IGF 2021 WS #200 Security of digital products – A coordinated approach

Time
Thursday, 9th December, 2021 (09:45 UTC) - Thursday, 9th December, 2021 (11:15 UTC)
Room
Conference Room 4

Organizer 1: Civil Society, Eastern European Group
Organizer 2: Civil Society, Latin American and Caribbean Group (GRULAC)
Organizer 3: Civil Society, Eastern European Group
Organizer 4: Government, Western European and Others Group (WEOG)

Speaker 1: Ambassador Benedikt Wechsler, Head of Division for Digitalisation, Federal Department of Foreign Affairs, Switzerland
Speaker 2: Nele Achten, Senior Researcher for Cyber Security and Foreign Policy, ETHZ Center for Security Studies
Speaker 3: Bilel Jamoussi, Chief, Study Groups Department, Telecommunication Standardization Bureau, International Telecommunication Union
Speaker 4: Edwin Sin, Singapore Cybersecurity Authority
Speaker 5: Anastasiya Kazakova, Senior Public Affairs Manager, Kaspersky

Format

Round Table - Circle - 90 Min

Policy Question(s)

International standards: How should international standards address the different requirements and preferences of governments and citizens in different countries?
Private sector accountability: What can be done at the national and international level to tackle private sector companies that aid and abet nation state attackers?
Additional Policy Questions Information: Enhancing the security of cyberspace: How to sync the emerging standards, regulatory environment, global norms and principles, and incorporate best practices in order to enhance security of digital products and services, and reduce vulnerabilities?

International standards play an important role in securing the digital environment, including with regard to products. However, the fast-changing environment introduces great challenges. The threat landscape continuously evolves, with an increasing sophistication in techniques, tactics, and procedures, including those set up by well-resourced advanced persistent threat (APT) groups. High socio-economic and political impact of cyberattacks, demands approaches which transcend market competition and opt-in compliance. At the same time, digital supply chain ecosystem is becoming increasingly complex, with numerous small and medium enterprises and start-ups, as well as non-tech industries, providing important elements of the supply chain. Products and business practices are being shaped at a much faster pace than standards and the regulatory and normative environment. All of this introduces challenges to the development and efficiency of implementation of standards – real life examples suggest that even companies which comply with the standards and certifications, are not necessarily capable of fending off sophisticated attacks.

Security of digital products is addressed in parallel by various fora: - companies through their 'security by design' practices (e.g. the collection of good practices by the Geneva Dialogue on Responsible Behaviour), - standard setting organisations through new standards (e.g. ISO/IEC), - national regulators through labelling and certification schemes (e.g. Singapore and the European Union), - multi-stakeholder fora through various principles (e.g. Paris Call through its Working Group 6 on Supply Chain), - regional organisations (e.g. OECD work on security of digital products), - international organisations (e.g. UN OEWG norms related to supply chain security and reducing vulnerabilities).

Those fora face similar challenges: - How to reconcile fast pace of tech development with slow policy processes? - How to strike the balance between a neutral approach towards cybersecurity practices and standards, and the increasing (geo)political importance of cybersecurity? - How to increase the diversity of stakeholders (especially SMEs and start-ups, open-source communities, etc.) in policy-making processes, while not making those processes even further complex and slow? - How to ensure the implementation of agreed practices, standards, and principles, particularly by those stakeholders which play critical roles but have limited resources, awareness, and incentives?

At the same time, those fora often operate out of sync with each other.

The IGF is an ideal setting for enhancing such dialogue and connecting the stakeholders. The workshop would build on the successful workshop by the Geneva Dialogue on Responsible Behaviour on security of digital products, held at the IGF in 2020, as well as on the continuous work performed by the Geneva Dialogue in this field.

SDGs

8. Decent Work and Economic Growth
9. Industry, Innovation and Infrastructure
16. Peace, Justice and Strong Institutions
17. Partnerships for the Goals

Targets: Enhanced security of digital products directly contributes to a safer cyber environment, which reduces likelihood of cybercrime and cyberattacks that disrupt economic growth (8). As digital products and services represent key infrastructure of the digitalised world (in a post-COVID 19 world more than ever), the industry plays critical role in ensuring secure innovation and infrastructure (9). Vulnerabilities in digital products are an important element for conducting politically driven, high-impact cyberattacks, which endanger international peace and stability. Reducing vulnerabilities thus reduces the likelihood of cyberattacks and enhances cyber stability and peace (16). Finally, drawing together companies, standard-setting organisations, regulators and governments, and regional and international organisations, to collaborate on common baseline requirements that would underpin their work and harmonise their efforts, directly contributes to enhancing partnerships for the goals (17).

Background

The threat landscape continuously evolves, with an increasing sophistication in techniques, tactics, and procedures of adversaries. The exploitation of vulnerabilities in digital products is an essential component of cyberattacks. Resourced adversaries – such as the advanced persistent threat (APT) groups – exploit vulnerabilities for economic, political, or military gain, causing effects which result in economic or social damage, destabilising cyberspace, or impacting international peace.

At the same time, the digital supply chain ecosystem is becoming increasingly complex, with numerous small and medium enterprises and start-ups, as well as non-tech industries, providing important yet vulnerable elements of the supply chain. Products and market practices are being shaped at a much faster pace than standards and the regulatory and normative environment. Real life examples, like SolarWinds attack, suggest that even companies which comply with the standards and certifications, are not necessarily capable of fending off sophisticated attacks.

High socio-economic and political impact of cyberattacks demands approaches to secure our 'smart environment' which transcend market competition and opt-in compliance. A coordinated approach to reducing vulnerabilities should connect good industry practices, international and community standards, emerging regulatory environment, and global norms and principles.

Security of digital products is addressed in parallel by various fora:

  • companies, through their 'security by design' practices (e.g. collected by the Geneva Dialogue, or the Charter of Trust),
  • standard setting organisations and communities (e.g. ISO/IEC, ITU, IEEE and IETF),
  • national regulators, through policies and regulations (e.g. labelling and certification schemes, as in Singapore and the European Union, or software bill of materials as in the USA),
  • multistakeholders, through various principles and guidelines (e.g. Paris Call and WEF), regional organisations, through policy principles and confidence building measures (e.g. OECD, or OSCE and ASEAN),
  • international organisations (e.g. UN OEWG norms related to supply chain security and reducing vulnerabilities).

All the previously mentioned fora face similar challenges:

  • How to reconcile fast pace of tech development with slow policy processes
  • How to strike the balance between a neutral approach towards cybersecurity practices and standards, and the increasing (geo)political importance of cybersecurity
  • How to increase the diversity of stakeholders (especially SMEs and start-ups, open-source communities, etc.) in policy-making processes, while not further making those processes more complex and slower
  • How to ensure the implementation of the agreed practices, standards, and principles, particularly by those stakeholders which play critical roles, but have limited resources, awareness, and incentives

At the same time, such fora often operate out of sync with each other. The IGF is an ideal setting for enhancing such dialogue and connecting the stakeholders.

Background documents

Description:

The exploitation of vulnerabilities in digital products is an essential component of cyberattacks. Resourced adversaries increasingly exploit vulnerabilities for economic, political, or military gain, causing effects which result in economic or social damage, or destabilise cyberspace. Several multilateral and multi-stakeholder fora develop norms and principles to reduce such vulnerabilities. Standard-setting organisations cope with developing new standards, while various national regulators propose baseline requirements, and certification and labelling schemes. Under the Geneva Dialogue on Responsible Behaviour in Cyberspace (Geneva Dialogue), a dozen leading global companies jointly developed a set of good corporate practices, that translate high-level principles into day-to-day operations.

Each of those actors, however, face similar challenges: fast pace and increasing complexity of technological development; emergence of new players (e.g. open source communities and start-ups) that provide critical elements of the supply chain – particularly in the era of the pandemic; increasing (geo)political importance and politicisation of cybersecurity; limited resources, awareness, and incentives of various actors in implementing the agreed requirements, practices, standards, norms, and principles.

This workshop brings together representatives of various organisations and communities – companies and tech communities, standard-setting organisations, national regulators and diplomats, regional and international organisations, as well as the academic and civil society groups – to openly discuss challenges and ways ahead for a common approach to this emerging concern.

The session will build on the successful workshop on the security of digital products organised by the Geneva Dialogue (https://genevadialogue.ch/) at the IGF 2020, as well as the ongoing work of the Geneva Dialogue in this field. A research on the emerging trends in national regulatory environments about security of digital products, conducted by the ETHZ, and expected to be published by September 2021, will be fed directly into this discussion.

To stimulate the open exchange among stakeholders, the session will be organised in format of a moderated open discussion. Results of the research by ETHZ will help setting the stage, while several representatives of various stakeholders will be invited as discussants, to boost the discussion and the exchange.

SESSION OUTLINE:

[45'] Part I: Security of digital products – Different perspectives

  • Introductory address: 'Relevance of the norms and principles and the Geneva Dialogue', Ambassador Benedikt Wechsler, Head of Division for Digitalisation, Federal Department of Foreign Affairs (FDFA), Switzerland
  • Industry perspective: 'Vulnerabilities in digital products', Alexey Kuznetsov, Head of Security Analysis, BI.ZONE
  • Presentation of the research results: 'Governance Approaches to the Security of Digital Products: A Comparative Analysis', Nele Achten, Senior Researcher for Cyber Security and Foreign Policy, ETHZ Center for Security Studies
  • Open discussion 
    • Bilel Jamoussi, Chief, Study Groups Department, Telecommunication Standardization Bureau, International Telecommunication Union
    • Edwin Sin, Singapore Cybersecurity Authority
    • Participants

[45'] Part II: Connecting the dots – A coordinated approach

  • Roundtable: 'Who's doing what'
    • Geneva Dialogue by Jonas Grätz-Hoffmann, FDFA, Switzerland
    • Paris Call (Working Group 6) by Anastasiya Kazakova, Senior Public Affairs Manager, Kaspersky
    • IGF Best Practice Forum on Cybersecurity by Sheetal Kumar, Head of Global Engagement and Advocacy, Global Partners Digital
    • Charter of Trust by Stefan Saatman, Global Coordinator Cybersecurity Policy, Siemens
    • Cybersecurity Tech Accord (invited)
    • OECD (invited)
  • Open discussion
  • Messages and closing

Moderator: Vladimir Radunovic, Director, E-diplomacy and Cybersecurity, DiploFoundation

Remote moderator: Andrijana Gavrilovic, Digital Policy Researcher, DiploFoundation

Rapporteur: Efrat Daskal, Digital Policy Researcher, DiploFoundation

Expected Outcomes

The discussion is expected to clarify challenges various stakeholders face in their work related to the security of digital products, and the existing gaps among their efforts. Hopefully, good examples of how certain actors are addressing the identified challenges will also emerge, serving as guidelines to others.

At minimum, the discussion will connect various interested actors and ongoing processes. Ideally, it would also suggest the venue for further dialogue between companies and tech communities, standard-setting organisations, national regulators and diplomats, regional and international organisations, as well as the academic and civil society groups. This direction will be further taken up by the Geneva Dialogue. Thanks to the partners of the Geneva Dialogue, findings will be fed into other fora as well, such as the OECD, Paris Call for Trust and Security in Cyberspace, Charter of Trust, etc.

 

 

Format of the session will be an interactive discussion, in round table setting. The stage will be set by a brief presentation of the findings of the report on the emerging trends in the regulatory environment about security of digital products, conducted by the ETHZ. Moderator will then invite participants to reflect on policy questions, turning to discussants to contribute their own positions, as ice-breakers. Particular voice will be given to youth participants in the audience – and especially to those from the open-source community, start-ups, and SMEs – who are critical contributors to the supply chain, yet often have limited resources in addressing security in their work. High interaction with the online participants will be stimulated, including through the introduction of online polls.

Due to the nature of the discussion and Diplo's vast experience in organising online and hybrid meetings, a hybrid meeting would be easily implemented, providing equal opportunity to both the participants in the venue and those connected remotely. A particular attention will be given to parallel discussions in chat: in order to stimulate more inputs by participants (including the shy ones, or those with weaker connections) and feed their inputs timely into the discussion, an experienced online moderator will be assigned.

Online Participation

Usage of IGF Official Tool. Additional Tools proposed: Mentimeter

Key Takeaways (* deadline 2 hours after session)

Building blocks exist. Industry has good practices, certain standards are globally recognised, global norms and principles (like the UN GGE and OEWG) call for states to focus on security of supply chain and reducing vulnerabilities, and regulatory instruments – like labelling and certification schemes – are emerging. There is a need to find a way to ensure all stakeholders are aware of these building blocks, and base their work on them.

Importantly, there are many ongoing initiatives and fora that address challenges of security of digital products, and gather actors together: Geneva Dialogue on Responsible Behaviour in Cyberspace; OECD’s Working Party on Security in the Digital Economy; Paris Call for Trust and Security in Cyberspace; Charter of Trust; Cybersecurity Tech Accord; IGF Dynamic Coalition and Best Practices Forum; ISO, ITU and other standardisation organisations.

Call to Action (* deadline 2 hours after session)

Broaden the dialogue of industries with standardisation organizations and regulators in the field of security of digital products. Geneva Dialogue and the IGF can play an important role in this regard.

Session Report (* deadline Monday 20 December) - click on the ? symbol for instructions

 

The exploitation of vulnerabilities in digital products is an essential component of cyberattacks. Several multilateral and multistakeholder forums develop norms and principles to reduce such vulnerabilities. Standard-setting organisations cope with developing new standards, while national regulators propose baseline requirements and certification and labelling schemes. The Geneva Dialogue on Responsible Behaviour in Cyberspace project (Geneva Dialogue) brings together global companies to develop a set of good corporate practices that translate high-level principles into day-to-day operations. The session, moderated by Mr Vladimir Radunović, was built on the workshop on the security of digital products organised by the Geneva Dialogue at the IGF 2020 and its ongoing work in this field.

The Geneva Dialogue initiative was introduced briefly by Mr Benedikt Wechsler (Head of Division for Digitalisation, Federal Department of Foreign Affairs (FDFA) of Switzerland) who explained that its purpose is to build a bridge between the principles and the practical level by applying a bottom-up approach. This approach brings together the private sector, the regulators, the information technology (IT) community, and the civil sector. Its main strength is its ability to be practical and non-ideological and to develop actionable principles for the security of digital products.

Mr Lexey Kuznetsov (Head of Security Analysis, BI.ZONE) elaborated on the magnitude of the problem derived from the security of digital products today. There is an increase in the number of attacks and vulnerabilities these days, especially since IT infrastructure is becoming more code-based. As codes become more complex (with digital products ending up as part of the critical infrastructure) and developers don’t have enough security knowledge, there is a need to improve transparency and apply a more responsible approach to digital products.

From the perspective of policy and regulation, digital products constitute a new field of governance and regulation. Ms Nele Achten (Senior Researcher for Cyber Security and Foreign Policy, ETHZ Center for Security Studies) presented her research on the topic noting that the term digital products is not used in regulatory instruments or guidelines on the operational level. Furthermore, her analysis revealed that the industry is not against mandatory security requirements, but there is a need for better transnational recognition of certifications. This raises two questions: Which actors are capable of advancing policies of digital products security on an international level? Can we develop policies applicable for all types of digital products?

Mr Edwin Sin (Singapore Cybersecurity Authority) provided a possible answer to some of Achten’s questions by presenting the Singapore CLS initiative. The CLS demonstrates how stakeholders can collaborate (in this case, the regulator and the private sector) in creating labels for securing digital products. Furthermore, the collaboration between Singapore and Finland in recognising each other’s labels demonstrates that states can collaborate and bridge the gap on a more international level.

Work by the Paris Call provides another example of a multistakeholder initiative dealing with ICT supply chain security. Ms Anastasiya Kazakova (Senior Public Affairs Manager, Kaspersky) presented the project in brief. The objective of the work is to shed light on the implementation of the existing OECD recommendations on the topic and share practical, actionable steps stakeholder groups can take for stronger ICT supply chain security. The main conclusion is that all actors have a role to play towards stronger ICT supply chain security. She explicitly highlighted the need to create incentives for security-focused behaviour on both the supply and demand side, enhancing ICT supply chain transparency by the public and private sector, and ensuring harmonisation across emerging national regulatory and industry approaches.

The topic of harmonisation was echoed in the discussion that followed around the issue of standardisation organisations and regulators and the need to incorporate them in the talks.