IGF 2023 Open Forum #57 Procuring modern security standards by governments&industry

Time
Thursday, 12th October, 2023 (04:30 UTC) - Thursday, 12th October, 2023 (06:00 UTC)
Room
WS 10 – Room I
Issue(s)

Cyberattacks, Cyberconflicts and International Security
New Technologies and Risks to Online Security

Other - 90 Min
Format description: Short presentations, followed by discussion among participants and interaction with the public

Description

As digital technology has become an integral part of everyone's lives and work, security is no longer a nice-to-have but a prerequisite for working and living free from online harm and its consequences in the offline world. At the same time, cyber incidents only seem to grow in number and impact. This Open Forum shows what government procurement agencies and the purchasing departments of other organisations can do to raise their own level of security, and as a result everyone else's: by procuring secure by design.

When cybersecurity is discussed, the focus is often on the end user, who is held responsible for security. In practice there is often little these users can do to protect themselves. When internet standards are not built in by design, or ICT best practices are ignored by designers or manufacturers, the end user is usually left in the dark about security. It does not have to be this way.

The Dutch government has a policy on open standards to support interoperability, (re)use of data and lower dependency on specific suppliers. To attain these goals, the Standardisation Forum was established in 2006. The Standardisation Forum does not develop standards, but it can assign a status (required or recommended) to existing standards for the public and semi-public sector. Its 'Comply or Explain' list helps governments procure secure ICT. In this Open Forum, the Standardisation Forum presents its approach and its list of the most relevant and urgent security-related internet standards and ICT best practices.

Inspired by the Dutch approach, the Internet Standards, Security and Safety Coalition (IS3C) of the IGF is currently conducting a global study into procurement and supply chain management, analysing to what extent governments and industry use procurement to enhance their cybersecurity. The results of this study will be presented in this session. Representatives from other countries are invited to share their ideas and experiences.
The debate will focus on what is perceived to work best:

1. The stick: organisations are threatened with measures or legislation to make them comply.
2. The carrot: organisations are (financially) rewarded for complying.
3. Preaching: organisations are told why it is good to comply.
4. Force: organisations are compelled to comply by legislation or fines.

Participants will be asked to share their experience and views on this matter. Finally, an international version of a 'comply or explain' list will be presented. This list is the result of an international advisory panel that worked under the aegis of the IGF in 2023 and reached rough consensus on its content. Imagine how security could change for the better if all organisations in the world started to procure and purchase ICT according to these principal standards: the standards would become integrated in all ICT and IoT devices, services, applications, software and hardware, which would then be sold secure by design.

Active engagement between the online and onsite moderator will ensure that all participants get their chance to speak. All participants will be invited to engage in the chat so that opinions can be captured this way as well. A moderator can read the most relevant comments from the chat so that they are on record.

Organizers

Netherlands Standardisation Forum

Mallory Knodel, Center for Democracy & Technology and Internet Architecture Board (IETF), U.S.;
Steven Tan, Cyber Security Centre of Singapore, government, Asia (still to be confirmed);
Larissa Zegveld, Kennisnet and Netherlands Standardisation Forum, government, Europe;
Wout de Natris, Coordinator IS3C, Europe;
Participant from Japan Network Information Center (JPNIC) (still to be confirmed);
Gerben Klein Baltink, Dutch Internet Standards Platform (Internet.nl), Europe;
Marjolijn Bonthuis, ECP, Europe

Speakers

Mallory Knodel, Center for Democracy & Technology and Internet Architecture Board (IETF), U.S.; 
Wout de Natris, Coordinator IS3C, Europe;
Gerben Klein Baltink, Dutch Internet Standards Platform (Internet.nl), Europe;
Annemiek Toersen, Dutch Standardisation Forum, Europe;
Gilberto Zorello, NIC Brasil, South America;
Flavio Kenji Yana, NIC Brasil, South America;
Satisch Babu, INAPP, Southern Asia;

Onsite Moderator

Olaf Kolkman, ISOC

Online Moderator

Gerben Klein Baltink, Dutch Internet Standards Platform (Internet.nl), Europe

Rapporteur

Marjolijn Bonthuis, ECP, Europe

SDGs

9. Industry, Innovation and Infrastructure
16. Peace, Justice and Strong Institutions

Targets: Cybersecurity has to lie at the heart of our ever more digitising world. When governments and larger organisations start to procure ICT secure by design, based on the principles shared in this workshop, the internet, as a worldwide critical infrastructure, will become far more secure and less prone to incidents and harm (SDG 9). This will aid economic development, because online platforms and services become more secure and safer to use. It will also provide a more peaceful and inclusive use of the internet and thus help the goals under SDG 16 to flourish.

Key Takeaways

1. Modern internet standards (such as IPv6, DNSSEC, HTTPS, DMARC, DANE and RPKI) are essential for an open, secure and resilient Internet that serves as a driver of social progress and economic growth. Such standards have been developed, but their use needs to increase significantly to make them fully effective. Procurement policies have proven to be an effective means of ensuring that these standards get traction and are used more widely.

2. Not using modern standards is a risk for the individual internet user. However, users are often not aware of it (because standards work "under the hood"), and there are economic network effects that prevent users from fully benefiting immediately ("first-mover disadvantage"). Research by IS3C has shown that public-private partnerships can play a crucial role in creating the transparency and awareness that is needed to reach critical mass.

Call to Action

1. To governments and TLD registry operators: monitor the usage of modern internet security standards (such as IPv6, DNSSEC and RPKI) in the public sector and in society. For this they can use open source tools such as https://Internet.nl and even extend them (e.g. with tests for Universal Acceptance and for accessibility). Such tooling provides transparency, helps end users articulate their demand, and creates an incentive for vendors to comply.

2. To governments and industry: publish procurement policies regarding modern internet security standards. These can be reused by others when creating their own procurement policies, and vendors can use them as requirements for their software and systems. The list of the most important internet security standards created by IS3C (https://is3coalition.org/) can be used as a reference (consultation open until 5 Nov 2023).
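To make the first call to action concrete, below is an added example of the kind of check a monitoring tool performs for one of the standards named in the takeaways (DMARC). It is not code from the session, from IS3C or from Internet.nl. It assumes a procurement requirement that the page does not spell out: a domain must publish DMARC with an enforcing policy (quarantine or reject) applied to 100% of mail, plus an aggregate-report (rua) address so that adoption can be observed. The four domains and their records are constructed sample data; a real monitor would fetch each record with a TXT lookup of _dmarc.<domain>.

```python
"""Evaluate published DMARC records against a small 'comply or explain' rule set.

Added example, not code from the session, IS3C or Internet.nl.  The rule set
(enforcing policy, pct=100, rua present) is an assumption, and the sample
records at the bottom are constructed, not real lookups.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

VALID_POLICIES = {"none", "quarantine", "reject"}


@dataclass
class DmarcVerdict:
    compliant: bool
    policy: Optional[str]
    findings: list[str] = field(default_factory=list)


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into tag/value pairs.

    Tags are case-insensitive (RFC 7489), so they are lower-cased; values are
    kept as published.  A part without '=' is a syntax error.
    """
    tags: dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag-value pair: {part!r}")
        tag, value = part.split("=", 1)
        tags[tag.strip().lower()] = value.strip()
    return tags


def evaluate_dmarc(record: Optional[str]) -> DmarcVerdict:
    """Return a verdict plus the reasons a record fails the (assumed) requirement."""
    if record is None:
        return DmarcVerdict(False, None, ["no DMARC record published"])
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return DmarcVerdict(False, None, [str(exc)])

    findings: list[str] = []

    # RFC 7489: the version tag must come first and must be exactly DMARC1.
    first = record.split(";", 1)[0].replace(" ", "").lower()
    if first != "v=dmarc1":
        findings.append("record must begin with v=DMARC1")

    policy = tags.get("p", "").lower() or None
    if policy is None:
        findings.append("required tag p= is missing")
    elif policy not in VALID_POLICIES:
        findings.append(f"unknown policy value {policy!r}")
    elif policy == "none":
        # p=none only reports; spoofed mail from the domain is still delivered.
        findings.append("p=none monitors only, it does not block spoofed mail")

    # pct defaults to 100; anything lower lets part of the failing mail through.
    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        findings.append(f"pct must be an integer 0-100, got {pct!r}")
    elif int(pct) < 100:
        findings.append(f"pct={pct} leaves {100 - int(pct)}% of failing mail unfiltered")

    # Without rua= nobody receives aggregate reports, so adoption cannot be observed.
    rua = tags.get("rua")
    if rua is None:
        findings.append("no rua= aggregate-report address")
    elif any(not u.strip().lower().startswith("mailto:") for u in rua.split(",")):
        findings.append("every rua= URI must be a mailto: address")

    return DmarcVerdict(not findings, policy, findings)


# Constructed sample data: four fictional public-sector domains and the DMARC
# record each is assumed to publish (None = no record at all).
SAMPLE_RECORDS: dict[str, Optional[str]] = {
    "ministry-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@ministry-a.example",
    "agency-b.example": "v=DMARC1; p=none; rua=mailto:dmarc@agency-b.example",
    "council-c.example": None,
    "office-d.example": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@office-d.example",
}


def adoption_report(records: dict[str, Optional[str]]) -> dict:
    """Summarise how many monitored domains meet the requirement and why others fail."""
    verdicts = {domain: evaluate_dmarc(rec) for domain, rec in records.items()}
    return {
        "total": len(verdicts),
        "compliant": sum(v.compliant for v in verdicts.values()),
        "verdicts": verdicts,
    }


if __name__ == "__main__":
    report = adoption_report(SAMPLE_RECORDS)
    print(f"{report['compliant']}/{report['total']} domains compliant")
    for domain, verdict in report["verdicts"].items():
        status = "OK  " if verdict.compliant else "FAIL"
        print(f"{status} {domain}: {'; '.join(verdict.findings) or 'enforcing DMARC'}")
```

Of the four constructed domains only the first passes: the second publishes p=none (monitoring only), the third has no record, and the fourth applies its quarantine policy to just 25% of failing mail. Reporting the reasons, not only a pass/fail count, is what lets a procurement officer turn a scan into a "comply or explain" conversation with the supplier.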