IGF 2021 WS #228 Supply Chain Governance and Security for IoT Resilience

Wednesday, 8th December, 2021 (10:15 UTC) - Wednesday, 8th December, 2021 (11:45 UTC)
Conference Room 6

Organizer 1: Madeline Carr, University College London
Organizer 3: Louise Marie Hurel, Igarapé Institute
Organizer 4: Duncan Hollis, Temple University Law School

Speaker 1: Joyce Chen, Technical Community, Asia-Pacific Group
Speaker 2: Louise Marie Hurel, Civil Society, Latin American and Caribbean Group (GRULAC)
Speaker 3: MItra Mirhassani, Technical Community, Western European and Others Group (WEOG)
Speaker 4: Peter Davies, Technical Community, Western European and Others Group (WEOG)

Additional Speakers

Jen Tisdale: Executive Policy Advisor for Future Mobility Cybersecurity, GRIMM

Tim Davy: Cyber Innovation Consultant, Munich RE

Martin Emele: European Director, Automotive ISAC

Rebecca Crootof, Richmond Law School


Madeline Carr, Civil Society, Western European and Others Group (WEOG)

Online Moderator

Duncan Hollis, Civil Society, Western European and Others Group (WEOG)


PABLO HINOJOSA, Technical Community, Asia-Pacific Group


Round Table - Circle - 90 Min

Policy Question(s)

Assessing Internet governance approaches and mechanisms and fostering inclusiveness: What are the main strengths and weaknesses of existing Internet governance approaches and mechanisms? What can be done, and by whom, to foster more inclusive Internet governance at the national, regional and international levels?
Technical Internet governance: How can the technical governance of the Internet (e.g. the development of standards and protocols, and the management of critical resources) take into account the needs and views of all stakeholders?

Additional Policy Questions Information: What are the governance challenges facing policymakers and incident responders to manage risks and build resilience when facing supply chain attacks in the IoT?

Lessons from Internet governance can and should be applied to complex supply chain security challenges. Different stakeholders must collaborate to ensure the integrity of supply chains and prevent the proliferation of malware or harmful back-doors that may cause disruption in the digital and/or physical world.


9. Industry, Innovation and Infrastructure
11. Sustainable Cities and Communities
12. Responsible Production and Consumption
16. Peace, Justice and Strong Institutions

Targets: Governance of the supply chain for all sectors, but particularly for connected autonomous vehicles is a key challenge that will require many views and perspectives to be taken into account. From an industrial perspective, sector leaders must have an understanding of what vulnerabilities are emerging, how those vulnerabilities congregate, and what steps they must take to mitigate against them in a responsible, ethical manner (9 and 12). Ensuring supply chain security in critical infrastructures like transport will be essential to promoting sustainable cities and communities (11) in which people can take advantage of emerging technologies with the confidence that their rights will be respected and upheld (16). However, most importantly, this workshop will focus on the quality of the governance and institutions that can bring supply chain integrity in a way that promotes a human centric approach to technological change (16).


Through a focus on connected autonomous vehicles, this workshop will expand on supply chain attacks - traditionally analysed predominantly from the energy sector perspective. These are proving increasingly disruptive and there is much that still needs to be explored in terms of the governance, secure practices, and corporate structures that can mitigate against them. Incidents such as SolarWinds and the Colonial Pipeline have highlighted that these attacks are very difficult to anticipate, prepare for, and protect against. They also highlight the need for not only a multi-stakeholder, but also a multi-disciplinary approach that can comprehensively consider the interoperability and interdependencies between the digital and the physical spaces in the IoT. The automobile industry provides an example in which software and hardware interact with increasing intensity in a safety critical system through a highly complex supply chain. Questions around risk management, the financial dimensions, and social impact of supply chain vulnerabilities will need to be taken up in collaboration with insurance companies and they are a necessary element for this discussion. Policy and technical considerations need to be integrated much more holistically to offer a better view of this subject. Assessing Internet governance approaches to supply chain security requires fostering an inclusive and collaborative approach. We strongly believe that supply chain security is a contemporary governance challenge that reaches beyond security considerations and could benefit enormously if analyzed through the lens of Internet governance.

Expected Outcomes

We will involve experts from the private sector, government, academia, civil society and technical community to exchange views and deepen understanding of supply chain security, asking and resolving questions from an Internet governance perspective. These experts will include perspectives from the automobile and insurance industries; law and policy experts from academia; experts from the incident response technical community and governmental representatives. The report from this workshop will be used as a contribution to activities currently underway in the World Economic Forum's Global Council on the Future of the Connected World.

We would like to offer a seamless hybrid interaction with a diverse group of experts with some attending physically and others remotely. This hybrid format will allow us to bring world class experts together in an open dialogue about the multistakeholder governance challenges of the supply chain. We are proud to have supported successful roundtables where a number of experts add fresh perspectives that, aggregated into a report, can advance the international debate on the subject at hand. We have a track record of bringing together, to the IGF, diverse groups to deliberate on emerging Internet governance challenges in a constructive way. Through the use of breakout groups and online whiteboards, we will incentize the collection of insights and views to converge in a group report aimed at a facilited global knowledge exchange.

Online Participation


Usage of IGF Official Tool. Additional Tools proposed: We plan to utilise an online whiteboard such as Miro that can be accessed through any platform to encourage remote participants to contribute to the discussion and share their views.


Key Takeaways (* deadline 2 hours after session)

(1) Questions arose about whether the Internet we have is the Internet we need in order to accommodate cyber-physical, safety critical systems. (2) Internet governance has proven to be a flexible, adaptable model and may be able to offer valuable insights into governing the IoT.

(3) We need to think about scope and focus for developing a multi-stakeholder policy agenda to move forward with the implementation of these systems.

Call to Action (* deadline 2 hours after session)

(1) Continue with a series of workshops to expand on what we discussed today.

(2) Bring diverse stakeholders to these workshops (including the insurance and automotive sectors), expanding the range of voices that participate in these deliberations at the IGF.

Session Report (* deadline 26 October) - click on the ? symbol for instructions

IGF 2017 Reporting Template

Session Title:                      WS #228 Supply Chain Governance and Security for IoT Resilience

- Date:                                      8 December 2021               
- Time:                                     11:15am-12:45
- Session Organizers:         Madeline Carr, Pablo Hinojosa, Duncan Hollis, Louise Marie Hurel

- Moderator:                           Madeline Carr
- Online Moderator:            Duncan Hollis            
- Rapporteur:                         Pablo Hinojosa

- List of Speakers and their institutional affiliations:   (in order of participation)


  • Madeline Carr, Professor of Global Politics and Cybersecurity, University College London
  • Louise Marie Hurel, PhD Researcher, London School of Economics
  • Jennifer Tisdale, Senior Principle, GRIMM
  • Mitra Mirhassani, Co-Director, SHIELD Automotive Cybersecurity Centre of Excellence, University of Windsor
  • Duncan B. Hollis, Laura H. Carnell Professor of Law, Temple University
  • Rebecca Crootof, Assistant Professor of Law, University of Richmond
  • Tim Davy, Cyber Security Specialist, Munich RE
  • Pablo Hinojosa, Strategic Engagement Director, APNIC
  • Peter Davies, Technical Director Security Concepts, Thales UK and Chair, Security Workstream, Automotive Electronic Systems Innovation Network (AESIN)
  • Ine Steenmans, Lecturer in Futures, Analysis and Policy, University College London

- Key Issues raised (1 sentence per issue):                

  • As in past IGF sessions, this roundtable is an effort to improve dialogue between the policy, technical and internet governance communities.
  • This year, we involved the insurance sector which has not previously been represented at the IGF.
  • We always choose one specific issue around which we can gather and exchange views in an effort to better understand diverse perspectives on a contentious topic.
  • This roundtable was an effort to better understand the wide range of implications of supply chain governance and security in the complex, safety critical IoT systems that are increasingly being connected to existing Internet infrastructure.
  • We also acknowledged that Internet governance has proven to be remarkably flexible and adaptive, and we asked for views on the extent to which this may provide lessons for governing other complex systems and ecosystems.
  • We chose connected autonomous vehicles (CAVs) as the focus for the roundtable because it represents a sufficiently complex, high value example that is close to implementation.
  • One of the key issues raised was that CAVs introduce a new dimension of cybersecurity from those we have focused on in the past – physical security – with the real potential for harmful consequences for failures, including loss of life.
  • This led to discussion of lines of responsibility, the assignment of risk, liability, and accountability – which stakeholders are / can be / should be responsible for ensuring that internet infrastructure is governed in such a way as to accommodate new uses?
  • A key question emerged as to whether the Internet we have now is the Internet we will need in the future.
  • One of the clear messages to emerge was the need for an expanded group of stakeholders to join in Internet governance deliberations including those in the automotive sector, the insurance sector, and hardware manufacturers.
  • At the same time, there was recognition from within the automotive sector of the benefits of further engagement with internet governance models in approaching questions of CAV security
  • There was a presentation on the extensive vulnerabilities in this supply chain and the real challenges around identifying, detecting, and reducing them.
  • From a legal and insurance perspective, there was a view that these challenges with governing and securing systems are leading to humans in the loop being constructed as ‘liability sponges’.

- If there were presentations during the session, please provide a 1-paragraph summary for each presentation:                 

- Please describe the Discussions that took place during the workshop session (3 paragraphs):     

  • Existing problems, standards, regulations and coordinating initiatives were outlined by sector and legal participants. But the acknowledgement that we face a ‘governance gap’ in this context led to a discussion about what other accountability structures might incentivize the change needed to ensure we are able to fully implement CAVs and other similar systems with Internet architecture in a safe, secure manner.
  • Much of the discussion incorporated conflicts between existing approaches to governing cybersecurity and expectations of consumer protection that shape the CAVs ecosystem. One stakeholder’s ‘fix’ can be another’s ‘problem’. For example, it was pointed out that while information sharing is often suggested as a remedy to cybersecurity challenges, competition law precludes that. In addition, it is very unclear what would constitute ‘evidence’ in a court of law in case of automotive accidents resulting from Internet governance issues.

- Please describe any Participant suggestions regarding the way forward/ potential next steps /key takeaways (3 paragraphs):    

  • There was a consistent plea for nimble, proactive policy intervention – all participants agreed that in the absence of market drivers for addressing this, other mechanisms are required. However, doing so across (or even within) jurisdictions is extremely complicated and problematic. Reflecting innovation in public policy, Dr Steenmans recommended the IGF may be a useful forum for actively and collectively reconsidering how the problem is defined, how this challenge can be conceptualised in a sufficiently long timeframe, and how the interests and perspectives of the wide range of stakeholders can be better integrated and reconciled or aligned.
  • Professor Hollis observed that there was a strong tradition of mapping in Internet governance – on both technical and policy issues. He recommended that future steps for this group could usefully include an examination of how to take this same model into the automotive / autonomous systems regime complex and think about boundaries and intersections of different sources of standards, guidance, and regulation, (both informal and formal) to see where there were overlaps and gaps in terms of governing the Internet for safety critical, cyber-physical systems.
  • The supply chain of connected autonomous vehicles is a hugely complex arena and one that we can only begin to explore through this workshop. Essentially, we urgently need to think creatively about how to link systems like this to an Internet that was not designed to accommodate them. The insurance sector will continue to be an important source of expertise and insight into this problem. Better integrating this sector into the IGF will help with risk analysis and evaluation. The observation was made that if the insurance sector struggles to find a market in CAVs, then governments may have to provide a backstop of cover and this will be an area that the IGF will be well placed to contribute.

 Gender Reporting

- Estimate the overall number of the participants present at the session:

Around 40 pax.

- Estimate the overall number of women present at the session:

25 pax.

- To what extent did the session discuss gender equality and/or women’s empowerment? 

The list of speakers was diverse in terms of gender, stakeholder group and geographic representation.

- If the session addressed issues related to gender equality and/or women’s empowerment, please provide a brief summary of the discussion:

The list of speakers was diverse in terms of gender, stakeholder group and geographic representation.