IGF 2021 WS #200 Security of digital products – A coordinated approach

Background

The threat landscape continuously evolves, with an increasing sophistication in techniques, tactics, and procedures of adversaries. The exploitation of vulnerabilities in digital products is an essential component of cyberattacks. Resourced adversaries – such as the advanced persistent threat (APT) groups – exploit vulnerabilities for economic, political, or military gain, causing effects which result in economic or social damage, destabilising cyberspace, or impacting international peace.

At the same time, the digital supply chain ecosystem is becoming increasingly complex, with numerous small and medium enterprises and start-ups, as well as non-tech industries, providing important yet vulnerable elements of the supply chain. Products and market practices are being shaped at a much faster pace than standards and the regulatory and normative environment. Real life examples, like SolarWinds attack, suggest that even companies which comply with the standards and certifications, are not necessarily capable of fending off sophisticated attacks.

High socio-economic and political impact of cyberattacks demands approaches to secure our 'smart environment' which transcend market competition and opt-in compliance. A coordinated approach to reducing vulnerabilities should connect good industry practices, international and community standards, emerging regulatory environment, and global norms and principles.

Security of digital products is addressed in parallel by various fora:

• companies, through their 'security by design' practices (e.g. collected by the Geneva Dialogue, or the Charter of Trust),
• standard setting organisations and communities (e.g. ISO/IEC, ITU, IEEE and IETF),
• national regulators, through policies and regulations (e.g. labelling and certification schemes, as in Singapore and the European Union, or software bill of materials as in the USA),
• multistakeholders, through various principles and guidelines (e.g. Paris Call and WEF), regional organisations, through policy principles and confidence building measures (e.g. OECD, or OSCE and ASEAN),
• international organisations (e.g. UN OEWG norms related to supply chain security and reducing vulnerabilities).

All the previously mentioned fora face similar challenges:

• How to reconcile fast pace of tech development with slow policy processes
• How to strike the balance between a neutral approach towards cybersecurity practices and standards, and the increasing (geo)political importance of cybersecurity
• How to increase the diversity of stakeholders (especially SMEs and start-ups, open-source communities, etc.) in policy-making processes, while not further making those processes more complex and slower
• How to ensure the implementation of the agreed practices, standards, and principles, particularly by those stakeholders which play critical roles, but have limited resources, awareness, and incentives

At the same time, such fora often operate out of sync with each other. The IGF is an ideal setting for enhancing such dialogue and connecting the stakeholders.

Background documents

• Geneva Dialogue document ‘Security of digital products and services: Reducing vulnerabilities and secure design - Good practices’ (2020)
• Geneva Dialogue report from the online event ‘Security of digital products and international standards’ (2021)
• Geneva Dialogue report from the online event ‘Security of digital products and the regulatory environment’ (2021) 
• Geneva Dialogue and the ETHZ CSS research ‘Governance Approaches to the security of digital products’ (2021) 
• Paris Call Working Group 6 report ‘Securing ICT supply chains’ (2021)

Description:

The exploitation of vulnerabilities in digital products is an essential component of cyberattacks. Resourced adversaries increasingly exploit vulnerabilities for economic, political, or military gain, causing effects which result in economic or social damage, or destabilise cyberspace. Several multilateral and multi-stakeholder fora develop norms and principles to reduce such vulnerabilities. Standard-setting organisations cope with developing new standards, while various national regulators propose baseline requirements, and certification and labelling schemes. Under the Geneva Dialogue on Responsible Behaviour in Cyberspace (Geneva Dialogue), a dozen leading global companies jointly developed a set of good corporate practices, that translate high-level principles into day-to-day operations.

Each of those actors, however, face similar challenges: fast pace and increasing complexity of technological development; emergence of new players (e.g. open source communities and start-ups) that provide critical elements of the supply chain – particularly in the era of the pandemic; increasing (geo)political importance and politicisation of cybersecurity; limited resources, awareness, and incentives of various actors in implementing the agreed requirements, practices, standards, norms, and principles.

This workshop brings together representatives of various organisations and communities – companies and tech communities, standard-setting organisations, national regulators and diplomats, regional and international organisations, as well as the academic and civil society groups – to openly discuss challenges and ways ahead for a common approach to this emerging concern.

The session will build on the successful workshop on the security of digital products organised by the Geneva Dialogue (https://genevadialogue.ch/) at the IGF 2020, as well as the ongoing work of the Geneva Dialogue in this field. A research on the emerging trends in national regulatory environments about security of digital products, conducted by the ETHZ, and expected to be published by September 2021, will be fed directly into this discussion.

To stimulate the open exchange among stakeholders, the session will be organised in format of a moderated open discussion. Results of the research by ETHZ will help setting the stage, while several representatives of various stakeholders will be invited as discussants, to boost the discussion and the exchange.

SESSION OUTLINE:

[45'] Part I: Security of digital products – Different perspectives

• Introductory address: 'Relevance of the norms and principles and the Geneva Dialogue', Ambassador Benedikt Wechsler, Head of Division for Digitalisation, Federal Department of Foreign Affairs (FDFA), Switzerland
• Industry perspective: 'Vulnerabilities in digital products', Alexey Kuznetsov, Head of Security Analysis, BI.ZONE
• Presentation of the research results: 'Governance Approaches to the Security of Digital Products: A Comparative Analysis', Nele Achten, Senior Researcher for Cyber Security and Foreign Policy, ETHZ Center for Security Studies
• Open discussion 
  • Bilel Jamoussi, Chief, Study Groups Department, Telecommunication Standardization Bureau, International Telecommunication Union
  • Edwin Sin, Singapore Cybersecurity Authority
  • Participants

[45'] Part II: Connecting the dots – A coordinated approach

• Roundtable: 'Who's doing what'
  • Geneva Dialogue by Jonas Grätz-Hoffmann, FDFA, Switzerland
  • Paris Call (Working Group 6) by Anastasiya Kazakova, Senior Public Affairs Manager, Kaspersky
  • IGF Best Practice Forum on Cybersecurity by Sheetal Kumar, Head of Global Engagement and Advocacy, Global Partners Digital
  • Charter of Trust by Stefan Saatman, Global Coordinator Cybersecurity Policy, Siemens
  • Cybersecurity Tech Accord (invited)
  • OECD (invited)
• Open discussion
• Messages and closing

Moderator: Vladimir Radunovic, Director, E-diplomacy and Cybersecurity, DiploFoundation

Remote moderator: Andrijana Gavrilovic, Digital Policy Researcher, DiploFoundation

Rapporteur: Efrat Daskal, Digital Policy Researcher, DiploFoundation