Solutions to Barriers
- Identification of current barriers to deployment;
- Creation of solutions and implementation of actions to overcome these barriers;
- Identification of ways to provide solutions for SMEs.
iii. Regulatory considerations
- Avoidance of barriers created by divergent national legislation and regulations;
- Promotion of harmonisation through alignment of legislative proposals.
iv. Specific IoT issues
- Definition of attack vectors and threats for IoT;
- Creation of best practice solutions for legacy IoT devices.
The IoT sub-group also discussed end goals and agreed that the first sign of success will be participation and diversity. Outreach to users in economic sectors will therefore be important, e.g. gas and electricity network operators.
The second sign will be concrete outcomes of the actions listed above.
To be effective, priorities will have to be made on which IoT sub-topics to work on first.
It is important to define potential roles of other stakeholders, e.g. consumer advocacy, trade organisations, regulators, standardisation bodies, etc., who may not be involved in Internet governance on a regular basis and invite them to either join or to consider consultations with the IoT subgroup.
Responsible disclosure of vulnerabilities in IoT was identified as an important early issue for consideration by the IoT sub-group. This could lead to activating the DC-ISSS WG to propose solutions towards responsible disclosure and to detect vulnerabilities by way of suggesting forms of global gaming systems to detect vulnerabilities through constant testing and instituting reporting options. This WG will be wider than IoT and will include all relevant ICTs.
Yuri Kargapolov will present a document on attack and threat vectors that can start a discussion for this part of potential work.
DC-ISSS WG2 Education and Skills presentation 04-11-2020
Members of Working Group 2 Education and Skills met on 26 October. The following issues were identified as priorities for the WG:
- A diverse range of programmes exists world-wide in the field of ICT education, skills and careers, including government initiatives, private sector programmes, and government-led programmes involving ICT companies;
- Curricula are often set by the individual school and university making them difficult to change in a coordinated approach, while it is important to allow for national and regional differences;
- The security of online education platforms is an important issue for educational establishments to understand and make provision for (a topic for WG1 Security by Design - Platforms).
The goals of WG2 should include:
- Identifying and reviewing current practices;
- Creating an observatory of global best practices;
- Examining whether curricula include Internet security, safety, governance and architecture, each depending, of course, on the level of ICT education programmes / schools;
- Bringing together experts with the aim of establishing collaboration;
- Identifying deficiencies and gaps in current educational programmes and curricula and making recommendations for additions;
- Agreement on how to disseminate and promote the outcomes of the WG, taking into account national and regional differences;
- Wider adoption of global best practices for developing ICT education and skills in national educational programmes;
- Provision of guidance for vocational training programs, e.g. relating to procurement decisions and deployment generally of Internet standards and ICT best practices.
It was agreed that WG2 should not focus on wider public awareness-raising for which many diverse programmes already exist.
The WG will have been deemed successful if global best practices have been collated and the main outcomes and key messages of the WG have been communicated to relevant organisations, e.g. ministries of education, universities and schools through national programs. To achieve this, it was suggested that the WG should be represented in existing events where ICT education issues are discussed, and that it might also convene its own IGF session / workshop in 2021 / 2022 or an international event on this theme if resources were available.
DC-ISSS WG3: Procurement, Supply Chain Management and Business Case – presentation 4 November 2020
Members of WG3 met for a first discussion on 27 October 2020. Concerning the scope of WG3’s work programme, in addition to focussing on public sector procurement as a driver for adoption and deployment of security-related standards, there was also support for including wider private sector supply chain management opportunities for deploying security standards. The meeting agreed the following intended goals and priority actions for WG3’s work.
- Preparation of effective and comprehensive practical guidance on incorporating relevant and up-to-date security standards in procurement objectives and negotiations.
- Compilation of best practice guidelines supported by a set of recommendations that will enable purchasers to make better decisions in support of security and safety.
- Promotion of a framework approach for procurement that creates greater consistency amongst national public sector purchasers and regulators in the deployment of standards for security.
ii. Addressing Gaps and Inconsistencies
- Resolution of the widespread gaps in knowledge and lack of expertise in security standards at national level.
- Reduction in the major variations in national practices that create failures to address security vulnerabilities.
- Advocacy of inclusion of security-based procurement in national and regional digitalisation strategies.
- Consideration of liability regimes with penalties would contribute to strengthening compliance with security standards recommendations.
iii. Review of outcomes
- Establishing a continuous role for the IGF as a multi-stakeholder observatory to monitor and review security standards deployment, and to update the DC-ISSS guidance and recommendations where necessary in order to take account of technology innovation and development of new standards.
In considering how to achieve the goals, the WG3 discussion took note of the following:
- Multi-stakeholder collaboration through WG3 as the best means for identifying mechanisms and tools for achieving greater awareness amongst government procurement agencies of how to deploy secure standards.
- The importance of keeping uppermost in mind the interests and needs of the end-user.
- The need to take into account the differing requirements of individual Internet users, businesses, larger corporate users, institutional and public sector requirements.
The following questions will be put to you:
Questions DC-ISSS Working Groups
1) WG Security by design
Many topics can and probably should be tackled during the time the DC-ISSS has available: (more) secure IoT; websites; data storage; privacy; software; identity management; platforms; etc. The one that has been mentioned most leading up to this work, and that currently holds the most experts, is IoT security. At the same time a lot of work on IoT security is carried out already around the globe. An important question to answer here is where and in what way the DC-ISSS can be of added value. When we establish that, the question that needs answering is: what is our end goal and how do we propose to get there? When is it opportune to focus on the next topic(s) in this WG?
2) WG Education & Skills
The focus presented on the topic so far has been on changing ICT curricula so that students studying ICT leave their schools and universities with a more up-to-date knowledge of cyber security, Internet standards and ICT best practices, as well as an understanding of Internet governance and architecture. Education and skills insufficiently match demands and the level of knowledge needed, where security (by design) is concerned, from vocational schooling to universities.
We have also heard of the need to protect children being educated online. It is important to understand whether: a) this fits the goal of the DC-ISSS and this WG. (It is e.g. possible it fits better under “platforms/ICT services” above.) and b) if so, to establish whether the topic can be incorporated into the curricula theme or becomes a second track within the WG.
Main questions are also: What should be the end goal of this WG and how to get there? It will be important to provide examples of what needs to become part of curricula.
3) WG Procurement and business case
Through procurement a business case for faster deployment of Internet standards and ICT best practices can be created. There are a few examples around the globe of procurement demands/advice for governments. These could be starting points, but first we need to determine what our end goal is and how to get there. What constitutes a business case allowing for secure products and services? What elements do procurement demands need to contain, to create a business case and deliver secure products and services?
If we can present on this on 6 November we have our launch. After we have established where we want to go, the next step after the IGF is to establish a timeline. From there we’ll go through the crunch of inviting experts, to gather and analyse relevant data on existing initiatives and take it from there. We are looking forward to your input.
The objective of the IGF's new Dynamic Coalition on Internet Standards, Security and Safety (DC-ISSS) is to achieve rapid and more widespread deployment of Internet standards and ICT best practices relating to online security and safety. It takes forward the recommendations of the IGF’s Pilot Project Implementing standards for a safer Internet in 2018-19 which were published in the report Setting the Standard for a More Secure and Trustworthy Internet.
Achieving greater online security and safety is a priority for many governments and business organisations, and for the technical community, civil society and individual personal and corporate users of digital technologies and services. The vulnerability of many existing and future Internet-related devices and applications to security threats and the spread of online harms and criminal misuse is widely recognised as largely due to relevant standards and practices not being effectively deployed worldwide in order to mitigate and prevent these risks. This undermines the trust of private, corporate and public sector users in the Internet and its related digital technologies and applications, and has created the serious risk that the positive social, economic and development benefits of transformative digital technologies will not be fully realised for all communities worldwide. The impact of the COVID-19 pandemic has highlighted the criticality and urgency of addressing these challenges.
Under the leadership team of Wout de Natris, Mark Carvell and Marten Porte, the DC-ISSS brings together experts from all the relevant stakeholder communities who are committed to making online activity and interaction more secure, trusted and safer through ensuring that standards and best practices play their full role in addressing these challenges. The Coalition aims to achieve this by delivering recommendations and evaluating their adoption by decision-takers.
This session is meant to be a workshop, including three breakout sessions to determine the objectives and goals and the participating stakeholder experts will finalise the overall workplan and first year priorities.
Following recent preparatory stakeholder consultations, the session will also confirm the establishment of three thematic working groups for the first phase of the coalition’s work during 2020-21. These will examine and develop policy recommendations on i) security by design; ii) education and skills; and iii) procurement models for driving the deployment of security standards. Stakeholders are invited to join these working groups. Self-nominations for chairing the three working groups are currently being invited. Expressions of interest should be addressed by e-mail to the leadership team at denatrisconsult (at) hotmail (dot) com.
If you are not only interested in this workshop but also in the ensuing work that will follow it, please join the D.C. by signing up to the mailing list at https://intgovforum.org/mailman/listinfo/dc-isss_intgovforum.org
The outcomes of this session will be presented at the formal launch of the DC-ISSS on Friday 6 November at 09.10 UTC.
The workshop is the final phase of the constitution of the Dynamic Coalition Internet Standards, Security and Safety (DC-ISSS) when the outcomes of the online stakeholder survey held in September-October for defining the coalition's priorities and the topics for the first year of the DC’s work programme will be presented and discussed. The workshop will then proceed to decide on the constitution of the Coalition’s Working Groups based on the outcome of this discussion of the survey results. The topics with the highest priority will be announced at this session and there will be the opportunity for additional Working Groups for addressing other issues to be established in 2021 – 2022.
To summarise, the following topics have been scored in the survey:
1) Security and standards by design;
2) Procurement and business case;
3) Human rights and consumer protection;
4) Skills and education;
5) Role of policymakers and regulators;
6) The creation of a global testing and reporting programme.
We welcome participants from all stakeholder groups to join the pre-event and the Coalition’s Working Groups that will be announced at this IGF. We will also encourage working methodologies that allow for liaisons to be established on behalf of specific stakeholder communities who would ensure their input is provided and taken into account, to distribute content, questions for consultation and outputs, and secure the necessary commitments to implementing the outcomes of the working groups.
To achieve success, many stakeholders will have to join who may not be familiar with the IGF, Internet governance and technical aspects of Internet standards. It will require concerted action from all involved to make sure that the level of participation is fully inclusive, that achievable goals are set, that the necessary work in support of these goals takes place, and most importantly to create and initiate a concrete action plan leading to effective universal implementation and deployment of security and safety-related standards.
The proposed management structure, role of the D.C.’s leadership and funding requirement will also be explained in the session. It will be emphasised that the success of the Coalition will be dependent on sufficient financial resources being sourced from participating stakeholders that will ensure that the leadership team is able to fulfil its role in providing strategic management oversight, supported by a small secretariat in order to coordinate and sustain a quite complex work programme that adheres to the goals of making the Internet more secure and safer for users, related timelines for the work programme and its key milestones.
A survey has been opened to prepare the workshop. Please join in. It is open until 7 October: DC-ISSS survey link