Report IGF 2020 Launch of DC Internet Standards, Security & Safety (DC-ISSS)
Friday, 6 November, 2020 - 09:10 to 10:40 UTC
DC-ISSS leadership:
- Wout de Natris
- Mark Carvell
- Marten Porte
This session marks the official launch of the Dynamic Coalition on Internet Standards, Safety and Security (DC-ISSS). Wout de Natris, Chair of the DC, presented the goals of the event and of the DC at large: make policy recommendations and connect both existing stakeholders and new stakeholders. A picture was painted of the status quo of the implementation of Internet standards and the reasons that have led to it. For this, the connection was made to the report that came out of the 2019 IGF pilot project on Internet standards deployment, which investigated both the causes of and possible solutions to slow standards deployment. Of these, three were selected by the DC-ISSS participants for the initial work of the Dynamic Coalition:
- Security by Design - sub-group IoT security;
- Education and skills;
- Procurement, supply chain management and the creation of a business case.
Following the introduction, four experts gave a short presentation on the importance of a safer internet and the deployment of security standards.
Jonas Grätz-Hoffmann – Office of the Special Envoy for Cyber Foreign and Security Policy, Federal Department of Foreign Affairs, Switzerland – spoke about the importance of digital governance for the Swiss Government. He also warned of the fragmentation of global rules and standards and the Internet as a whole. He stressed that the Dynamic Coalition could become a key milestone in strengthening the IGF in new ways in terms of creating concrete, actionable outcomes.
Olaf Kolkman – Principal, Internet Technology, Policy and Advocacy, Internet Society – spoke about positive examples of standards deployment and the reasons behind them. Based on a book by Everett Rogers, ‘Diffusion of Innovations’, he explained that the deployment of innovations generally goes through five stages:
- Knowledge/awareness is necessary;
- The innovation needs to seem useful to the potential user;
- A decision is made on deployment;
- Implementation phase;
- Confirmation that the innovation works and you keep using it.
For the persuasion phase, five factors are at play:
- Relative advantage;
- Complexity;
- Compatibility;
- Try-ability (without breaking the system);
- Observability.
Security standards have serious issues on all five of these factors. The relative advantage is often missing, especially for first movers. Deployment is especially lacking when complexity is high. Also, new standards are often inherently incompatible with other standards. On top of that, big challenges exist with being able to try new standards and with observing that a standard has been implemented. Initiatives should focus on improving these five factors.
Raymond Onuoha – Associate Member, African ICT Foundation – showed the challenges that exist in standards deployment in an African context. One report showed the importance of network security as a shared responsibility. Therefore, initiatives exist to avoid duplication of efforts and to bridge capacity deficits. Furthermore, the necessity of capacity building was stressed, which can be considered by Working Group 2 of the DC-ISSS. Lastly, he highlighted that national governments are key actors for promoting best practices and facilitating information sharing.
Ghislain de Salins – Digital Security Policy, OECD – gave a presentation on IoT security by design. He explained the work being done in the OECD and the importance of IoT security. He also described the different stages at which vulnerabilities can appear, such as in the microprocessors, meaning that a once secure product is not necessarily secure forever. Another issue with IoT products is legacy products, or products that are no longer updated by the manufacturer. One of the issues is the misalignment of market incentives. The OECD designed a policy tool kit which goes from raising awareness to liability legislation.
Presenting the DC-ISSS
In the following part of the session, Mark Carvell recounted the road taken from the pilot project around the IGF in Berlin to the current session. He stressed the commitment to sustain the momentum, including a series of individual stakeholder consultations on key issues and priorities for the first phase of taking the work further under the auspices of the IGF, and thus to bring the topic of deployment to the next level. The goal is to use the IGF framework to deliver tangible policy outcomes.
The themes of the three DC-ISSS Working Groups were then presented:
WG1: Security by Design: Sub-group 1 - Internet of Things
Yurii Kargapolov – Chair of IoT Special Interest Group, Internet Society – laid out the proposed work for the working group on Internet of Things. He stressed the importance of protecting websites against the most common vulnerabilities and of enhancing the trustworthiness of platforms. It will also be important to avoid duplication of other IoT-related initiatives. The first aim of the working group will be to create guidelines of best practices. Secondly, the working group will aim to identify current barriers to deployment and how to overcome them. Another topic that was touched upon was the disclosure of vulnerabilities, which is necessary for safe IoT devices.
Participants asked if there will be more working groups on security by design. These are foreseen and can be activated by request or when it is necessary to do so.
WG2: Education and Skills
Janice Richardson – International Advisor, Insight S.A. Luxembourg – presented the goals for the second working group on education and skills. She stressed the importance of including Internet security in education and skills programmes. She explained that some of the information or communication technology courses, e.g. at university and the vocational level, currently do not include digital security, which is problematic. The working group will identify best practices. In addition, the security of online learning platforms is important, but might be addressed in another working group. In conclusion, she believes that educational curricula should include greater coverage of Internet security, safety, governance, and architecture depending on the level. Rather than working on public awareness, the working group aims to reach relevant organisations such as ministries of education and universities. Other outreach options were also discussed.
WG3: Procurement, Supply Chain Management and the Business Case
Alejandro Pisanty – Universidad Nacional Autónoma de México (UNAM) – illustrated the difficulty of having many competing standards. He explained that many rules are being created but often not followed up on. This working group on procurement, supply chain management and business case will look at how the normative role of the government can be used to increase deployment of standards. The purchasing power of the state and large corporations should be put to good use to include these standards in their purchasing requirements. One of the goals will be to create a comprehensive practical guide on incorporating relevant and optimal security standards in procurements, including SMEs. Also, knowledge gaps and inconsistencies between countries should be bridged. Best practices are to be shared by the participants, as well as bad practices from the past.
Closing remarks
The three remaining themes, a) regulation, b) human rights and consumer protection, and c) responsible disclosure of vulnerabilities will start at a later phase of the project, as soon as it is opportune to do so. This is the same for other sub-themes in WG1 on Security by design, e.g. for websites, platforms, data storage, software, etc.
The Chair concluded the session by thanking all speakers and inviting everyone who is interested to join and share their knowledge and ideas. It was also requested that people who are interested in chairing one of the working groups get in touch with the leadership.
Furthermore, the Chair stressed the need for funding to actively support the work and progress of this Dynamic Coalition. He concluded by highlighting the progress that has been made on this topic within the IGF framework. Now the real work on content will start. A special thanks goes out to the Swiss Federal Ministry of Foreign Affairs for its support in making the launch of the DC possible.
The working groups will meet on Tuesday 24 November (WG1), Wednesday 25 November (WG2) and Friday 27 November (WG3), all at 12.00 UTC. More information and the link to sign up to the mailing list can be found here.