IGF 2021 – Day 0 – Pre-Event DC #15 Closing the gap between the theory of digital security and the practice of insecurity

The following are the outputs of the captioning taken during an IGF virtual intervention. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid, but should not be treated as an authoritative record.



>> -- the IGF website does not seem to be working as well. I suggest we start the session, and that, perhaps, we have to reconsider how we are going to proceed. Depending on ‑‑ I can see how many people are in the Zoom, can someone tell me how many people are in the Zoom. 

>> SERGE: Ten. 

>> So welcome, I think we'll just start. This is what it is. If there's an error, then there's an error. Welcome to this session of the Dynamic Coalition on internet standards and security and safety, and I was going to give an introduction to the Dynamic Coalition, and on this workshop called closing the gap between the theory and the practice of security. And there's a reason for the title of this workshop, because we are working on the Dynamic Coalition for a year, started at the virtual IGF last year, and we found out there's this huge gap about talking about the security of the internet and the actual daily practice, which is still mostly insecure and a little bit black and white, understand that, makes it a little bit easier to discuss what we are discussing. We are going to do a few things today.

The first is the opening, the second we are breakout groups, but perhaps we will split in between with one online and one here in the room. And the third item is the reporting back on what we have heard, and then discuss and finally some closing remarks. There are two other sessions with the Dynamic Coalition this week, and the first one is on Thursday, the 9th at 1615 in room 4, that will be our second general meeting, and one on Friday, we have a networking session during the lunch at 12:30. The Dynamic Coalition has some very clear objectives, and it starts with our slogan, that's to make the internet more secure and safer. And how will we try to achieve that, by the wider and more effective and rapid deployment of already existing security related internet standards and ICT best practices.

That distinction is there because you have official internet standards and some other set called best practices for like for example, the top ten that ‑‑ more or less could regulate the standards of websites. What we also try to do, we are looking at prevention and not at mitigation. Most initiatives participating in the past were all mitigation, there's an incident and then we try to fix it, for example, we take the next down, we don't go in search of the infections, that's what the Dynamic Coalition trying to do, get the prevention up to a higher level so a lot of the mitigation perhaps not necessary. We want to do that through existing internet standards and already existing frameworks of cooperation. 

If we look at the standards just to give you an idea that we are discussing the security of the domain system, talk about RPKI, routing system. BCP 38, that would prevent spoofing. It mentions looking at the security of website, most, for example, secure software principles that exist that make sure software is more securely developed in the first place. If we do that, we are able to close the gap between theory and practice. So where did this all start, this addition to and where do we want to go to, we started with a report in 2020 and from there, the Dynamic Coalition started.

The questions we have to look at is why these internet standards and best practices are not widely and effectively deployed, some are arch for over 20 years and still they are not effectively or widely deployed, some better than others, but why not massively in the sense of that everybody is ‑‑ simply does it are there. Some of the answers the deployment of standards is usually voluntary, you have a choice to do or not to do it. If there's no business case, which is often the case, just extra cost and no demand from the consumer or the user side, there will be no supply. Also no so somebody who actually does it has more costs than somebody who does not deploy, and that is negative towards your shareholders. 

>> YURI KARGAPOLOV: Sorry to interrupt. 

>> MARK: People are trying to join this zoom link. 


>> What we need is a general Zoom link that I can send to OLAF and all the others asking for it. Is somebody in support provide it. 

>> WOUT DE NATRIS: You see Savyo. There is a Zoom link through which people can access this meeting, can we get that online somewhere so everybody who is trying to access this can see it? Savyo, can you show the Zoom link to everybody there?

>> MARK: He put it in the chat. I'll try it. I'll send it to Olaf and the group. Okay. We'll get there.

>> WOUT DE NATRIS: For the people who do not have access, they cannot see the chat as well, of course. 

>> MARK: Let me go back on e‑mail. 

>> WOUT DE NATRIS: The organization saying something, yes? That is not working. But the people who need it, they are getting it now, right? So Mark you're sending it to Olaf, I sent you all the e‑mail now.

>> MARK: The link Savyo provided, is that working. I'm using Yuri's link. I don't know what happened to Yuri. 

>> WOUT DE NATRIS: If you can get that to the others who are external, then they should all be here and more people in the room as well. We are slowly getting there. Thank you, Mark. Where I was, that there are a few active drivers for change where the deployment of internet standards are concerned, because there's no real drive behind it. So what are solutions? Well, when we interviewed a lot of people and they did a survey late in 2019, many people said if you started regulating this with new legislation, then perhaps it would come to 100 percent, but everybody also said, this is a very bad idea because most likely most governments will make their own regulations, never go that route. 

But it is important to conclude that this should not be identical to no action at all. Then probably at some point, there will be legislation, and we have a time slot to do voluntary solutions. So it should be a voluntary stakeholder‑led solution that brings us forward. How do we create that business case? The first is that we have to drive demand because when governments and large organizations procure or purchase ICT products, whatever they are, services or devices, if they demand a level of security, that would mean the business case is automatically created. At the same time, there could be some sort of societal or peer pressure. For example, from consumer protection agencies or consumer advocacies through relentless testing.

The bad side, the dark side is testing our internet and everything 24 hours a day, why aren't we on the good side. So that could be a system that could work to create more pressure. The same could be by aligning politicians and the media, or existing ‑‑ perhaps even existing regulatory measures that are there on consumer protection or on liability or technical solutions, that are already being monitored, but that look at in a different way. Finally, there should be a better aligned ICT education, not talking about cybersecurity education but everything around ICT. 

If our students do not leave their tertiary education with the measures of knowledge that are needed for this society, how can they ever make sure it becomes more secure? The current initiatives, activities of the DCISS senior three working groups, the internet of things, there could be other working groups, this one is internet such things, we are looking at education and skills, looking at procurement of the supply chain management and creation of the business case. There is a fourth one on communication, because we are professionalizing our organization, there will be a website soon. Social media handles, et cetera, funded by an African organization from Ghana. 

There's also a lot of work on outreach, Mark, the senior policy adviser and I am working relentlessly on getting more people aware of the initiative and reaching out and creating the network and making sure that the financial part of it is sound. One moment. So we are going to do try to do some breakout groups, everybody online can join a breakout group. We have five ideas behind it. Let's see if we have enough people. I think we do, looking at everything now. The first breakout group will focus on how to identify and promote a list of internet standards that urgently need deploying, led by Mark and reported on by Naveen, both online, they will discuss with you about 30 minutes on this topic. 

The second topic will be how to get from a limited and slow deployment to a widespread and rapid deployment. This topic led by Olaf Kolkman. The third one is how to close the gap between industry needs and tertiary education curricula. We have a moderator in the room here, but I have one cancellation so I'm looking at a volunteer here in the room who could do the reporting. Maarten perhaps? You can't get online, then you can do it ‑‑ you can do it here. The fourth group is closing the gap between the theory of security and the daily low security. The moderator I hope is online. And the fifth is the role of internet standards and enhancing human rights and digital inclusion, led by Robert.

I hope we are all online, say Olaf. And Elif. I think we are basically there. I'll ask the organization to split everybody up in breakout rooms, and with the assigned teams. And the people not online, I suggest that we have one working group here, that we sit together in one spot and ‑‑ who are online, you can join a working group there. Everybody prefers. So I'm going to ask to do the breakout. To start them and we'll end that at about a quarter past 10:00, you have a half an hour to discuss the topics. From there, there will be some reporting and then we'll have some discussion and wrap up. Thank you very much. The people in the room who want to join, we'll make a circle here, that's safe enough and discuss it, others online, you can go to preferred discussion. 

>> MARK: Somehow, I've assumed Yuri's identity for this. I'm ‑‑ I'm moderating the first team with the help of Naveen, who I don't see now. I don't know if we are being split up, I don't know if that's possible even with this Zoom link. Because we are not through ‑‑ we are not in the ‑‑ on the website. So I have no idea if this is working or not, to be honest. I've lost my Rapporteur. I don't know if you can hear me. 


>> MARK: I'm not sure what we are doing. 

>> WOUT DE NATRIS: I'm checking, Mark, thank you. 

>> MARK: May not be possible since we are relying on the Zoom link. 

>> YURI KARGAPOLOV: Okay. I am ready. You are ready to start. 

>> MARK: I think we are all ready, waiting for the technology to catch up. 

>> WOUT DE NATRIS: I understand the rooms are there. 

>> Yes, the rooms are there. The names of people. 

>> WOUT DE NATRIS: Most people are on the Zoom link of Yuri. To Naveen. And you know what to. 

>> You know what to do with any of these people. Assign them. 

>> WOUT DE NATRIS: Yuri goes into one and the rest ‑‑ these are not people who are here. Mark, you're going to be connected, you're under Yuri's name and you were not here on the ‑‑ so it's being done now. 

>> MARK: Okay. 

>> WOUT DE NATRIS: Everybody should have his or her own. 

>> MARK: I got a spin message, going now to 1. 

>> WOUT DE NATRIS: They're online waiting to be assigned. Okay. Are people in the breakout rooms? Everybody is connected online is in a breakout room at this point, I understand. Okay. Your reporter is there. So what shall we do? Because the ‑‑ it doesn't seem to be working. That's ... I think that's the best thing. It does not seem to be working with breakouts. We create one breakout team, which people external, we'll create I think two here in the room. There's too many people, two here and one external. Mark ‑‑ can Mark hear me? Take everybody out and create one external room. (Speaking non‑English language) Yes, everybody is back in. 

There seems to be some issue with the breakout rooms. So we have decided all the people who are external, they're going to be in one breakout room, and I suggest that's being led by Mark Carvell. You can choose the topic of your choice. We have to make our choice here. My suggestion is to drop the fifth question, and that we focus on the ‑‑ externally on closing the gap between the theory of security and daily low security together with searching for some solutions. That internally we'll be looking at some of the perhaps education points and then look at the potential list of top 20 ‑‑ I call it top 20, it's the most important identified security standards we should be focusing on in the first year.

So my suggestion is to do that, we'll decide here who leads it, create two groups, this half and this half, you can do one and you can do the other on that side and we'll start working here, yes? Enough people? Make one? All right. We'll do one here. So I put it down, you'll see you all a half hour from now and sorry about ‑‑ Mark, you have your hand up, one question, fast. 

>> MARK: Yeah. Yuri, Naveen and me, we just rejoined from our breakout rooms, can you recap what you're doing, I didn't quite catch it. 

>> WOUT DE NATRIS: The breakout rooms were not really working, all the people online do one group, and you can choose your topic yourself, Mark, so suggest that you lead it with ‑‑ perhaps with Olaf together and Rose with all do the reporting. We'll do one here with Maarten and I'll do reporting. So that's the way we suggested so we have two breakout rooms, one onsite and one there online. 

>> MARK: Okay, understood, thank you. 

>> MARK: Thanks very much for persevering through technological adversity, it seems. I think this is ‑‑ is always a risk at the start of a big conference. There are going to be glitches, we are right at the start of it. So we are ‑‑ we are the sort of ‑‑ not the four guys, but the sort of champions of getting the thing up and running and rolling, so let's go. So as I understood it, we have to decide really the key question for us as the online group. And I'm sorry, I was reading a message I had to go and join another room.

>> WOUT DE NATRIS: Everyone online has to join the room being suggested to you now. 

>> I'm from the same country. We be careful not to ‑‑ maybe only on your first point, attaching to the political themes. I'm not sure first think it's better to use the government as a launching customer of security standards. I think we are pretty successful in the area in the Netherlands. And you think I would ‑‑ it's probably a combination of the two, before starting to regulate it. So using political themes to put pressure on everybody, I think it would be better if the government is showing example. And like we do in our country, if the government signs an IT contract with a private supplier, they have to enforce the standards in that area, I would prefer that kind of approach.

>> Then we are dependent on the government actually understands. 

>> Yeah. We are very dependent on the government to understand in any area. So, yeah, sure, and I think that we can help, especially the technical sector can help to educate the government. So that would be step one. Yeah, so you need kind of that a standardization organization, and get the right groups in there, and make sure that they influence the government and get it on the political agenda, and I think if there are dangers that these standards will solve, it will probably help to get them high on the agenda. I think that the approach that we have where the government is a launching customer, at least we try to make the government launching customer, I think that's pretty good approach. Modernization great. Anybody else ‑‑ anybody here from ‑‑ representing government? Tell us how that works. No, I'm just teasing you. You've been in this game longer than most. I think we might need you behind the microphone for the transcript.

>> WIM: I'm working for climate policy in the Netherlands, and I think I understand very well where Olaf is coming from when he says that the government has an important role to play, and I agree with him, that the government has an important role to play. As a launching customer, not only as a launching customer, but as a regulator or stimulator or promoting, all kinds of standards, especially also open standards. So we have a big program on doing this, probably not enough, we need to do more about it, but I think we have good practice, that government services, institutions, they need to explain or apply certain standards.

So if the security standards, but also a standard like IP version 6 in a way you can define it as a security standard. I think there we say, when you are procuring, then you need to ask suppliers to provide the standard, to ‑‑ if a government service is not able to use that standard, there needs to be an explanation why that is not possible. So that I think is a good incentive for the kind of government services to use the security standards. Sometimes there are practical differences, difficulties, it's not always possible to use this, but I think that to overcome this kind of difficulties, we need to look into those kinds of difficulties to get there somehow. 

Maybe you need some additional support to get there, and maybe also in the end, prescription, political discussion about, you know, going a step further and saying, okay, if the launching customer argument doesn't work, then maybe we can go think about going a step further and making it obligatory. But I think that we are not there yet, and hopefully we'll ‑‑ it will not be necessary to go there. 

>> MODERATOR: All we need is one big cyberattack. 

>> PARTICIPANT: We have been advocating for security standards for IOT in the European Union and especially there is a regulation which makes it possible that security in IOT products is possible to regulate it. It's not maybe the preferred option, but we have advocated that that should be done, and we are, let's say, hoping that, in a short while, that the European Union, your big mugs will come forward with regulation, that minimum security standards will be applied for IOT products. So I think that ‑‑ I agree with Olaf that the preferred option is a customer trying to convince market bodies to go there, but that's not possible, there should be other ways to promote it or even regulate it. Thank you. 

>> MODERATOR: I see Elke. I think it's become a very western European party here. I hope some other people from the other regions will join into the discussions. 

>> PARTICIPANT: I'm trying to give my opinion as a customer. I want to buy certain products in the store, let's take, for example, my lights that I've connected to the internet, and I might hope that those lights are secure, and these are safe, and nobody can spy on me having my lights on or off. 

>> MODERATOR: Did you buy them at the action for five Euros, I can guarantee they're not safe. 

>> PARTICIPANT: But I hope this bigger company, which is also a medical equipment does make those lights safe. But as a customer, I don't really have a position in that. 

>> MODERATOR: You need to join the Dutch consumer organization, that does look at these kinds of things and tells you exactly. This is exactly the problem, there's no guarantee, because it's not a requirement that these products are going to be safe. They could be spying on you in your own house. 

>> PARTICIPANT: In that respect, I hope that my government is protecting myself from buying ‑‑ yeah, lights that are, for instance, not safe. 

>> MODERATOR: You don't. They send them straight to your house and where is the Dutch government come in the transaction between you and international company. 

>> PARTICIPANT: I hope at the border of Europe in this case, some regulations protecting me as a customer from buying those goods, but I am also aware it's pretty difficult to put that into place. 

>> MODERATOR: Are you ready to get Dutch customs to open every single package coming outside the European Union and make sure our consumer rights are protected? I think it would be virtually impossible. I think you make a very good point. For that, we would need regulation and standards so they would know what to actually look for. 

>> PARTICIPANT: Your first question was politics or consumer organizations, and I guess has to be a collaboration of those two, but indeed, consumer organizations maybe setting the scene, putting it on the agenda, by politics, by giving a good example of something which when ‑‑ by foresee Secretary General, foreseen problems and if agenda setting has been done, then I do guess it's up to politics to protect me as a customer from buying goods that are not secure. Thank you.

>> MODERATOR: I'll take a couple of more comments and then I'll hand it over to you because we are putting different sessions together. Is there somebody especially from another region who would like to contribute to the discussion, yes, please. 

>> PARTICIPANT: Thank you. Okay, maybe I should remove the mask. Good morning, I'm from Brazil, Sabo. From the technical community. About this point of regulating the devices and something like that, how could I say that? The point is that, it goes a bit beyond having new standards and so on, because in other types of device and in other scenarios we also have rogue security problems, as for example I can cite here, the problem, lots of hospitals stopped work just because the device is using Windows XP, and it was supposed to not be connected to the internet, and somehow the malware got to those devices and there were some problems on that.

So the point is that coming from the technical community, I can say that people only do things when it hurts. When the internet goes ‑‑ sorry, internet goes down, when my device is not working, my light switch not working, people only do things about security when it hurts. Other examples ‑‑ okay. And so on, and so for me, it's a challenge to understand how to ‑‑ first is not the best word, but okay, make the technical community understand well the problem and deal with the problem of deploying the security standards and best practice, and not only by regulating, but maybe ‑‑ don't know, creating policies that you get some gift for doing good things or something like that. Maybe this kind of approach may work better. Not sure. But I think from the technical point of view, from the people who are working with tech, and more and more beyond IOT, the point is people don't do nothing if it's working, we keep doing.

>> MODERATOR: If no security incident all year, everybody gets a t‑shirt or more substantial than that. Yes, please. 

>> PARTICIPANT: Good morning, everyone, my name is Nama, I'm the member of parliament in Tanzania, and I will apologize for being late, I was a bit lost. I was very interested in this session, I wanted to understand, you know, most of these companies, the regulations and the different mechanisms to protect the consumers in developed worlds, it's very much structured, but the same companies, when they come to do business in Africa, or in other developing countries, they don't tend to follow the same criteria that they follow in developed countries. 

So I was a bit curious to understand is how can developed countries ensure that these multi‑nationals, tech companies, et cetera, maintain the same level of protecting consumers, despite where they are operating, because we found that, let's say, if they look at developing countries, like Tanzania and others as sort of a dumping place, so because we are not yet, in terms of our policy and regulatory framework, not yet where perhaps the developed countries are, we are still developing our digital different laws, and we are still yet even understanding on how to regulate the digital sector and technology sector. 

There is a huge loophole which, unfortunately, tends to be taken to their advantage and to our detriment. I wanted to understand what can be done to have that holistic protection for the customers, thank you. 

>> MODERATOR: How wonderful it is to have a politician at the IGF, because we have such difficulty always trying to get politicians to come here because they're such a crucial part of trying to find the solutions to the problems that are happening online. So big welcome to you, and secondly, what an excellent question. I think this is a challenge everywhere. The Corporate Europe Observatory has done an investigation into big tech in Brussels, even there, which is supposed to be highly regulated, very developed and sophisticated, the amount of money and access that big tech companies have in order to try to lobby for their own financial benefit to the exclusion of end users and others, it is extraordinarily challenging to try to counter that.

My day job, I'm Director of Transparency International Netherlands and we look at how corporate lobbying, the access to ministers, it is extremely difficult. Other people who have suggestions here to answers? I believe having strong consumer organizations, very alert politicians like you, having media on top of this, it's part of the whole system of Democracy and the rule of law. Does anybody want to come in either on this point or otherwise I'll hand it over. We are supposed to be combining different sessions. We'll take it over coffee as well, I think. And continue a bit more.

I think just having politically aware ‑‑ digitally aware politicians like this asking this precise question is the most important step. That way you get to question the government, why are you dealing with this company and sign this contract. Do what we can do. Yeah. As developed countries. (off microphone) Yes. I think here there's I would like to make a distinction without wanting to get too political between American companies, many of them are American, which is highly unregulated where they still believe in the power of the shareholder, capitalism and all that, even though the Biden administration is trying to change things or Europe where we have started with regulating with the GDPR to make sure people have privacy rights and data can't be marketed in the ways Americans did. 

I would split the countries into different groups in this regard, I don't think Europe has an equivalent of the Facebook or Google or anything like that. It's ‑‑ but if there are examples of companies, then of course we could probably talk to them, put pressure on them, shame them, and expose them. What do you think? I'll hand it over to you. 

>> MODERATOR: Check with you first because you gave me four questions for this group. I was supposed to talk with the working group on the knowledge and education gap, but we have been talking about how to implement standards, and one of the reserve questions was what kind of standards, do you have a preference, the last one. The question for the group, and it's the whole of this group again, is can we come up with a top ten or a top 20 of the standards that we think ‑‑ security standards that we think should be on the list to get implemented everywhere, let's say, is there anybody who wants to make a proposal? We have heard a few of them already. 

Nobody? So what are you guys doing here? You want me to repeat the question. We are challenged to come up with a list of, let's say, 20 or ‑‑ at least 10 security standards that should be implemented globally, everywhere, that should be on this government list of the user ‑‑ I think somebody mentioned ‑‑ what we call the apply or explain list in the Netherlands where the standards organization has a list, the government uses it, every time it contracts an ICT supplier, this list, they have to either apply the standard or explain why they can't. So we could start from that list. I know DMARC is on it. It's more of a best practice, they are probably on it as well. If they built the website. What are other ones? I think if everybody was here to get educated, not to provide answers. There's somebody who wants to respond.


>> MODERATOR: The best common protocol, 32 ‑‑ the one that prevents spoofing. Sir, there you go. 

>> PARTICIPANT: Sabo for the record. I would like to suggest putting in the session list the manufacture description for the IOT context. It was from the IETF, the RFC 8520. And it goes in a way that reduces the possibility of one device, one IOT being attacked, closes the possibly open gate and reduces the possibility of you being infected by the Mirai botnet. I think that list is good. I don't like that face. RFC 8520.

>> MODERATOR: That's an RFC that has a set of standards IOT should ascribe to. It's about five years ago, something, U.S. Senate adopted a list of, I think, eight criteria that should apply to any IOT device being manufactured or imported in the United States. I don't know how we are doing on that because you remember that Europe was going to follow that, but I think we are still talking about it instead of ‑‑ is that something you were ‑‑ a list of standards for IOT devices, right? Viewing RFC. 

>> PARTICIPANT: There is not a list. Standards that should be good to be implemented. I mention it only this. 

>> MODERATOR: Okay, thank you. Yeah, you have to go to the microphone. I was wondering who this . 

>> PARTICIPANT: We are talking about a list, recently they developed a standard called the foreign DOH, https, which is at the moment very controversial or at least in discussion. I wondered if we can have a discussion on ‑‑ should it be promoted or shouldn't it because I think also some political questions are involved with this one. Thank you. 

>> MODERATOR: Thank you. I think most people that have some knowledge about DOH. There's DOH list, I think the protocols themselves are pretty good. But they kind of open the gates for the big tech companies to dominate. DNS resolving with their business, there's some examples where the default settings point to the service, which is good, unless it's American based big tech, we do your DNS by default solution. So there's more of a political market type, political in the sense of, let's say, strategic digital autonomy, the technology itself, it was developed by the IETF as a protocol.

It's a microeconomic and political impact of that kind of a solution. But I think ‑‑ well, if we solve the resulting problem, then I think encrypted DNS is a good standard to adhere to. Though I think some government parties might consider that to be a threat to their ability to apprehend criminals. Well, not just like that, I think we have to address the issue that it makes it possible for a few big tech companies to dominate the DNS resolver business. I think you have heard about it, DNS for the European Union is looking at a solution to that, but we have to have that kind of a solution, because most users will not change the default DNS settings in their browser, they won't have a clue and shouldn't have either. 

I think we have to come up with a solution for that before we put this on the standards list. It would be a good standard, in my opinion. Other people who want to provide some input? We haven't talked really about, I think, one of the problems the lady here in the front of the room, manufacturer standards. Does anybody know how we are doing in Europe on standards for IOT devices, I know we wanted to follow what the U.S. did a couple of years ago. Have we adopted any of those? (off microphone). We will try to keep them off the market, which would be difficult if the order is in China, but probably educational gap, we have to tell them it's done by. (off microphone)

>> MODERATOR: There's some progress in there, there are standards like a strong password, regular updates, security settings, that kind of thing. Okay. Can you ... 

>> PARTICIPANT: Again, as a consumer, you don't know what the standards are, which are provided by the manufacturer, so it's almost the same common, but a different package, government should protect the customer from implementing those standards. Because as a consumer, I don't see that from the outside on the box of the website, if it's from Alibaba or Philips. I can first make a distinction, also other standards, or if there is a certain logo on it. Could be China export or CE. It's different, it's difficult for a consumer, again. 

>> MODERATOR: Yeah, but this doesn't really scale very well. That is the problem, because it would be possible to make sure that you cannot use your internet connection to order anything in China, but you would probably consider that kind of filtering or blocking that is ‑‑ which you don't want. Then the government could decide that they get people and open everything that they send to your home before it gets to your home, you wouldn't like that either. There's some responsibility with the consumer as well. We cannot put everything at the government level. From the government's perspective. 

>> PARTICIPANT: There is ‑‑ we introduced it a couple of years ago the cybersecurity act, it makes sure that there are certification schemes, and they use standards, but it takes time to develop these certification schemes which say that you can see what kind of level of security is attached to a certain product or even service. Which you allow. So we started to discuss first the very high level of security of products like microchips, for instance they should be very secure. 

They are used in very high, sensitive areas like banking or cars or mobility or whatever we are trying to get there, now we are also back talking about securing the cloud, certification schemes for cloud, and then, of course, you come to the discussion where next, and there is the discussion when we talk about, for instance, IOT, should you use the radio equipment directive to make sure that they are ‑‑ that there are minimum standards or should you use the cybersecurity act for IOT products? Our preferred route is the minimum standards in the radio equipment act. That we could at a certain point in time also develop certification schemes for IOT, which then, of course, would make the consumer much more aware of how ‑‑ what kind of level of security is connected to a certain product, whatever you have ‑‑ or whatever you want to apply in your home environment. So I think it's a complicated question, and with ‑‑ with different levels of action. (off microphone). 

>> PARTICIPANT: That's the idea, to have high, average, medium and low. 

>> MODERATOR: I think our time is up. You want the mic. 

>> WOUT DE NATRIS: Okay. The other group is back as well, welcome back. We have had a discussion here, you had a discussion there. 

>> MARK: Actually we were in mid‑flow when we shut down. I want to apologize to my colleagues in the breakout ‑‑ online breakout, not wrapping up smoothly. We covered quite a lot of ground. 

>> WOUT DE NATRIS: You have been very active. So I'll invite you to report first, because we haven't seen you on the screen for a while. Who is reporting on your group? 

>> MARK: If Roos is back. 

>> ROOS: I'll leave it to you, Mark. 

>> MARK: We are reporting to the whole session. Are you able to quickly sum up what we covered in terms of complexity and finding ways around not perhaps seeking total harmonization, but ways of ensuring awareness of standards amongst a small ‑‑ any business enterprise for example and users generally and the ‑‑ we talked about engineers and their training, how they perhaps ‑‑ the curriculum for their training should encompass issues like societal context, consumer protection, human rights and so on. And then we talked about issues of trust and then very quickly we almost lurched into the area of pros and cons of regulation. Do you want to recount a bit more about that, Roos from your more comprehensive notes than mine? 

>> ROOS: I think you have the most important points there. Somebody said that you said that it's for medium, small enterprise, very hard to have the capacity to implement standards properly. It's a capacity problem more than a knowledge problem, they feel the importance to implement standards well, it's for medium and small enterprises, because they have a lot of other stuff to do as well. And we discussed, indeed, the importance of standards and human rights and privacy and everything, all the aspects who are related to standardization should be in the curriculum for engineers because they're the technical guys who should organize the standards properly and security properly and should also learn about privacy and human rights. To understand the importance to develop it properly. So that would be my summarization. 

>> MARK: Thank you very much, Roos. Back to you, just one additional comment. We didn't get down to sort of specifics of key standards, you know, your top 20 request, just we didn't get to that. We wanted to focus really on what were the critical problems, and you think that's what we have covered in a sort of condensed conversation. We could have gone off on all kinds of different angles, of course, but we were conscious of the time. So back to you, Wout, I hope that's helpful. My thanks to all the colleagues in the breakout who spoke with such focus and with some real free thinking. Thank you very much. 

>> WOUT DE NATRIS: Thank you very much, and I can't see you all on the screen, but thank you, Roos, for taking notes and all actively participating in this discussion, you have more or less covered everything we did not discuss here. It's some sort of harmonious division, somehow. I'm looking to the room here. Is going to do the reporting, step to the microphone and hear what we have been discussing here. 

>> PARTICIPANT: We had quite an extensive discussion, the first part was what are the actual needs of security, is to be politics or more to be decided by consumer organizations, and the first speaker from the audience was that it should be the government that could act as a consumer before regulating, better than showing example. We had a good balance here, we had government in the room also. And yeah, the government mentioned that the security standards, it might be possible to regulate, but advocating has also been successful. 

And then I took a different role as a consumer, where I said, yeah, as a consumer, you don't really see what standards are applied in the place that you buy, for instance in the store. Yeah, and we also had really good question from parliamentarian of Tanzania, and she asked a question what can countries do to protect consumers, as audience in the room, we really had ‑‑ we were struggling answering that question. That was also, I guess, I liked that ‑‑ not that we liked struggling, but it was difficult to come up with an answer here, because that's the importance of the question, and I hope in further sessions we can answer that question. Now speaking for myself instead of reading my comments. 

>> WOUT DE NATRIS: That's what we are here for. 

>> PARTICIPANT: We had the second part where we tried to come up with a list of ten security standards. But I touched upon the point that the room was not really prepared on ten items, but we did have a good conversation on some security standards for internet of things devices, and yeah, we later on developed the question from, yeah, what should, again, be the role of the government, should they protect customers or should they try to educate, again, for these standards. These were my notes, but I'll send them to you and hope you can. 

>> WOUT DE NATRIS: Thank you, and I just remembered that I started this session because there were so many issues getting on Zoom and everything, I forgot to introduce myself. My name is Wout de Natris, and I'm the organizer on this internet standardization and safety and Mark is a Senior Policy Advisor of the Dynamic Coalition. We are around for about a year, and we are developing our program for 2022, and the idea is that all three working groups in the Dynamic Coalition as a whole comes up with very tangible outcomes of the new IGF, the IGF plus, there are policy recommendations, some guidelines, advice, but capacity building programs, that could help with questions we just heard from the lady from Tanzania. The outcomes that can be very practical and useable instantly by all stakeholder communities. 

To be able to do that, we have to fill in this program and all three working group chairs will be presenting on Thursday on their ideas for the next year, for 2022 and what the end results should be when we are together in 2022. Having said that, there is still some room for discussion and questions. So I'm looking into the room, if there are any questions or additional comments that you've heard from the other group or something that you would like to bring forward in general? On Zoom, please raise your hand, because then Mark is the external moderator. Anybody would like to comment on what you've heard and what you heard from the other group? There are no hands here. Your end, Mark. 

>> MARK: I'm just going through the chat, and various points coming through. Let me pick out one. Serge says, Roos who ‑‑ yeah, he's with us here. There are ‑‑ I'll read it, there are different communities, and I think the more open ones create better standards, I'm not sure regulation is the solution. Empowerment. We didn't use the word empowerment, but that's a good way of capturing points that came up in our breakout session. If stakeholders have greater knowledge about the critical importance of standards, that will lead to greater security and safety online. So that was Serge's point in the chat. 

Yuri Kargapolov, should we consider training programs as one of the types of standards to achieve our goals. I mean, in the coalition we have a working group on education and skills, and we talked in our breakout session, as I mentioned and Roos reported, training of engineers is one aspect of that, vocational training, if you like, about standards and about their importance for social welfare, for business, for personal consumers and so on. So those are the ‑‑ I hope I haven't missed any other critical points from the chat. Wout, back to you. 

>> WOUT DE NATRIS: I have a question here, please introduce yourself. 

>> PARTICIPANT: I'm Elisa, I work at the Dutch Economic Affairs and Climate Policy. If we need empowerment, I know IPV 6 is not always deemed as a security standard, but how much empowerment do we need to turn the world to IPV 6. It's been a standard here for many, many years, I think it dates back to 1992, my birth year, and we are still not using it fully. So how much empowerment do you need for a standard to become the standard if it's deemed a very useful standard. Thanks. 

>> WOUT DE NATRIS: That is a good question. Looking at SERGE. You put this forward, would you like to comment on the question. 

>> SERGE: Yes. I think this is a really good yes. The reason that I think ‑‑ one of the reasons IPV 6 never really flew, there was no reason. The internet continued working with really big problems, we had work‑arounds that were cheaper. What I mean by empowerment is how people who create secure products and rather than ‑‑ and making it clear why this is a benefit. For IPV 6, failed to convince people why this is a benefit, because when I talk to engineers in big companies, they always say I have twice as much work to do, I have to maintain IPV 4 and 6, there's nothing I gain. 

So why would I do this? If you look at security, I think it's not for people produce insecure products because they don't care, it's because they don't really know why they would do this and they don't understand the implications, there was one question in our breakout seeing how society participates in these types of things, they probably can't because it's technical things. What we need to do here is empower engineers who understand implications of whatever they do on Saturday and all stakeholders. You have to give people an incentive to do this. With IPV 6, we didn't have that. 

>> PARTICIPANT: My experience is engineers understand perfectly well how this works and that they would like to make it secure. At the end of the day, it's their bosses that want the product to be cheap, because it's all about profits. So I'm wondering whether it's the engineers we need to empower or the consumers who demand certain kinds of standards. I can't see tech companies and producers of what is very often really nasty, cheap plastic SHI Ty without any security components that allows weak passwords and can hook up to the internet, which is not upgradeable, et cetera, et cetera, it's going to keep happening unless something happens somewhere, and the older and wiser I get, the less I believe in empowerment of engineers or consumers, whether we need to put our fist down and make sure this happens in some other ways. I don't understand how those engineers are going to convince their bosses to do something which is probably going to be more expensive and convince consumers to pay for it as well, unless it's an actual enforced standard if I may call it. I look to GDPR for example, nobody would take privacy seriously until the European Union regulated it and said you're going to get fined. That's what it took, now it's a global standard if you want to do business with Europe. 

>> SERGE: We probably would need another two‑hour session to get into this. When you started talking about standards, it's really ‑‑ if the standards ‑‑ it's the standards that need to empower you, it should be cheaper to use something secure than something insecure. Why are we producing insecure stuff? It's because we ‑‑ companies tend to reinvent the wheel over and over again, it's like when IOT came up, we made the same mistakes we did with applications 15 years ago. 

What we need is kind of open frameworks, open tools to kind of have this built in so as an engineer or company, you don't have to start ‑‑ in our breakout session we discussed this a little bit at the beginning, it's about, well, if you're insisting on the expertise we have for innovation, it is not about reinventing the wheel, it is about taking good components and do something new with it. Like a good cook doesn't need to go out and reinvent farming, he needs farmers who produce good produce so he can cook a good meal. 

That's something that's lacking, we have so much stuff that's closed, not accessible, not available, and I think you're going into a world where people can start innovating on existing and secure frameworks, then that's when we start moving forward. But I totally agree, there's a lot of ifs and whens in this and we probably need to build more before it flies. I think regulation is not going to fly, and I don't think the comparison to GDPR is a good one, I think it's a success, so don't get me wrong here. 

>> WOUT DE NATRIS: Just one comment. We do need to have more discussions on this topic, and perhaps as a Dynamic Coalition we should start organizing them and making sure that the right people come into a room, it's about empowerment, because as I look at it from the outside, and don't get me wrong, because I have a lot of respect for the whole technical community, as you probably know, but we have been talking to the same people for 20 years on these sort of standards and not a lot changes, something changes, not a lot of changes, other people have to be brought into this discussion. 

That is what we try to do in this Dynamic Coalition, to make sure that other people start talking to each other, then the regular crowd, the usual suspects, as they call it in English. That is one of the aims that we are at this moment struggling to do. We are moving and progressing. Having said that, Serge, perhaps we can do something together as well and start organizing some sessions together in the coming year. So that's an invitation, let's discuss that after this session, of course, Yuri, your hand is up, I'll give you the final word and we'll start wrapping up this session. As you are leaving, sorry, I would very much like to make your acquaintance because we do need to talk on this topic and you were introduced, thank you for your question. Yuri, the floor is yours. 

>> YURI KARGAPOLOV: The big age of security is what we are now reacting, to what it was already, and not ‑‑ what will happen. Peter spoke about it on our IGF ‑‑ I mean IGF, and it's not dependent from what type of protocols you will be using in your IOT system. It's not dependent from IPV 6, not dependent from lower one, not dependent from others, et cetera. It depends from the complex of our ‑‑ context of our challenges, and trust environment and from the technical aspects. We discussed these usuals on our panel, subpanel. Thank you. 

>> WOUT DE NATRIS: Thank you, Yuri. Mark, if you have final comments in the chat. I can't see them. 

>> MARK: No, just a sense we are on a very important conversation, Serge made that point, and I mean, I feel, you know, we have the three IGF off to a great start with this, despite the technical glitches. I think we have to pick this up and take it forward. I mentioned we have ‑‑ we have our main coalition session on Thursday, as you mentioned and also our networking session on Friday, and I think we should highlight this as a topic, that will engage a lot of people. Thanks everybody, from me, I'm not Yuri, Mark. Yuri too, Mark. 

>> WOUT DE NATRIS: Thank you, Mark, some final comments. I think we have heard some very good comments on the way forward, because that was actually the intention of the session, not just to make our work known, but to hear what your thoughts are on how we should progress. And this is not an easy topic because the way you've come to look at it in the past year is that if you work in the domain name sector, like, for example, Roelof, you focus on DNS SEC and other domain name security systems, if you're in the internet resource world, you talk about secure routing, that's what you promote. If you're in software, you just talk about software and if you build websites, you talk about secure websites. 

When you're the consumer, like Alco was saying or you're a procurer within a corporation or an organization, like a governance, it's not just DNS SEC, you have a million ‑‑ what most likely is the outcome for somebody who procures, either you're told what to buy by your bosses or you don't procure security at all because you don't know where to start the conversation. Perhaps sometimes even on the other side who you're buying from is not even knowledgeable enough. That's the sort of empowerment I think that Serge was talking about, how do we make sure that we come to knowledgeable decisions when you're procuring ICT services, IOT devices or any other stuff that connects to the internet. 

And that's why I came up with it, not just me, the dynamic coalition came up with the idea, perhaps we should start with the top 20, because if we can identify together the most important standards, we have a start of a debate and not an overwhelming one. And from there, you people start understanding the topic and you can start developing. If a year from now we could develop some sort of an overview, what sort of standards are there, what exactly are they for? What do they cure? That would mean that somebody could have something to look at. Perhaps it exists, but nobody has told me that it is, it's just this view of many organizations making some sort of standards or best practices out in the world. 

So should we connect them somehow and make sure they become accessible in language that nontechnical people can understand as well? So that is a sort of goals we are looking at, the individual working groups that I introduced, IOT security, education and skills and procurement are working on their own programs and will be presented on Thursday at 10:00 to 5:00 in room 4 from the top of my head. I hope we can welcome you as well. I'm wrapping up in the very last seconds with thanking the moderators and the reporters for doing their part of the job. It became a bit chaotic because of failure of the website. 

I think we have done very well looking at what happened in the room and what happened remotely. I think the reporters, please send Mark and me the notes by e‑mail, we have to produce a report two hours from now, officially, so that means some work, thank you, kind people back there, for organizing everything for us in the background and making sure that we had breakout sessions, et cetera, and with that, also want to thank finally my colleagues in the Dynamic Coalition for making these sessions possible as well and thinking of the concept and everything. Finally, our sponsors that have helped us get here to ‑‑ up to today, and with that, I wrap up and hope to see you on Thursday and thank you, again, for your contributions, because they are very valuable. Have a very good IGF and see you hopefully soon.