IGF 2021 – Day 0 – Event #47 Bringing practical tools to the global community to secure ICT supply chains

The following are the outputs of the captioning taken during an IGF virtual intervention. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid, but should not be treated as an authoritative record.



>> ARNAUD DECHOUX: I think we can start now.

>> KATERINA MEGAS: Sorry. This is Katerina. Before we get started ‑‑

(Video plays:)

>> We all live in a digital world. We all need it to be open and safe. We all want to trust.

>> And to be trusted.

>> We all despise control.

>> And desire freedom.

>> BOTH SPEAKERS: We are all united.

(End video.)

>> ANDREW DECHOUX: Hello, everyone. Can you hear me? Yes, I think you can. Thank you very much for joining our workshop, Bringing Practical Tools to the Global Community to Secure ICT Supply Chains.

This session is organized by GEODE, Cigref, Kaspersky as co‑chairs of the Paris Call Working Group, and by ORF America. My name is Andrew Dechoux. I'm Public Affairs Manager as Kaspersky. As you know, cyberattacks against ICT supply chains are massively increasing today. We've seen in the media recently various examples. To counter this threat, some good solutions have already been proposed and implemented in different regions. However, we lack a common response framework that's shared and implemented by every concerned stakeholder across the globe.

So the objective to this session is precisely to discuss the finding and get your feedback, your own fresh ideas, of the Working Group on ICT Supply Chain that was created within the Paris Call for Trust and Security in Cyberspace.

To kick off right away the session, I would like to give the floor to Henri Verdier, Ambassador for Digital Affairs of the French Ministry of Europe and Foreign Affairs.

It's a pre‑recorded video. And I will ask my colleague, Nastia, to start the broadcast if possible.

>> ANASTASIYA KAZAKOVA: Yes. In a second.

I hope you will be able to see this.

(Uncaptioned video plays:)

>> HENRI VERDIER: Dear all, I'm very happy to speak to you today for the Working Group of the Paris Call to Reinforce the Security of the ICT Supply Chain. Before entering into the substance, I first want to thank representatives from GEODE, Kaspersky, and Cigref for dedicating a lot of time, and Working Group 6 for bringing this report to life. I take this opportunity to address the commitment of the team.

As you know, the Paris Call has become the largest organization of its kind since its creation in 2018, with more than 1,200 supporters, in eight states, more than 700 private companies, across many sectors and organizations, from all regions of the world. The United States and the EU have announced that they have joined the Paris Call last November, which shows the appeal of the commitment, but the Paris Call is not just about the number of supporters. It's about how the supporters can come together and develop concrete results produced by Working Group 6, as well as the results prepared by the Paris Call's other groups, demonstrate that the commitment of this particular approach can produce substantial proposals to strengthen security in cyberspace. Here, I want to reiterate my thanks to GEODE, Kaspersky, and Cigref for their outstanding work on these reports and extend my thanks also to all the Paris Call supporters who were involved with the Working Groups.

I want to say that the report on strengthening the ICT Supply Chain Security is complete, and I invite all of you to read it on the website. It aims at showing factors of the success and failure in the implementation of the initiatives, as well as words of responsibilities of different stakeholder groups in achieving ICT Supply Chain Security. The report shows that firms have a major role to play in this, which has deep connection right from the inception, and there's important work to develop certification and develop regulation practices and risk analysis. Among many of the ideas these Working Groups propose is providing concrete and precise IDs to reinforce the ICT Supply Chain Security as well as cybersecurity as a way to analyze cybersecurity projects, for them to be certified.

The report also insists on the implementation of security by design and develop clear end‑of‑life policies on products.

We value cyber research on these matters.

I am deeply convinced that this Working Group did well on its mandate, to provide concrete tools to provide cybersecurity. The tools are there to be deciphered. Such as is the proposal, together with the 53 other states to establish a cyber program of action, which will be key to develop implementation, maintain progress on issues such as cyber capacity‑building, and to operate with logistical cooperation on cybersecurity issues.

Without further delay, I'm now leaving to the floor to the panelists and I thank you again for the ability to share my complete presentation and my happiness.

Thank you very much.

>> ARNAUD DECHOUX: Thank you, Ambassador Verdier.

We will now go to Arnaud Coustilliere for an introductory keynote. Mr. Coustilliere is President of the French Club for Cyber Excellence, and also a representative of the Cigref, an association of large companies involving digital transformation. As such, Mr. Coustilliere has been cochairing the Working Group over the last month. The floor is yours, Arnaud.

>> ARNAUD COUSTILLIERE: Hello. Good evening, everybody, dear friend. I am very proud to be here today.

I consider that some part of the digital law is today through common goods. 

When the same system is used by enough people, it is not only technology, but common goods, and for that security is essential.

In my work, I have dealt with the two faces of the digital world. One, to permit progress and development; also, to be protected against all sort of bad guys.

So with the confidence of the Cigref organization that gathers more than 150 French companies, that gives me the opportunity to coordinate with Kaspersky with this Working Group 6 on the supply chain. The current context of the situation leading to what if we do nothing today is cyberattacks will only increase each year. So capacity of cybercriminals is growing faster than the capacity of victims to protect themselves. The impact of the supply chain attacks was obviously increasing. The need for providing shifts for all actors, in view of the situation, secure and adequate roles and responsibilities, must be changed very quickly. This leads Cigref to set up a Multistakeholder Working Group on the subject within the framework of the Paris Call, with Kaspersky, GEODE, but also all the community of supporters of the Paris Call. Multistakeholders of the Paris Call will be advisors, with actors from different backgrounds, academics, users, Civil Society, organizations, including different demographics, and participants from North America, and representatives for Asia and Africa regions, so forth, for roles in the organization of the Working Group. The participants meet for much work over many months on the subject through several work areas. Today, we publish the report on the occasion of the Paris Peace Forum last 12 of November. The work is based on OECD work as a report of, essentially, digital security of projects and services published in February 2021.

So work was positioned in the line with that conclusion. You work refers to other existing initiatives, at the European level of the European Commission, as unity with labor as shown in your panel, of course.

The issues and challenges of securing the supply chain identified in the world, organized, transparency, and information‑sharing, management, responsibility of each actor in the digital chain, cooperation, and governments at national and international level, innovation, challenge of regulation, institutional political market, and economic dimension, technical also. So globally, here are a few of your recommendations for securing ICT supply chain.

We were from very different backgrounds but we managed to reach a consensus of the action to be implemented by actors. All actors have a key role to play. Everyone has to take a responsibility in this area. The Working Group created metrics of actions based off the main principle of the OECD's recommendation and the analysis of the current situation.

We need to have regulatory operation and to organize this to avoid fragmentation. This is the case in particular with regard to product certification. It is necessary to develop products so that they can be effective over time and adapt to change. Other actions are incentive for responsible behavior on both the supply and demand side, and further improving the digital supply chain by the public and private sectors.

We took as a course for everyone to take effective responsibility from governments, national, and especially international regulatory bodies, project and service providers. We must implement security by design practice and respect common security standards. Finally, it is a big challenge. Cigref has a call for the development of a cyberspace law with a dedicated governance, like convention of the law, but in a digital world we do not have 300 years to define this international law. We have only very few number of years. Thank you very much for your attention.

>> ARNAUD DECHOUX: Thank you very much, Arnaud, for this introduction and sharing your experience.

The session will be divided into two parts. For the first part, we want to propose you to dig into the findings of the Working Group that we just mentioned. So I will give the floor to my colleague Anastasiya Kazakova, Senior Public Affairs Manager at Kaspersky in charge of cyber diplomacy. She will give the interview of Aude Gery, Postdoctoral Fellow at GEODE and coauthor of the report. Ladies, the floor is yours.

>> ANASTASIYA KAZAKOVA: Thank you so much, Arnaud. I'm actually right now a little bit sad I'm not in Poland because you look really, really nice in the room with lots of professional lighting. It's really good to see everyone here.

I've been also part of the Working Group but the idea of presenting the results we wanted to actually highlight what you need to learn from the Working Group 6. It's quite lengthy. We know everyone definitely has lots to read and lots of documents to digest, but today our task would be in 22 minutes to share the key outlines and the key ideas that we worked in, with lots of the organizations, one of the organizations, represented in different regions and different backgrounds. I'm really happy to ask all these questions to Aude, right now, as a sort of neutral interviewer. And there will be many opportunities to discuss ideas we didn't have the opportunity to discuss in the past. My first question would be to describe the Working Group 6 and the final report in three bullet points, what would be those key statements in bullet points? What do you think, Aude?

>> AUDE GERY: Thanks, Anastasiya. Hi, everyone. It's a pleasure to see those who I don't know and meet those who I don't know. Unfortunately, I wasn't able to come to Poland, but it's so great to be able to convene, even if it's only on Zoom. To answer your question, Anastasiya, maybe I would say, in one word, that was awesome.

What we did in the Working Group was really try to not replicate all the amazing work that's already been done. The report, we have someone on here from that previously, and I'm sure he will share more information about this, and our main goal was not to duplicate existing and ongoing work, but to build on this work and try to close what I would call the fragmentation gap. I think, you know, we were fairly successful in doing so, whether it was on the three different work streams, that I'm sure we will go through later, of the Working Group. Because we truly wanted to, you know, show that many existing frameworks, there are many existing frameworks, that we need more harmonization and conversion between all different actors and we also wanted to provide guidelines to all of us that are involved in one way or another in ICT cybersecurity. To do this thing, we didn't want to provide more recommendations on what to do concretely. This has already been done in many different frameworks, but we wanted to help the different stakeholders identify what should be done at different levels and different concrete actions. That was the last part of one of the areas stakeholder groups gap, and I think, again, we managed to do that.

>> ANASTASIYA KAZAKOVA: Thank you so much, Aude. It's refreshing to not only hear you today, but actually hearing what you think being also part of the unique position to provide analytical support to both organizations coming from different backgrounds, but it was really, really a good and interesting answer to this first question.

You were really good at highlighting ICT Supply Chain Security is getting to be a really hot topic, if I could even say so, especially since the late security events that triggered the wider industry and government's intentions to Supply Chain Security. There are lots of initiatives in different lenses going on in different parts of the world. If you had to speak about the results of the Working Group 6 and the report, why should we first want to learn about this report? What are the key results that we actually as future readers, readers and recipients, need to take in mind while opening this report?

>> AUDE GERY: Well, there are a lot of things to learn from the report. The first thing maybe is that a lot of things exist. There are a lot of ICT Supply Chain Security frameworks. Some are on the, you know, led by states and some are private partnerships and some are initiatives from the private sector or non‑profit organizations or Civil Society, but there are a lot of things out there. And if you really want to try to work on that and to improve the security of the supply chain, then there are many different frameworks you can go to. That's the first thing. So we have a profusion of provisions, of recommendations.

The second point is that we have a lot of things, but they are so widespread. And it's a bit hard to know exactly what to do. And I think whether we look at regulatory frameworks or public/private frameworks, in many cases what we saw in when we did the mapping of our work, when we studied all these different frameworks, that there is a lack of information about what to do exactly, to who should we go if you have any questions, and so one of the biggest ‑‑ one of the main points that I would recall is that I would take from this work is a lot of things has to do about raising awareness. And it's not only about raising awareness on the topic of ICT Supply Chain Security and how important it is, but it's also about raising awareness on what are the legal obligations, what are the recommendations, who are the ‑‑ what are the designated and companion services that deal with this issue. So it needs to be more transparent and clearer so everybody can play their role in securing ICT Supply Chain Security. Another point that really strikes me, and I knew about that, but working, doing the work on the action, the metrics of the action areas, is that we are all responsible. When you look at the three cochairs of the Working Group, you have a company on the supply side, you have a non‑profit organization convening users, and you have an academic. We couldn't ‑‑ we couldn't be more different. But we all have a role to play if we want to ensure ICT Supply Chain Security.

And if one of us, I would say, it's of course broader than just the three of us, doesn't play its part, then it collapses. And I think the metrics at the end of the report really shows that, you know, we can ask states to do more. We can ask private companies and especially on the supply side to do more. Users also have a role. And the demand side also has a role. International organizations also have a role. And so we all need to work together and, again, I think it shows that we must work all together.

So that would be the three main points that I would take from the report.

>> ANASTASIYA KAZAKOVA: I really, really like this perspective, because indeed calling for participation and discussion, this actually presumes quite a huge responsibility to be open, to stay open, to hear lots of the different diverse views with where you can actually probably wouldn't agree with everyone, but it's really important to hear everyone in the room and the Working Group 6, I also remember, working on the accountability metrics which we initially frame it but then decided to make it softer and I was among those people who actually called it to make it a little bit softer too because we understood there would be so many different views in the ICT Supply Chain Security to understand who is actually the most accountable or responsible to increase the security of products that we all increasingly rely on. So it was a really good point.

The next question, which I really would like to highlight, because this is something that is really important for us as a company, it's about the fragmentation. It's really important to many users. How to still make sure that we would continue to consume the globally produced technology, and while we see different emerging regulatory and industry approaches to regulate and secure technology, how to make sure they will not be so much fragmented and, thus, would actually place the further burden on the user's shoulders. How do you see this risk coming from the academia, from the Civil Society perspective?

>> AUDE GERY: Well, I would say that, you know, to be honest, we don't want to think about how difficult it might be for the private sector to navigate within all these different legislations. If we don't have a strong ICT Supply Chain Security, it's the resilience of our societies that is being threatened. So it's not just about providing legal security, also, for companies, for the supply side. It's really about ‑‑ it's broader than that. And it is a big emergency and social and economic requirements and emergency that we're facing today.

So now, I would say two different things to answer your questions. The first one is a lack of transparency and access to the legislation. I remember I think it was my first or second day at law school, we had this course on the introduction to what is main principles, and one of the first things they tell you is about access to the legislation. And I mean whatever the subject, it's so difficult to access the legislation and to know exactly what your obligations are. So even before, you know, starting, thinking about a new regulation or harmonization across different regulations, it is the responsibility of the state to make clear that all who are secured by cybersecurity know what their obligations are, know about all the good practices. So it would first be about transparency. The second thing would be about harmonization between different legislation. I mention the fragmentation and the impact of fragmentation on international peace and security. If we have definite levels of requirements, then we might have less security in the ICT supply chain so it is again our Civil Societies that would be threatened. States need to work at the international level to improve that. We see the OACD is conducting great work on this but they're not convening states across the world. What we can hope for is that once they produce some guidelines and recommend concrete recommendations for states, they will be implemented by member states at the OACD and it will have some kind of broader effects on nonmember states. So all states grow together in this matter.

>> ANASTASIYA KAZAKOVA: Thank you, Aude. Probably the last and final question is about the action areas, which you already touched on. So definitely industry that produces technology have lots of the responsibility and a huge role to contribute to the secure, greater security of the product. We also discussed about the role of the governments, helping enforcing and clarifying the institutional framework, and that can be legal landscape also more transparent and understandable to the agents. What about the users? Sometimes it's getting more and more often that a user also plays a role in making sure that supply chains, the security, with less security impact on others, because users are the ones who may apply the patches. The users actually need to follow the exact functionality of the product and do not use it in some unusual functionality where the vulnerabilities might be exploited. How do you see this balance of different stakeholders? And what's the role for the end users in this accountability or the action areas metrics?

>> AUDE GERY: Well, of course, I think the suppliers play a super important role in ICT Supply Chain Security. I think that they have the power to connect, because of their products and services that they are providing, they have the power to connect the world to make businesses, to make activities going on, even in time of a pandemic, as we saw last year. And this is a huge power. And with huge power comes great responsibility. And I like the phrase because I think it tells everything that the supply side has a responsibility, I cannot just say, well, you know, the minimum, and, yeah, well, whatever, end users don't do what they have to do, don't patch their system; it's their fault. No, it's not. I mean we hear but we all know people who are not good with computers and who don't even know what a patch is. So even if users have a responsibility, the demand side has a greater responsibility. Now, when it comes to mainstream users, I feel I would say stupid about saying that but it's about raising awareness and education. We see in our respective states how cybersecurity issues are getting to school, I would say, getting into school. I think we need to do more so when, you know, for example, our Chrome browser tells us we have to update that we don't just wait three or five days and we saw that and we feel, oh, no, I'm doing something else. No, it takes one minute to do so. So it's about getting some new habits and I think it's coming with times and education and raising awareness.

>> ANASTASIYA KAZAKOVA: Thank you so much. I hope briefly we managed to actually characterize what we have done for the past six months. I think it was quite challenging, actually, to keep everyone motivated and stay actually interested in this cause and the policy gaps and supply chain security and produce this final support.

Thank you very much, Andreas, for sharing the links. We encourage everyone to get in touch if you have any disagreement or interesting feedback. We really think the work on Supply Chain Security will obviously continue the next year and there's a lot to discuss all together.

But now we move to the next part.

And I'm really happy now to introduce all of the other speakers. We move into the roundtable discussion to answer probably quite challenging and hopefully interesting questions. Are we losing the fight against ICT supply chain threats or not?

And we are really honored to have with us the four speakers, again, representing diverse backgrounds and diverse regions. First of all, Jonas Gratz, Deputy Head of Policy Planning, Federal Department of Foreign Affairs, in Switzerland. Katerina Megas, Program Manager of Cybersecurity for Internet of Things at the U.S. National Institute of Standards and Technology. May‑Ann Lim, Executive Director at Asia Cloud Computing Association. And Andreas Kuehn, who is Senior Fellow of cybersecurity cooperation initiative at Observer Research Foundation America. And Andreas and May‑Ann have been among the most active contributors to the report. I'm really happy to provide the floor to each of the speakers to share a little bit more about their background and what they do, and then we'll move into the discussion right afterwards. Jonas, the floor is yours.

>> JONAS GRATZ: Thank you. Thank you to all the Working Group 6 team for inviting me to this important event and I'm also happy to see that a few people have actually found the room in this beautifully lighted and lighted‑up IGF in Katowice. It's really a pity to see that COVID‑19 is, again, kind of, yeah, not helping the physical attendance and how much of effort has gone into preparation of this room. Once again, I would to say, I think last year it was planned in Poland as well.

Thanks for giving me the floor.

Well, I am representing here the Geneva Dialogue which is an initiative that the Swiss Federal Department of Foreign Affairs helped develop, and we have been happy to participate in this Working Group since we gather about 20 industry representatives. It's industry only. And we try to, in our dialogue, we try to do a similar thing, focused really on the industry to see where there's a common ground among the global players and Kaspersky is also one of them for enhancing Supply Chain Security and security by design.

We also have the OACD as a frame of reference. We have many commonalities and really happy to discuss the report today that you've laid out for us this afternoon. Thanks so much.

>> ANASTASIYA KAZAKOVA: Thank you, Jonas. We'll definitely speak more about the Geneva Dialogue today, and I would like to go to Katerina to share about the work that's especially being currently done and under the progress within the U.S. NIST.

>> KATERINA MEGAS: Thank you. Let me pull up some slides. Okay. It's not working. It says the host has disabled the screen sharing.

So I'll just go ahead and proceed then without slides and just give a little background.

Oh. Thank you, Arnaud. Fantastic.

So ‑‑ thank you very much for giving me the opportunity to address this group. I do have to say before I jump into my slides the subject of fragmentation is something that has been coming up since the very beginning of the program when we started it five years ago. So I can appreciate the challenge and I do want to say I think we all recognize it and it's definitely a goal we should all be working towards. So very quickly, for those of you that don't know, I just wanted to give a little bit of background on NIST. We are a non‑regulatory agency in the U.S. We are the technical arm in the U.S. Department of Commerce. So our job is really to work very closely with our stakeholders, primarily with private industry, but also international as well. And ensure that there is trust in information technology, and that we can advance this through things like standards.

And ensure the economic security and improve the quality of life of our citizens.

The one area that I do like to highlight that the role of NIST is slightly different is the work that we play within the U.S. federal government and in information security or in the cybersecurity space where there is legislation that has required U.S. federal agencies to follow NIST guidance when it comes to guidelines around the security of federal information systems.

So often, we have a slightly different role when it comes to cybersecurity, because of the inherent role that we have with the U.S. federal government agencies.

So I do want to show the breadth of the work. There's no way I can talk about all the work we do at NIST here in support of ICT cybersecurity. My job as the cybersecurity Program Manager is not to talk about our one‑off perhaps projects, but represent the entire work across NIST and as you'll see we have work that we're doing in everything from smart cities to health care, where we are looking at connected technologies in the health care setting. We're looking at connected technologies in a smart city setting. We do work in very early research areas. We're looking at things like light‑weight crypto. Which while we're not looking at light‑weight crypto only for purposes of IRT cybersecurity, it obviously does contribute to things like IRT cybersecurity. And we also have other areas of work as well that are complementary such as the privacy framework that was recently developed at NIST working very closely in partnership with our stakeholders and U.S. industry. Next slide.

So I won't talk about these too much because I actually think a lot of these subjects will come up during our conversation today. But very early on in the program we listened to stakeholders and we, before embarking on developing any sort of guidelines or guidance we wanted to understand what should be the guiding principles that should guide our work. We came up with these five principles which we think still hold true today. One is we believe all work needs to be based on an understanding of risk. This is due to the nature of IoT devices but also the contextual risk when you think about an IoT device. A lot of the risk involved in the IoT space is not just dependent on the device but really on how that device is being used. Second of all, we believe it's an ecosystem of things. While there's a lot of discussion around the importance of the devices, the devices are often part of a system and a system of systems, and larger ecosystems.

Addressing cybersecurity cannot be addressed just through the device.

Third of all, one size will not fit all.

Fourth, we believe all work should be done at an outcome‑based approach. That's due to the fact that this is a rapidly emerging landscape. Threats are changing over time. We want to allow for diversity of devices and approaches and allow stakeholders to choose the right approach for them.

And of course, we need to engage with stakeholders.

Next slide.

So I realize that you are looking at the broad topic of supply chain here. I apologize. My focus is really on IoT devices, but I do understand that IOC products and devices often do play an integral part in securing the ICT supply chain. You'll forgive me if I have a very narrow focus, but I wanted to give you a little bit of sense of the policy landscape that's been happening in the U.S., as well as give you an understanding of the work that we've been doing at NIST in support of these policy drivers.

So Executive Order 13800 was signed by the President back in 2017. And the intent of Executive Order 13800 was looking at the botnet threat. One of the interesting things that the Department of Commerce and Department of Homeland Security worked together to deliver to the White House was identifying the critical role that IoT devices actually played in the broader botnet threat. One of the recommendations that went to the White House was to develop a baseline and ensure that there's a marketplace of more secure devices. In response to this, NIST took on the role of developing and recommending what we call a core baseline, which is a core set of recommendations for IoT devices.

It is not just a single core baseline that is intended to fit all devices. We recognize that consumer devices are going to have a different need than industrial. We even recognize that the U.S. federal government may have a different risk profile and a different need, but a core baseline was intended to represent a good starting point for all IoT devices regardless of market.

So this was released in 2019. This was released in the draft of NISTIR 8259, 8259A and 8259B. Those are seen quite a bit of alignment internationally. It's very interesting when we look at our work, while perhaps there isn't absolute harmonization, there's a lot of interoperability, you can tell when you look at these, there's quite a bit of commonality that we see with some of our other peers across the world that we work with over time.

Another interesting policy driver was the Cyberspace Solarium Commission Report that was released. This was an independent commission stood up and directed by U.S. Congress. And the Cyberspace Solarium Commission, looking at the broad space of cyberspace and how can we ensure the security of cyberspace, identified some actions around IoT devices as well. I won't go into too much detail there but there are recommendations there that have been made to U.S. Congress that have made their way into legislation.

Another thing that you ‑‑ I think is interesting that a kind of policy driver on the U.S. side was the IoT Cybersecurity Improvement Act of 2020. That is a law passed right at the end of 2020 and the intent of the IoT Cybersecurity Improvement Act of 2020 was really to leverage the U.S. federal government and leverage the purchasing power of the U.S. federal government and establish a minimum for IoT devices that the U.S. federal government agencies procure. And thereby kind of lifting all boats by hopefully driving demand for better IoT devices, but also to kind of set the example and lead by example. We just recently last week completed our tasking under the IoT Cybersecurity Improvement Act and we published what is the mandatory guidelines for federal agencies. It's special publication 800‑213 and 800‑213A. Both of these publications are mandatory for federal agencies. The federal acquisition regulations will be updated to ensure that federal agencies can only procure devices that meet the minimum guidelines in 800‑213.

The last thing I might like to mention that might be interesting to this group is the more repeat executive order, 14‑0‑28 which directed NIST, amongst many, many things, and you're probably familiar with the other parts of the executive order which are very focused on supply chain, but the piece I'm most focused on and most familiar with are the pieces looking at a cybersecurity label for consumer IoT products. We've released a number of white papers. We actually released a white paper just late last week, and we will be hosting a workshop, but the intent is in February we will be putting out a recommendation for a award towards a cybersecurity label for consumer IoT devices. That's it. Thank you very much. Looking forward to the conversation.

>> ANASTASIYA KAZAKOVA: Thank you so much, Katerina. I think now what could be the key to harmonization globally if you manage as a government to harmonize all those different pieces at least domestically, right now, it's complex, coming from the industry, I didn't know about many of those pieces of legislation that you actually mentioned. Super interesting. Thank you. I'd like to pass the floor to May‑Ann, also sharing a little bit more about the background of the Asia Cloud Computing Association, and May‑Ann, we're expecting to hear a lot about the Asian approach to the ICT cybersecurity.

>> MAY-ANN LIM: Thank you. Welcome, everybody, to IGF. It's a little bit late here in Asia, past midnight where I am. If you're dialing in from the Asia time zone or even Australia, hi. I feel your pain. For us in Asia‑Pacific, I think what's been happening with the cybersecurity and the supply chain, I completely agree with everything that's been said before. We're observing a lot of the same trends and issues, the same issues with fragmentation have always been coming up, over and over and over again. And like it or not, I'm probably going to say something which is not going to be very popular with the Asia side of things, but we tend to be price‑takers when it comes to a lot of the discussions on cybersecurity, not because of anything but it's really because sometimes the products and other services are actually being developed elsewhere. And we tend to be following along the trends of fragmentation and those issues. However, some of the other issues where we aren't really price takers, I'm in Singapore, I am Singaporean, a lot of discussions right now by the Singapore government, talking about trust mechanism, I think everybody has heard about the CLS, it's always held up as an industry standard, and it actually works, and we're very proud of it. And for somebody who lives through the days of the modem having a little sticker on there, it's very visceral because you see a little sticker on there and there's lots of things happening. However, this does not exempt us from the second problem, where you're seeing a lot of the problems of the consumer end being that weakest link in the security of everything. The consumer is ‑‑ I always use my mother as an example of this. My mother, her idea of cybersecurity is, oh, mommy, you can't put the password to your email on a post‑it and stick it on your desktop computer. You have to have a better security. She says, okay, okay, sure, no problem, no problem. Next time I go and visit her, she says, May‑Ann, May‑Ann, I have better cybersecurity now. Okay. Tell me. I go to her table and it's clean, no more Post‑it notes. She says, let me tell you where my password is. It's underneath the keyboard now. I say, okay, mommy, that's not exactly the way to increase your cybersecurity, but we have those issues. So fragmentation, consumer side of things, price takers, or not, are some of the trends we're seeing. Other trends we're seeing are actually quite positive things. I think there's a lot more collaborations and data sharing happening between certs, that as a regional organization, we have always had these drills, the asset drills between the search where you basically have a massive cyber drill together and this has definitely got to do a lot with trying to increase the cybersecurity awareness of the certs within the region. I think a lot of that had been working. I do think there is a lot of hope that there are ‑‑ that there's going to be more inclusive in the cybersecurity sort of supply chain, cybersecurity supply chain discussions, and cybersecurity discussions writ large. I do know a lot of companies are starting to move their cybersecurity monitoring features, for example, Cisco, as well as Microsoft, I know there are different zones which are now following the sun. They're actually having a lot of the cybersecurity training as well as monitoring being put within Asia and all the way to the Western countries as well.

That's all really, really good. That's some of the trends we're seeing. I do think later on in the discussion we'll be able to have a little bit of a chat about what's going to happen in the future. So I'll take a pause there. But that's what we're seeing from the Asia‑Pacific side of things.

If you're seeing something different or you have something to ask me about Asia‑Pacific, please feel free to ask. Drop it in the chat or just ‑‑ I think drop it in the chat is the only way to do that. Please drop it in the chat and we'll have a little bit of a chat about it. Back to you.

>> ANASTASIYA KAZAKOVA: Thank you so much. Actually, also bringing another interesting perspective to hear is Andreas Kuehn. From the Civil Society/policy background. I know Andreas has done lots of interesting things in the past but it will be great to hear from you directly, about your background and interest in cybersecurity.

>> ANDREAS KUEHN: Sure. Happy to. Thank you. Hello, everyone. It's my pleasure to be here today. I'm Andreas Kuehn, a Senior Fellow at the Observer Research Foundation America. I have a broad portfolio spanning supply chain security, IoT, cyber norms, cyber independence, systemic risk, it all comes really nicely together in the field of supply chain. I think that's why I'm here.

It's also I think another reason why this is actually not the first time but actually the third time where we're organizing a workshop at the IGF to talk about Supply Chain Security.

Over the years, those aspects have changed a little bit, with different audiences, with different emphasis. But I'm very pleased that this important topic continues to resonate with the IGF community, not only because I think it has become more prevalent during COVID‑19 and now everyone is talking about supply chain, but I think you also recall in our earlier conversation that we might have found it kind of challenging to think about how Supply Chain Security kind of connects to a more narrow definition of internet governance. Again, I'm glad we're hear and having this conversation. At the same time, I'll keep my introductory remarks shorter, but I want to obviously thank you, everyone, online as well as offline, for coming here and being part of this conversation, to all speakers as well as all my co‑organizers, but especially Ambassador Verdier and Arnaud Coustilliere for graciously agreeing and making opening remarks here.

In the interest of time, I'll stop here, and I'm very much looking forward to the more substantive conversation today. Thank you.

>> ANASTASIYA KAZAKOVA: Thank you so much. We have today for the discussion to whether we're losing the fight against supply chain threats or not, the key discussion we would like to discuss with all four speakers. Those blocks include digging a little bit deeper how the policies are being developed and how they're being implemented and what key ingredients that could make them work, and the way forward. A little bit reflecting about the future of scenarios over the next year.

I'd like to pass the microphone first to Jonas, keeping the focus on the Geneva Dialogue, a unique perspective of the government and how Civil Society and foundations and lots of industry partners being able for the second year actually to discuss lots of their really good food for thought on ensuring security of digital products. Jonas, in development and policies and approaches to secure digital approaches, including IoT and smart devices, what are the key important factors to consider and make them really effective with those policies in the future?

>> JONAS GRATZ: Thanks so much, to you and all the speakers, really, for their interesting perspectives and thanks to Katerina from NIST for giving us her time line which is really intriguing to see, because we have been in the Geneva Dialogue we have been approaching it from the industry side and we often ask ourselves, okay, what is really out there in terms of regulation that would guide us? It seems in the U.S. you really have some parts, at least in the IoT fields, you really have some parts already in place. And it's good to hear also that others are following this advice so that we don't see a really fragmented landscape worldwide.

So when developing policies, well, we have been approaching it in Geneva Dialogue on responsible behavior in cyberspace from the producer side for the last two years. We had, I think, it's 35 meetings all virtual due to the pandemic, where we were discussing how producers really can make an impact on the enhanced security of the supply chain and one of the crucial aspects that we have identified and which is also in the Paris Call report was the security by design, and then also other aspects like vulnerability disclosure and now, lastly, we have been discussing a lot also key concepts such as the software of available materials to increase transparency to really know what is in a product. Which has also I think been developed by NIST and NTIA in the U.S., these concepts. So I think when you look at developing policies, one of the key factors for effectiveness is, of course, that you need to get the main actors on board and this is always, always a challenge. Also, in the software field you have the open source community which we still didn't get a clue how to, for example, improve the practices in the open source community. If you think about software, available materials, how do you want to implement this concept with the open source communities? That's still an open question.

And we've also been looking in the Geneva Dialogue, as I says in the beginning a bit, at the regulatory field. Recently we've been commissioning a study by the Swiss federal Institute for technology and they've been looking at regulatory approaches for digital security of products. And here, when it comes to the government side, so not the producer side, but the government side, they have been ‑‑ we have identified three different, I think, challenges when developing policy. The first challenge that's been identified is the cost of compliance, which is why many governments also are considering measures such as voluntary certification, labeling schemes, which are entirely voluntary, also baseline requirements which are not put into law but more like, yeah, like help for producers to orient themselves towards them. One of the key issues is the cost of compliance, which is, if you want, slowing down broad development of policies for more cybersecurity because you don't want to destroy the existing ecosystem of product development which is making us more efficient in a way, but it also has costs in terms of security.

Second factor is also how to keep track with the current development and Geneva Dialogue we had an event which a standardization organization which also plays a crucial role in making the environment more secure because ideally everyone would, all the regulators would use international standards, but what we heard from the organizations is also at an international level is they have difficulty in keeping track with the current technological developments. So you need really agile and adaptable risk‑based standards, as Katerina has also told us recently. You cannot have one size fits all but you really need risk‑based approach and we need to evolve with the threat landscape. It needs to be based on accurate threat modeling. Those are all challenging we have identified in the framework of the Geneva Dialogue that make it so difficult to develop the right policies at the right time, and also at the global level. Because what we want to avoid in the end is to have a fragmentation of different regulatory regimes, which would, as was also pointed out, one of the challenges is also, I think, Aude in the beginning said, one of the challenges is transparency about the requirements and often producers don't really know what requirements are in place in one marketplace or how they will be applied in the end, how the conformity assessment will be made, if there's a mandatory standard in place, a mandatory regulation.

So I think this is also a key to keep in mind in the event that we need a level playing field globally. Here, I think there's much more work to be done. Thank you.

>> ANASTASIYA KAZAKOVA: Thank you so much, Jonas, for a really structured view. Katerina, what do you think in your perspective, what are the key principles in designing those emerging government and industry approaches to ensure the security of digital products?

>> KATERINA MEGAS: Of course, I agree with everything Jonas said as well. Again, every time I attend these events, I always feel very vindicated because I hear echoes of things I've been thinking and things we've discovered over time. I think one thing I would characterize is very early on, especially once we started working and focusing kind of on the supplier and the producer of IoT devices, is there was this inherent tension between the market that wants predictability and wants to have, you know, for lack of a better term, a check list, and have a predictable outcome and say, "If I do the following things, then I know that I won't get in trouble or if something does happen I won't be held liable." At the same time, because of everything I talked about earlier, and the complexity behind IoT devices and how each IoT device has different capabilities, you know, if some have actuators they can affect the physical world. If that actuator is actually integrated with perhaps some sort of algorithm on the back end that allows for automated action to be taken, then you have the ability for a much higher risk sort of transaction to occur where you have the sensor connecting to an algorithm, connecting to an actuator. So we struggled quite a bit with understanding how can we balance this natural tension between the market wanting predictability and, again, understanding that everything needs to be done in a risk‑based approach? So we combined that in what we came up with is our core baseline, which is our recommendations, but that is embedded within a recommendation that you follow a process and that you do evaluate risks and threats and you do do some things like threat modeling. You do some things like understand who is your ‑‑ what is the anticipated maturity of your user? What can you really expect of the consumer or the user or the customer to actually do with this?

Again, we don't think security can be a check list.

I would think the second trend I think we've really embraced, and again I go back to those principles, is that we think everything needs to be outcome‑based and especially when you're talking about trying to establish guidelines that are intended to have broad applicability. We really try to steer away from getting very prescriptive and trying to tell manufacturers or organizations exactly what to do. We think it's much better to say, "This is the outcome we recommend you achieve," and allow the marketplace, allow the manufacturer, to work within SDOs and work with each other and develop standards to actually achieve those outcomes. Because we think that standards can actually evolve much faster. So it's more likely that you will be able to meet the emerging threats. It's more likely as well that you will have a marketplace of standards. We don't think there's going to be one standard to rule them all. We think it's good to have multiple standards so that there's many ways that a manufacturer can pick and say, "This is how I'm going to achieve the outcome." Or it can even be the customer who looks at the standard and says, for my environment, I need this sort of standard to fit with the rest of my system.

The other thing is, you know, transparency. I completely agree the transparency of something is very important. I think one thing we're really considering as we move forward, the way we worked in our program is we started out looking at the enterprise use case. We said, our role is to ensure that the U.S. federal government has guidelines around security. So we approached it from a sense of saying an enterprise customer has tools, certain levels of maturity, can control many things within their environment, and therefore the customer, in this case the U.S. federal government, or any sort of enterprise, can look at what is this device providing. Right? What is this supplier giving me in terms of cybersecurity capabilities? In terms of documentation? What can they tell me about my vulnerability processes? And each organization can make both a risk‑based decision and can also look at their tools and say, based on the tools that I have, I can or cannot make use of these capabilities that are offered in the IoT device. I think as you move down the spectrum towards the consumer, you know, one of the things we're looking at, and we've invited feedback on from our stakeholders, is ‑‑ and something we keep hearing, actually, quite loudly, from the consumer who is the customer at home, you cannot have that same expectation of what sort of maturity they have. So transparency may mean something very different for the home consumer versus the enterprise consumer.

I can probably go on as well. We have what we developed early on at NIST called the CPS framework which is looking at the cyber physical system perspective. And very early on, the cyber physical system framework talked about the inherent trade‑off. Sometimes there are trade‑offs. Sometimes they complementary support each other. But there's cybersecurity which we're talking about here, but there is an inherent relationship with safety. Sometimes cybersecurity supports safety. Sometimes cybersecurity can get in the way of safety. And depending on how you implement cybersecurity it can impact and cause physical harm. Same thing with privacy. There's an inherent tension sometimes because cybersecurity and privacy. Cybersecurity supports privacy. But sometimes you will say to achieve the optimal outcome, from a cybersecurity perspective, we may do something that depending on the situation and how it's being used could have, what some people call, privacy negative outcomes.

And there's other areas. Resilience. Reliability. And I'm sure if you build IoT devices, or if you use them in an enterprise scenario, you also say, well, I own a factory and the most important thing to me is that those devices are, let's say, those devices are reliable, because I need to keep my factory up and running. Whereas, perhaps, if you're a hospital, you're number one priority may be safety. You may say between those five things safety is the most important for me. And I'd be happier to perhaps sacrifice something somewhere else, maybe privacy, but I need to ensure that I keep people safe. I'm not saying that's the case, but I'm just trying to illustrate the different examples. I think we have a complicated ‑‑ I'm infamous for saying on my LinkedIn posts, it's complicated, when people ask me a question. There's not a silver bullet. If there was, I'd be out of a job now, but it's complicated and I think the policy needs to strike a balance between allowing that flexibility because it is complicated, while trying to be prescriptive, so you can have kind of a predictable outcome. Thank you.

>> ANASTASIYA KAZAKOVA: Thank you so much for actually massively covering different aspects. You highlighted the complexity of devices and also the different configurations of end users use that IoT devices, be it end users or enterprises, their approaches to ensure the security will be also slightly different. And it's good that we probability getting more and more clear about this differing approaches, as an initiative, definitely for the enterprises, but it might have little efficiency communicated just to end users, like myself, with the IoT products. Definitely, there should be different and creative approaches tackling this with the security of products.

May‑Ann, I'm coming to you right now, covering the perspective of the Asia‑Pacific again, because we also know that Asia‑Pacific being traditionally the region for manufacturing lots of the IoT devices. So it's really also important to make sure we're somehow aligned in understanding how to secure products.

>> MAY-ANN LIM: I like what Katerina has said, the idea of "it's complicated." I think it's very, very complicated. And indeed, I feel that there needs to be a little bit ‑‑ there needs to be more learning of how to balance. So Katerina mentioned that it is a balance. But the question is always how do you balance? Because a lot of the discussions that I have been having about Supply Chain Security, about cybersecurity, have really been about what's your risk profile? Because the question always fits back to the person asking it. They say, oh, I need to have the most security A, B, C, D, E, F, G. Okay. That's fine. You need to have the most secure whatever it is. But what's your risk profile? And also, what's your budget? Because there are different ways to secure things. You can want to have the most secure whatever it is, but if you don't have the budget for it, it's kind of moot point talking about it. That idea of risk profile, balancing all the different factors, I think we need to have a little bit more of a discussion of how do you actually start to balance all these things. And I think this is where the report actually starts to put the framework to that discussion, the report that has just been launched. If you have a little bit of a look at it, if you're tired of reading through the whole entire thing, just scroll through and look for the pictures and the diagrams. There's lots of nice diagrams there that will show you the balances there. Thank you so much for those people who were working on that. So I feel in Asia, that's what I'm seeing. I don't think it's an Asian discussion, by the way. I think it's an everybody discussion. How do you balance it? It's not a zero sum game. It's not a zero sum game. It's not saying you're either going to have total security or you're not going to have security. It's going to be a balance you want to make. That's one thing which I want to point out and something I'm seeing and conversations I'm having. Another conversation I think needs to be put into perspective and I haven't heard it raised so far is the idea of trust. Trust mechanisms. We had a little bit of discussion about it, because we are talking about cybersecurity labeling schemes. We're talking about certification. But I think we need to have a little bit more discussion of how do you develop, for example, trusted trading partners in a systematic manner? I think we're trying to make sure the supply chain is safe. We're trying to make sure that there are trusted products, trusted whatever it is, but the thing is they balance here between the geo politics versus economics and businesses. Private companies and governments need to understand and manage this perception and the reality. So the idea of the transparency and trusted mechanisms, I think we'll need to be starting to discuss what is that mix of independence and interdependence that needs to come alongside everything? Because again, it's not a zero sum game. Again, we have to balance everything. This is not just for consumers or businesses which are trying to make decisions on equipment. But it's also a whole of the ecosystem approach. How are you going to create a trusted ecosystem where you'll be able to check and balance some of the risks that you're going to be seeing here? I don't have all the answers. Again, this is not a very uniquely ‑‑ it's not a unique to Asia issue. But there are a lot of questions here. And there are a lot more questions than there are answers. I do think that there are, again, coming back to Katerina, sorry, Katerina, I just texted her privately, I'm a big nerd fan of NIST, I think the idea of multitude and fragmentation of many, many certifications is going to be the way to go. The other thing which I think needs to be done that I see at least from the Asian side of things, I feel that governments need to make certification more accessible to people who are a little bit more at risk. I'm not talking about consumers. Because that's one very unique group of people. My mother notwithstanding, but my mother being one of the examples of that. Small and medium enterprises may often want to have ‑‑ may actually be available and they have the ability to have a lot of innovation coming up from them, but they may not be able to access the cybersecurity and security technical specifications. Maybe they want to but sometimes it's really expensive and if you're a small or medium enterprise you may not want to do that. Now, there's ISO and EEE, there's technical specifications that can be purchased, but leaving that aside, I think governments within my region, and I'm happy to be chatting with you about your other regions as well, but I feel like governments within Asia may want to try and make those standards a little bit more accessible. One example is within Singapore I do know we actually buy or we're given complimentary copies of the standard document. It's a physical copy. It's thrown into the library. And Singapore is quite small so a visit to the library isn't that far away, but it makes that certification actually very, very accessible to small and medium enterprises. Is that a way for that to be systemically available for small and medium enterprises? That's one way. So that idea of building that transparency and building the accessibility, I think those are two things that I would contribute to the discussion at this point in time.

>> ANASTASIYA KAZAKOVA: Thank you so much. Again, focus on the complexity of IT devices, it's one of the challenges.

I think also we touch here the second question, the challenge that the small and medium enterprises as well, both as suppliers as well as the consumers. But I also would like to provide the floor to Andreas, also who is among the builders of the report in the past, so maybe share your perspective on that. So Andreas, what do you think would be the key principle in designing industry and regulatory approaches?

>> ANDREAS KUEHN: That's a very good question. I obviously don't want to repeat some of the really good remarks my colleagues already made earlier. I have to say I agree with most of them. I think I would push back a little bit on the fragmentation and the cost of compliance arguments. Maybe we can come up with that and discuss that a little bit later. But I think in terms of one principle that's not been mentioned yet that's worthwhile and not been pointed out is life cycle as a security principle. It's in the Paris Call, in there. Need to strengthen the digital processes and products and services throughout their life cycle throughout the supply chain, as it's written there. We often focus on the supply chain without asking questions about life cycle related security issues. In particular, patching of security flaws, of no longer vendor supported legacy ICT systems. I think that's something important.

But I think we've heard a lot about today kind of the current state of Supply Chain Security and some of those challenges. I wanted to briefly go just a few years back to kind of like illustrate how far we've come so far.

I remember back in 2016, I was with East West Institute, released this report. I'll hold it up. I'll share the link afterwards. We started talking about here third part vendor risk or as we call them today mostly supply chain risk. How I think of the risk that comes from outside organizations when you buy, like, stuff. Software, hardware, services, and so forth. Buyers have to deal with those risks. This was just like five years ago. So kind of like seems like a long time in cyber time. But I think back then people had not really thought too much about that. It was kind of new and I'm going to share one example here. It was like I remember very distinctly a conversation I had with a member of a large company, as we were preparing comments to the NIST updated cybersecurity framework, there were things we tried to deal with. Should Supply Chain Security or supply chain risk be a separate explicit category or should it be kept, like, hidden somewhere else under another risk category? And I remember, it still blows my mind today, that representative and that person's team made the argument that it's not necessary to kind of highlight supply chain risk as a separate risk, so it doesn't really deserve to be treated separately as its own category.

And I think by that, again, this was just a few years ago, right? We can see how much has changed, how many efforts have kind of spun up across the industry to address that issue. And I think that was my first point where I said, oh, maybe I want to push back a little bit. I do understand fragmentation can be a challenge but I think it's actually a good thing, right? Because a lot of different places in different sectors take now Supply Chain Security seriously and have come up with their own approaches. Of course, some harmonization will be very helpful but it speaks to the fact that a lot of progress has been made.

Let me briefly talk about some of the U.S.‑based work on Supply Chain Security.

I think there's been quite a bit of work done, right? It's quite impressive. I think last time I've counted there's nine executive orders addressing cybersecurity in some form of another. There's been things done by the White House, some things have been elevated since the COVID‑19 pandemic. Kat mentioned some of these earlier, looking at some supply chain issues as well as foreign dependencies. There's numerous efforts to address Supply Chain Security. But there's no mention yet kind of pointed towards the remark earlier that there's a huge defense sector that has an extensive industry to think about supply chain risk components to come, like, that might be affected by foreign adversaries.

Obviously, last but not least, rising geopolitical tensions that kind of still ongoing 5G controversies come to mind. I think we can think of them as a large‑scale case study in Supply Chain Security.

Of course this is only a U.S. view. There is more that could be said around other countries. That's why I really appreciated that May‑Ann provided an Asian perspective on this as well.

I think where we are here right now, we started defining the problem and now what really needs to be done, that's some of the question for these panelists, what are the action and organizational and institutional changes that are needed to put all the good work we've done so far to be put into action to effectively address cybersecurity risk.

>> ANASTASIYA KAZAKOVA: Thank you. I'd like to raise the questions in the chat. The first question from Susan, maybe to address to Jonas and Katerina first of all as the government representatives, and also those who are really in the field of the policy planning and participating in the development of those policies. Is there a centralized database of standards and policies? I'm assuming Susan is asking if it's possible theoretically could we review future products for compliance of international policy standards? If not, can this be a product theoretically? Jonas or Katerina, would you like to share your remarks very briefly?

>> JONAS GRATZ: Yeah. Thanks so much. Good question. May‑Ann also highlighted the challenges with regard to international standards in the first place. I mean they are not public. To have to get them through your national standards association. As May‑Ann also said, we need to change a bit the way this is working and at least make versions of the standards available to the public in a different way. And we have been at this discussion that we had in May with standardization organizations. We have discussed a bit the approaches that they have towards developing international standards and they have also said, yeah, we need to change a bit the way we are working and they also are in the process of adapting their work. So I think here there needs to be some change to make certain it's publicly available. And when it comes to regulations, this is even more difficult. The study that has been done within the framework of the Geneva Dialogue, it also encountered some difficulties when trying to do a broad overview of the regulations that are in place in different world regions. This is also something which, yeah, which is an open question at the moment, I think. So we don't have this overview. It's a rapidly evolving field. And more needs to be done. And it should be a priority, I think.

>> ANASTASIYA KAZAKOVA: Thank you. Katerina.


>> ANASTASIYA KAZAKOVA: Sorry. Apologies. We have five minutes until the end of the session. Very briefly.

>> KATERINA MEGAS: Okay. Sure. It was very interesting because I was watching the chat. I'm sorry. So I saw that Andreas made the comment about what standards are we talking about, because I think often the word "standard" I think, you know, in being from NIST where the word "standard" is in the title, I try to talk about upper case Standards where we're talking about standards developed through SDOs, but there's a host of other tools that are actually available out there. Standards are not the only tools. And I know perhaps this isn't quite exactly on in response to your question, but the reason I want to mention it is because the word ecosystem came up so many times and the word trust came up and how can we enable trust from an ecosystem. One person I talked to recently said there's three layers of the ecosystem. There's the tools that we have, the how that are across the ecosystem, and they all have a role to play and they all have to work together to enable trust. They were talking about things like standards, which is one piece of it, but it's not just standards. It's tools. It's best practices. It's the regulations. It's all the how these pieces fit together. The other one is the who. There's no, again, one person in the ecosystem I think that can actually take on the role of enabling trust. It's going to require the entire ecosystem. It's going to require the retailers who are actually putting the products on the shelves. It's the users of the devices, whether they're the consumers or the manufacturers. It's governments. Everyone is going to have a role in the ecosystem. And then the last part is the where in the ecosystem, because, again, I think it's not just about the device. There's a technology we've been looking at or a protocol, called MUD, the Manufacturers Usage Description, and it really is all about how can we actually leverage network devices to implement security and complement the types of security that an IoT device can provide.

There's lots of other places in the ecosystem that we can look at. So this probably doesn't answer your question directly, because, again, I think standards is just one piece. Standards alone, we can't just rely on standards, but also I'm not a policy‑maker and I better not at all make any sort of comments about policy. Thanks very much.

>> ANASTASIYA KAZAKOVA: Thank you. I also really like the dynamics on our discussions taking place in the chat. I think they provide parallel insights that we've been discussing. Going to the close of the session, most of you really covered the challenges and spoke about these and many other actors, the complexity of IT devices and so on. Maybe right now probably the final question, what do you think should be at least the key or first priority ingredient tackling the supply change security, be it an economic perspective or anyone else? I'd like to start with Andreas, May‑Ann, then Katerina, and then Jonas, very briefly.

>> MAY-ANN LIM: I think the technical standard is definitely one part. As Katrina said, let's put that aside. I think there needs to be another discussion around trust mechanisms. I think the trust mechanisms are really, really lacking. How do you know when you can trust something or someone that is not quite there? I think that that's, that trust deficit, is definitely something which is a big challenge. I think the fragmentation is something we'll need to address. We need to have a little bit more widespread discussion. This is kind of important. We are, I think we're all talking to people within the zone. We all know it's really important. But I think we need to have a little bit more widespread discussion on the ICT supply chains. There are better imaging and virtualization tools. I think there needs to be a little bit more people talking about it and bring it more to the fore. In the chat, thanks, Vladimir, for bringing that up, that interesting discussion. I think cyber discussion has now become a challenge of the commons. Who is going to become in charge of this? Keeping track and keeping the whole ecosystem safe? I think everybody is looking at each other and saying we're going to take care of our own little garden but not everything. So I think we need a more widespread discussion so we can start de‑fragmenting and putting some pieces of the puzzle together. I'll stop there.


>> ANDREAS KUEHN: Thank you. Let me make this short. I think trust is an important issue. I put a link into the chat about discussion about trust centers. So I think that's one approach to address this. I think the deeper point I want to try to make, we need institutional changes. We need new organizations or new mechanisms to kind of like deal with this thing. I think we haven't really figured out what that is. Standards are good. Documents are good. But we need something, a organizational or institutional changes or mechanisms to actually enable that. Another thing that would be important is the question is Supply Chain Security. And the third one, what can international institutions on the UN level do, the program of action mentions by the Ambassador, as a way to kind of bring this discussion on an international UN level, to address that there as well.

Thank you.

>> ANASTASIYA KAZAKOVA: Thank you so much. Katerina.

>> KATERINA MEGAS: Just very quickly because I know we are running out of time. While the word "fragmentation, harmonization," I hear them over and over again. If I had a word cloud, those would be probably very big words in the cloud, I think one of the challenges when we start trying to globally address fragmentation or at least trying to say we're going to harmonize I think it's very difficult because I think the policy tools, some of the assumptions that we make, are so different. In some places, they have a much more top‑down, they have much more of a preventative approach, perhaps, to cybersecurity. In some countries, there's far more of a reactive, perhaps, approach, kind of allow people to do something, and only after if something goes bad do you actually then try to kind of go back and reinforce. So I think with this wide variety of tools or appetites for risk and appetite for regulating, to say we're going to have harmonization I think is difficult.

I think we should be talking about interoperability and how we can assure mutual recollection of that. And then trust, when you do something different that I do, that the outcomes of your approach is the same as my approach, even though they're different. Over to you. I talked longer than I intended to.


>> JONAS GRATZ: Yes. I hope I can still talk because the IGF is telling us we have to end. Anyways, just a few thoughts. The UN was already mentioned, those discussions at the UN level are going to intensify. They also mention supply chain but they don't know exactly how to implement it and Geneva Dialogue will provide the link to those discussions and find a common approach. And May‑Ann said directly it's good to talk to a variety. We need to broaden our own horizon and talk to a variety of actors. So we need to find a common ground there and between the industry, how they want to proceed, also, to enhance trust globally and to secure the supply chain globally. I think that's what we're going to do next year. Yeah. See you on Thursday for our workshop. And thanks so much for this great discussion.

>> ANASTASIYA KAZAKOVA: Thank you so much to everyone for sharing their insights and really interesting perspectives. Please also join me thanking now our experts today and also thanking to Aude who has shared lots of the ideas that we produced in the past together with many other organizations. Thank you so much. I wish you really good day and evening and again let's also stay in touch and join the session later this week on the federal security of judicial products. Thank you.

(Session ends at 11:00 AM Central Time.)