Procuring modern security standards by governments & industry | IGF 2023 Open Forum #57

12 Oct 2023 04:30h - 06:00h UTC

Disclaimer: It should be noted that the reporting, analysis and chatbot answers are generated automatically by DiploGPT from the official UN transcripts and, in case of just-in-time reporting, the audiovisual recordings on UN Web TV. The accuracy and completeness of the resources and results can therefore not be guaranteed.

Full session report

Wout de Natris

The Internet Standards, Security and Safety dynamic coalition is dedicated to enhancing the security and safety of the internet. They have formed three working groups to address specific areas: Security by design on the Internet of Things, Education and skills, and Procurement and Supply Chain Management and the Business Case. These groups aim to tackle various challenges and contribute to a more secure and safer online environment.

The coalition is actively engaged in several projects, including the deployment of DNSSEC (Domain Name System Security Extensions) and RPKI (Resource Public Key Infrastructure), as well as exploring emerging technologies and addressing data governance and privacy issues. These initiatives reflect the coalition’s commitment to promoting best practices and robust security measures in the digital landscape.

One of the key objectives of the coalition is to convince decision makers to invest in secure design and deployment of internet standards. To achieve this, they are developing a persuasive narrative that utilises political, economic, social, and security arguments. By providing compelling reasons, they aim to encourage decision-makers to prioritise and allocate resources towards implementing robust security measures.

The Procurement and Supply Chain Management and the Business Case working group has released its first report, which focuses on comparing global procurement policies. This report sheds light on the current landscape and provides insights into various approaches and practices in procurement. Consequently, this information can be utilised to identify areas for improvement and to advocate for more secure and transparent procurement processes.

An important observation highlighted by the coalition is the lack of recognition of open internet standards by government policies. This finding underscores the need for greater alignment and integration of these standards into policy frameworks. Universal recognition and adoption of standards for data protection, network and infrastructure security, website and application security, and communications security are seen as crucial steps toward a safer digital environment.

In addition, the coalition aims to provide a practical tool for decision makers and procurement officers. This tool, which includes a list of urgent internet standards, will help guide decision-making and procurement processes, ensuring that security considerations are effectively integrated into ICT procurement.

The coalition also seeks to improve procurement policies and the validation process for open internet standards in public procurement. They recognise the importance of streamlining and expediting these processes to ensure efficient and effective adoption of open standards. By doing so, procurement policies can be enhanced, leading to more secure and reliable digital infrastructure.

Overall, the Internet Standards, Security and Safety dynamic coalition is making significant efforts to enhance internet security and safety. Their work spans various areas, from promoting secure design and deployment of internet standards to advocating for the recognition and adoption of open internet standards in government policies. By collaborating and addressing key challenges, they aim to create a safer online landscape for individuals, organisations, and governments.

Audience

The speakers discussed the importance of promoting the international use of testing websites to uphold standards such as accessibility and sustainability. They highlighted the effectiveness of a Dutch testing website and advocated for its adoption globally. The positive sentiment was reinforced by the speaker’s personal experience of receiving a T-shirt after testing a website that scored 100%.

Shifting focus to India’s digital transformation, the discussion revealed concerns about the poor compliance status. Although India has made progress in digital public infrastructure, including the development of a vaccine website during the COVID-19 pandemic, there is a need for scaling up existing applications to meet the demands of the country’s population. The lack of multilingual applications and universal acceptance in India’s digital transformation was also brought to attention, with a specific mention of the problem of non-Latin scripts in domain names. The speakers highlighted ICANN’s efforts to resolve this issue and suggested incorporating testing for these aspects in the code of internet.nl.

The importance of digital standards was emphasized, but it was noted that India does not have a law mandating compliance with the latest standards. Instead, the speakers proposed nudging stakeholders through volunteer work and the periodic dissemination of test results.

Overall, the analysis provided a comprehensive overview of the discussions, including key points, arguments, and evidence presented. The speakers’ positive sentiments, concerns, and suggestions offer valuable insights for further exploration in the field of digital transformation and compliance.

Annemiek Toersen

Open standards play a crucial role in enhancing the interoperability, security, accessibility, and vendor neutrality of IT systems within the Dutch government. The Netherlands Standardization Forum, which advises the Dutch government on open standards, has identified about 40 open standards on the “comply or explain” list that are mandated for use in new IT systems or services.

To promote open standards adoption, the Dutch government has implemented a comprehensive strategy that includes mandating specific open standards, investing in community building, and closely monitoring their adoption. The Netherlands Standardization Forum has successfully secured agreements for implementing standards like HTTPS and DNSSEC. They also use internet.nl to regularly measure the usage of open standards across approximately 2,500 government domains.

To achieve wider acceptance, the Dutch government actively cooperates with vendors and international counterparts. For example, the Netherlands Standardization Forum has collaborated with Microsoft to ensure support for the DANE security standard by spring 2022. They are also sharing the code base of internet.nl with countries like Denmark, Australia, and Brazil to encourage broader adoption of open standards.

Despite these efforts, there is still work to be done, as many government tenders do not fully comply with open standards requirements. The Netherlands Standardization Forum regularly reports insufficient compliance to the Dutch cabinet.

Collaboration between internet.nl and other dashboards focusing on website accessibility can strengthen testing standards, including elements like accessibility and sustainability.

Convergence of different internet standards is necessary to avoid duplicating efforts, and the Ministry of Internal Affairs and Infrastructure is working towards a single dashboard to combine various standards.

Validating standards is crucial, and the Netherlands Standardization Forum emphasizes the need for scrutiny to ensure effectiveness and relevance.

The adaptation of standards is supported, but it requires common agreement among multiple organizations in the Netherlands. Overall, open standards are foundational to the Dutch government’s IT systems, and the Netherlands Standardization Forum continues to drive adoption. However, challenges such as compliance and convergence need to be addressed through ongoing cooperation, validation, and adaptation.

Mallory Knodel

The analysis emphasizes the significance of implementing global internet security standards in procurement and supply chain management policies. It highlights that while some countries, like The Netherlands, already incorporate references to standards in their procurement policies, there is a noticeable lack of standardisation across regions and countries. This lack of a unified and syndicated approach poses challenges in ensuring consistent and effective internet security measures throughout supply chains.

To address this issue, the promotion of multi-stakeholderism in procurement and supply chain management is advocated. The suggestion is to utilize platforms such as the Internet Governance Forum (IGF) as a means to advance this initiative. By involving various stakeholders, including governments, private sectors, and civil society, it is believed that a more comprehensive and collaborative approach towards internet security can be achieved.

Moreover, the analysis calls for greater transparency in procurement policies worldwide. Specifically, it points out the need for more countries to openly publish their procurement policies. This transparency not only enhances accountability but also allows for better knowledge-sharing among nations, fostering the adoption of best practices in internet security.

Another key argument made is that cybersecurity standards should be treated as reference points in international treaties. These standards can also be transformed into compliance mechanisms, ensuring that nations adhere to established protocols in internet security. Additionally, there are opportunities to utilize open cybersecurity standards, which provide a basis for common guidelines and practices that can be widely implemented.

In terms of potential future investigations, the relevance of standardisation in the EU procurement process is acknowledged. While not the main focus of the research, the impact of standardisation on EU procurement is considered an area worth exploring further. This suggests that standardisation has the potential to play a significant role in shaping procurement practices within the European market.

Furthermore, the analysis highlights the importance of market entry as a driving factor for companies to pursue standardisation. In some cases, US companies may opt to get their technology standardised at platforms like ETSI in order to meet the requirements of European governments or tender bids. This emphasizes the role of standardisation in facilitating market access and competitiveness in the European market.

In conclusion, the analysis underscores the need for global internet security standards in procurement and supply chain management policies. It calls for a more standardized and syndicated approach across nations, promoting multi-stakeholderism and transparency. By treating cybersecurity standards as reference points and compliance mechanisms, and utilizing open standards, greater consistency and effectiveness in internet security can be achieved. The relevance of standardisation in the EU procurement process and its impact on market entry are also recognized. Overall, this analysis provides valuable insights and recommendations for advancing internet security standards in the procurement and supply chain management domain.

Alisa Heaver

The Dutch government strongly supports the Platform Internet Standards and Forum Standardisation, recognizing the crucial role that standards play in various sectors. They view the adoption of standards as essential for driving innovation and fostering a strong digital infrastructure. The government actively forms public-private partnerships to further promote the adoption of these standards.

These partnerships have been instrumental in advancing the use of standards by the Dutch government. Collaborating with private entities allows them to leverage expertise and resources to implement and develop internet and other types of standards. This collaborative approach strengthens the government’s ability to adopt standards and encourages collective responsibility in their development and implementation.

The Dutch government’s support for internet standards extends beyond its borders. They actively encourage other governments to embrace these standards for procurement and promote global collaboration. Alisa Heaver, a representative of the Dutch government, emphasizes the importance of working with experts in respective countries on internet and other types of standards. This collaborative emphasis ensures that standards are tailored to meet the unique needs and contexts of different countries, contributing to the global adoption and implementation of standards.

In conclusion, the Dutch government’s strong support for the Platform Internet Standards and Forum Standardisation reflects their understanding of the vital role of standards in driving innovation and creating a robust digital infrastructure. Through public-private partnerships and global collaboration, they actively promote the adoption of standards both domestically and internationally. This commitment not only advances their own digital agenda but also contributes to the global framework for standards and collaboration.

Olaf Kolkman

The Internet Governance Forum (IGF) meeting focused on the importance of internet security for the common good. Olaf Kolkman, an advocate for protecting infrastructure, emphasized the need to safeguard the internet to benefit everyone, rather than just individual organizations. This highlights the collective responsibility to ensure the security and stability of the internet.

One of the challenges discussed at the meeting was the slow adoption processes for open internet standards. The adoption of these standards often takes several years before they are widely implemented. However, the meeting recognized that public-private partnerships can play a crucial role in promoting and accelerating the adoption of modern internet standards. By collaborating with various stakeholders, including governments and private organizations, the widespread adoption of these standards can be facilitated.

To further support the implementation of modern internet standards, effective tools were highlighted. The internet.nl test tool, for example, helps organizations and individuals assess if their websites, emails, and local connections are functioning in line with these standards. It is projected that over 1 million tests will be conducted using this tool by 2023. This demonstrates the practical impact and usefulness of such tools in facilitating the adoption of modern internet standards.

Knowledge sharing across countries was also emphasized as a means to promote the adoption of open internet standards. Countries like Brazil, Denmark, and Singapore have already initiated the adoption of these standards and tooling, setting an example for others to follow. The Platform Internet Standards, which was initiated as a public-private initiative, is open to learning from global experiments. This collaborative approach allows for the exchange of knowledge and best practices, enabling more countries to adopt these standards effectively.

Olaf Kolkman strongly supports the use of open internet standards as they enhance user safety, security, and online connectivity. He calls upon organizations to adopt these standards to ensure that the internet functions correctly and benefits everyone. These standards not only safeguard individual users and organizations but also contribute to the overall well-being of society.

Aside from discussions on internet security, the importance of accessibility and captioning in reducing inequalities was also acknowledged. The work done by Rochelle and her team in captioning was appreciated. Accessibility measures play a critical role in ensuring equal access to information and services for all individuals, regardless of abilities.

The Dutch Internet Standards Forum highlighted the need for wider use of testing and procurement methodologies to ensure the proliferation and adoption of internet standards. Olaf Kolkman pointed out the effectiveness of procurement methodologies and tools like internet.nl. He emphasized the practical impact of such initiatives, both in terms of financial considerations and wider deployment. It is imperative that regions and countries beyond the Dutch Internet Standards Forum begin utilizing similar tools to increase their usage and effectiveness.

In conclusion, the IGF meeting emphasized the importance of internet security, the challenges in adopting open internet standards, the role of public-private partnerships, the need for effective tools, and the significance of knowledge sharing and accessibility. It underscored the collective responsibility to protect infrastructure for the common good and to ensure that the internet functions in a safe, secure, and accessible manner for all. The discussions and insights gained from the meeting contribute to advancing the adoption and implementation of modern internet standards globally.

Gerben Klein Baltink

The adoption of modern internet standards is essential for ensuring safety, security, and efficient connectivity in today’s interconnected world. However, the process of accepting and implementing these standards can be slow and challenging. It requires the cooperation and agreement of both IT technicians and board members within an organization.

The Platform Internet Standards and internet.nl play a vital role in making modern internet standards more accessible. Internet.nl, for example, has experienced significant growth, with over one million tests conducted in 2023. It provides a platform that allows users to determine whether their website, email, or local connection is functioning correctly with modern standards. This enables organizations to identify and address any issues that may arise during the implementation process, facilitating the correct adoption of standards.

International cooperation and sharing of resources and strategies are crucial for the global success of modern internet standards. Several countries, such as Brazil, Denmark, and Singapore, have established similar initiatives and platforms to promote the adoption of these standards. The Platform Internet Standards is open to sharing its learnings and experiences with other countries and organizations interested in establishing similar initiatives. This collaborative approach promotes knowledge exchange and fosters a more unified and effective implementation of internet standards worldwide.

The Dutch Internet Standards Forum plays a significant role in implementing new internet standards. The process of adding new standards to internet.nl is based on a consensual agreement within the forum. This ensures that all stakeholders have a say in determining which standards should be included and how they should be implemented.

When integrating new standards, the team at internet.nl investigates existing open-source tests that comply with the desired standard. If suitable tests are not available or do not integrate well with the current test environment, they consider creating their own code. This flexible approach allows for the seamless integration of new standards, ensuring that the testing process aligns with the specific requirements of each organization.

In cases where certain standards, such as accessibility standards, do not integrate well with the current test environment, proactive promotion is recommended. Instead of disregarding or delaying the adoption of these standards, they should be promoted as future inclusions. This approach encourages continuous improvement and ensures that all aspects of internet standards are addressed in due course.

In conclusion, the adoption of modern internet standards is crucial for ensuring safety, security, and efficient connectivity. The Platform Internet Standards and internet.nl play a vital role in making these standards more accessible through testing tools and solutions. International cooperation and the sharing of resources are essential for global success. The Dutch Internet Standards Forum facilitates the implementation of new standards, and the integration process involves investigating existing tests or creating new code. Proactive promotion of standards that cannot be immediately integrated ensures a comprehensive approach to internet standards.

Flavio Kenji Yana

NIC-BR is a non-profit civil entity in Brazil that is responsible for the administrative and operational functions related to the .br domain. Their main focus is on improving the internet infrastructure in Brazil, and their projects and actions aim to benefit various sectors of Brazilian society. One significant project is the Test Padrões (Test Standards) project, which utilizes open source code provided by the Dutch implementation. This project promotes the best security practices for websites, email services, and user connections to the internet. It was implemented in December 2021, and its effectiveness can be assessed on top.nic.br. By adopting these security standards, NIC-BR aims to enhance internet security in Brazil.

The Test Padrões project is part of Brazil’s Safer Internet program, which collaborates with Internet Service Providers (ISPs), including operators. NIC-BR defines Key Performance Indicators (KPIs) to monitor the effectiveness of their actions. By working with ISPs and service providers, NIC-BR ensures widespread adoption of these security recommendations, creating a safer internet environment.

NIC-BR is actively involved in the Manners initiative, which encourages good online behavior. Brazil has the largest number of participants in this initiative, and there has been a significant annual increase in participation. This demonstrates Brazil’s commitment to creating a positive online environment and fostering partnerships for the Sustainable Development Goals (SDGs).

Brazil has a robust internet landscape with over 10,000 ISPs, including small and medium-sized operators nationwide. These ISPs account for approximately 50% of the internet traffic in Brazil. Many ISPs and Internet Service Provider Associations in Brazil actively support NIC-BR’s programs and initiatives, emphasizing their dedication to improving the internet ecosystem.

In summary, NIC-BR plays a crucial role in Brazil’s internet governance and infrastructure. Their projects, such as Test Padrões, and collaborations with ISPs contribute to a safer internet environment. Brazil’s active participation in initiatives like Manners showcases their commitment to responsible online behavior and partnerships for sustainable development. With the support of ISPs and service providers, NIC-BR is working towards enhancing internet security and improving the overall internet experience for users in Brazil.

Session transcript

Olaf Kolkman:
Okay, dear friends, last session at least for me and I think also for most of you, here we are in a meeting of the IS3C or the Internet Standards Security and Safety Coalition, which is actually the name of one of the dynamic coalitions here at the IGF. The topic of this workshop is, the title of this workshop is Procuring Modern Security Standards by Governments and Industry and that’s part of the interest of this dynamic coalition. In general, when you look at security being deployed in organizations, then there is always an informed self-interest to protect yourself. The problem with securing the internet is that that is security for the common good and usually you’re securing something within your infrastructure to protect yourself partly, but also others. So there are all kinds of economic incentive problems that make the introduction of internet security standards and common practices might be difficult. And this dynamic coalition sets out to both study and stimulate the deployment of those modern internet standards. I’m looking at Wout, seeing if I’m summarizing this well. And we’re here to discuss a number of the work items that the coalition has been working on. Can I have the next slide? Ah, can I have the next slide? Yes. So we’re here with a bunch of speakers and panel members. My name is Olaf Kolkman, I’m from the Internet Society. We have Satish Babu. We have Flavio Kenji Yana. Liz Orembo will join us later. Wout de Natris is here at the end of the table. Satish and Flavio are also at this table, of course. Gerben Klein Baltink is online, if everything is well. Annemiek is to my left, to the right for the watchers. And Gilberta Zorrella is in Brazil and online. The layout of the session, you can skip this slide. Everybody knows by now that I’m that person. I’m giving the introduction at this moment.
Then Gerben Klein Baltink and Annemiek Toersen will talk a little bit about the role of open standards, particularly in procurement experience in the Netherlands, a nice presentation. Then, oh wait, wait, wait, then Wout de Natris will talk a little bit with Liz, who will be there. Then we have an opportunity for questions from the audience, both online and here in the room. Next slide. Satish Babu will then present some perspectives. At that time, we’re close to 2.30 already. And then we’ll have a panel discussion. Oh no, we will have Gilberta Zorrella and Flavio giving some perspective from Brazil. And after that, we have only a couple of minutes for a panel discussion and further questions. If everybody is still awake and not fallen asleep from sleep. A long, long week. So let’s go. Without further ado, the session on the platform internet standards in the Netherlands.

But before we go there, Alisa Heaver from the Dutch government, Ministry of Economic Affairs, is here. And she would like to say a couple of words. Camera swing to the microphone about this initiative.

Alisa Heaver:
Yes, so my name is Alisa Heaver. I’m from the Dutch government, from the Ministry of Economic Affairs. And the Dutch government has been fully supportive of this platform internet standards and of the forum standardization where Annemiek is from. And these two standard public-private partnerships have been really crucial in the Netherlands to, at least for the Dutch government, to further adopt standards that are deemed of importance. And I think it’s good that we’re having this session here. And I would also really like to encourage other governments to work together with experts in their countries on internet standards and on other types of standards to see which standards should be adopted by government and used for procurement. You’ll hear a lot more about that. And yeah, I really think that we should, well, I’m really pleased that we have this good relationship in the Netherlands. And I hope to see this spread across the world. So have a good session here.

Olaf Kolkman:
I guess that’s back to me. Yes, without further ado, I think we are going to listen to Gerben. So if the Zoom room can be opened so that Gerben can speak, that would be great. Gerben, are you with us?

Gerben Klein Baltink:
I am with you, but can you hear me?

Olaf Kolkman:
And now we can hear you. Hello, Gerben.

Gerben Klein Baltink:
Good morning. Well, as mentioned by Olaf, talking about standards is not relevant just for the individual user of the internet, but for the common good. And it has been some, I think, 10 years ago that amongst other people, Olaf and I met at a meeting at the Ministry of Economic Affairs in the Netherlands, where we sat together with organizations across the board from, let’s say, the Internet Society in the Netherlands, as well as Dutch government. And all of us were involved in some way in trying to bring open modern standards forward. But we all realized that this was not an easy thing to do. The adoption process is sometimes very slow. It can take many years before the actual take-up of a new standard is realized. And we, discussing this topic, we realized that we could do something, perhaps, in close cooperation in a public-private initiative that then was called the Platform Internet Standards. Our first meeting was around nine years ago of this new body, of this new platform. And we soon realized that we really had to stick together, government, public organizations, private organizations, to make this work. And one of the things that we soon realized is that if we would like to make modern internet standards more acceptable for everybody, it would help if there would be some kind of test tool to make sure that everybody could see if their own website and email or local connection could actually use these modern standards and if they use them, whether these standards are set up in the right way. And of course, this is not something that many individuals will do themselves. So we initially focused at organizations hoping to attract both the technical people in such an organization, as well as the board members, because it’s not something that can be done by IT technicians alone, it has to be accepted by the board of an organization as well. This test tool, and some of you may know it or even use it, it can be found at the website internet.nl. 
And there we dive into many of these modern open standards, but we do not only explain the standard and test the standard, we also point out how you can go, and this is the procurement part, to your supplier if something is not set up correctly or if a standard is simply not used. So one of the things that we offer is insight in does your website, does your email, does your local connection function correctly with these modern standards? And if not, what would be the kind of solution that you can apply? At this website, you will also find the hall of fame of those websites that are already 100% up to speed with these modern standards, but also a hall of fame of hosting organizations that can help you if you want to have their support to have your own website and email set up in a correct way. And we have seen that the use of internet.nl by many organizations and many individuals is growing and growing. I think we will pass over one million tests this year in the year 2023 itself. And we come from, let’s say, 650,000 tests last year. And we do also see tests in a more technical environment. Our API and our dashboard, where you can run multiple domains, multiple email servers at once, and see if these are all set up correctly. So these modern standards, we think, will benefit everybody because your safety and security and connectivity online will be enhanced greatly. So what we try to achieve is that as many people have, and organizations have, these modern standards so that we can all benefit from an internet that is functioning correctly. And the good news is, as Alisa mentioned in the beginning, it would be great if other countries would have the same idea about these modern open standards and applying them. And we are more than happy to help other organizations, other countries, to set up something similar. And some countries already have, like Brazil, like Denmark, like Singapore.
So we see initiatives around the globe in the adoption of these standards and tooling. And we are open to learn from other experiments as well. And you can’t do without explanation. And the explanation can be found at the website itself, but also in the help and the help team that we have to provide organizations with support. And we have also made some tooling available and not only from our platform internet standards, but also from international and national organizations that have the same kind of idea. So for now, I would like to hand over to Annemiek and let her explain what the Dutch government does with the forum standardization.

Olaf Kolkman:
And you’re more than welcome to visit internet.nl and make use of our test tools. Thank you.

Annemiek Toersen:
Thank you very much, Gerben, for your introduction. And thank you for attending our session, all of you in the here and abroad. And my name is Annemiek Toersen from the Netherlands Standardization. And I like to tell more about how Holland and the Netherlands do something about adoption of open standards. Why, actually, open standards? Sorry. I am from the forum, Netherlands Standardization. And the standardization is a think tank and aims for more interoperability of the Dutch government. Open standards are key to this goal. And therefore, the standards from the forum actively promotes and advises the Dutch government about the usage of open standards. So the forum has about 25 members with various backgrounds, from government, business and science. And the main topic of the forum is the organization of the so-called comply or explain list of open standards. And this list should be applied by the complete public sector organizations, central as well as the central. So why open standards? All open standards we promote regards information exchange between governments and citizens and also between governments themselves. So with open, we mean that the specifications of the standards is publicly available and that interested parties can participate in the standardization process. So there should be no single party that controls the standard. So open standards are more important because of the interoperability as mentioned here and the security which influences trust, of course, accessibility as government is obliged to inform the whole society, of the society as a whole, and vendor neutrality. When it comes to internet standards, the Dutch government has a threefold strategy shown here in the picture. I will go briefly through it. First, the standardization forum can mandate specific open standards. We can do so by including standards on this list, the so-called comply or explain list. This is done after careful research in which we also consult technical experts.
Standards on this list should be required when governments are investing in new IT systems or services. As we survey on some bigger IT organizations within the Dutch government, we have seen quite some progress using open standards. However, it also became clear that some organizations hadn’t moved yet. So therefore, in addition to the comply or explain list, standardization form can also make agreements, agreements with ultimate implementation dates. That might be handy because we have already done so for several modern internet standards like, you might know, HTTPS and DNSSEC. We have initial plans to make such an agreement for RPEG-EI as well. Sorry, I go back, because I wasn’t finished yet on that number two. I just finished the number one, the mandatory. If we go to corporations, we work together. Let me show a little bit more. We mandate also, apart from number two, we abide specific open standards law. For instance, the open standard HTTPS is now, since July the 1st in Holland, in the Netherlands, obliged by the law, the WDO, the digital government law. If we go to the second block on the left side, the corporation, we invest in community building. So we try to bridge the gap between technical experts and government officials. So therefore we are already happy with the internet standard platform Gerwin just mentioned, and are actively participating in this platform. This corporation enables us to be more effectively helpful to governments with their technical questions, and also with their questions regarding how to request the modern internet standards from their vendors. And the third block on your right side, we monitor the adoption of standards. So how do we do that? We review tenders and procurement documents, and for modern internet standards we happily use, of course, the internet.nl, Gerwin mentioned already, to frequently measure over about 2,500 government domains. 
A small note I can mention here is that since internet.nl now also has a test for RPKI, we will perform a large scale measurement for RPKI. The results of this measurement will be used in the decision process to set on ultimate implementation date for RPKI. All right, we go indeed to the next slide. In order to benefit the use of open standards, it’s very important to have a certain critical mass because if only one or two organizations use the standards, the public society has no advantage at all actually. So we need more and more participants using open standards and by creating more transparency, we create also more openness. We refer to an analysis of the Bureau of Economic Policy here in the note under these two downwards in the sheet. You can have a link if you like from us. Furthermore, I go to the mandatory, number one, specifically. As I told you, we have a complier explained list and on that list we have about 40 open standards. These standards are evaluated through four criteria, openness, added value, market support and proportionality, therefore the critical mass as mentioned before. The standards should be actually proven in practice, that’s very important. Open standards vary in different categories like, well, of course, the internet and security standards, document standards and web standards, but also, for instance, for administration like e-invoicing, but there are many more. And when the government invests, they should request for those relevant standards. Government should use these standards. In case they don’t use it, then they should report it and with a specific reason. For instance… If it costs extremely much money, then they can report it in their annual financial report why they didn’t use the open standards. Okay. We go to the next slide, please. I already mentioned 40 open standards of which about 15 are related to the Internet security. 
These standards prevent, for instance, from spoofing, eavesdropping, and, well, you might know better already, but those are some of those Internet standards. RPKI we already mentioned, but, well, especially DNSSEC and IPv4 6. In addition, security.txt is just a new one on our list. It’s very handy. Next sheet, please. We go, as you recognize it, to number two, the cooperation. So to get further in promoting the use of these open standards, we don’t only mandate, but also, indeed, cooperate, as I mentioned before. We do that in a couple of ways, nationally, internationally. Nationally, we already mentioned platform Internet standards, but also with the Secure Mail Coalition. Last week, my colleagues were together with a lot of European countries talking about international possibilities, and we reuse Internet.nl codes as much as possible, and Denmark, Australia, Brazil already started with it, but we invite you, as well, if you are interested, please take contact with us, because we can help you. The code is in English available, and, well, we can assist whenever you want. In order to create that critical mass again, because more people, then it works more efficient, and we have more knowledge gathering together, and get it better every day. Besides that, we contact vendors and hosters. So think about Cisco, Microsoft, of course, Open Exchange, Google, Akamai, well, we can mention much more. And as an example, Microsoft, we contacted them in order to implement Dane, support Dane security standards. And this inspired Denmark as well to write a letter. And the results are with success, because coming spring 2022, 2024, they will fully support the Dane security standards. So that is very, we look forward to see that next year. Microsoft will work together. Finally the monitoring where I was talking about, we evaluate the tendencies I mentioned on the relevant open standards and we research whether those open standards are included. 
So apart from that, we take also contact with governments in order to check whether they requested open standards and are included in the offers of suppliers. If they didn’t, then we call them and get in touch and ask why, because some of them don’t explain unfortunately in the reports. We also would like to know why they didn’t ask it. And a lot of procurement departments don’t even know how to start with it. So we support them with the text, special text for tenders. And we support them with a decision tree, which makes it handy for people who are not so technically, don’t have a technical background, but a procurement background, can support them to ask for those specific standards. Unfortunately, we conclude that these tenders still not fully complete with open standards. That’s a pity. And we report this once a year to the cabinet in the Netherlands. The internet.nl mentioned already a couple of times, you see also this nice t-shirt. If you score as a Dutch organization 100%, then you have a very special t-shirt, apart from the Hall of Fame, of course, as Gerwin mentioned. The actual usage of the open standards is measured twice a year. So twice a year we offer this also to the cabinet. And the tooling, we can do that en masse, but also if some organizations like to have their own measurement, that’s also possible. So please contact us. And we conclude that there is quite some growth in using the open standards due to the cooperation. So we mentioned already the cooperation with Microsoft, but also other vendors. And that might, yeah, well, that have results. That’s good to hear. So it works. That’s what it says. Good to know for you is that we sometimes dig deeper. So for instance, vendors who lag behind, we contact. And if there is room, we advise about the standards and so to use, so the use improves. And the last final, well, actually it says already, if you don’t ask it, you don’t get it. So that’s for sure. So there are some lessons learned. 
Please make sure whenever your government tender, ask for open standards. And check it with the tool, the tooling internet.nl. Just like Denmark, Australia and Brazil did, who did reuse the code. So I invite you, if you have questions about that, but also hesitate, like, is it something for our country or our government, please feel free to question.

Olaf Kolkman:
Thank you very much. I hand it over to Olaf. Thank you. And I just typed in my personal domain, xalx.nl in internet.nl, and yes, 100%, that t-shirt is mine. Now, I also, just as a remark, I also have to smile a little bit when you talk about modern internet standards, because some of the standards that you refer to as modern are indeed a quarter of the age of the internet itself. However, the security.txt standard has been published as RFC 9116 in April 2022. So that is a really interesting, fresh standard. And just to give you a little bit of a feeling why that standard is so important, the security.txt standard is very simple. It says, publish contact information of the person who is responsible for the security of your website in a specific location of your website, so that somebody who finds a bug, a vulnerability, in your website knows where to find that contact information. It’s a very simple standard about, if you want to know something, look there. And by doing so, you help people that do security research being able to contact the people responsible for the problems. And that makes a great difference in the security of the internet. Again, this is not about your own infrastructure, although this one helps, but it’s also about collaborating in the greater good. And I think that security.txt is an easy, explainable example of this. A quick logistical question, Wout. Will you take your session now, or shall we first move on to a? You’ll take over, okay. Then Wout, you have something to report. I have. Thank you, Olaf.

Wout de Natris:
My name is Wout de Natris and I am a consultant based in the Netherlands. And within the IGF community, I’m the coordinator of a dynamic coalition called Internet Standards, Security and Safety, as you can see on this slide. And our strap line is making the internet more secure and safer. And that’s, of course, something that everybody tells you and everybody says. But we actually came up with an action plan to do that. Next slide, please. Next slide, please. And we started at the virtual IGF of 2020 with a concept of a dynamic coalition. In 2021, we were able to present three working groups. And that is number one, two, and three you see on this list. And the first one is security by design on the Internet of Things. And that working group released its report this Tuesday here at the IGF. The second one is education and skills. And that already released its first report last year in Addis. And we’ll come to number three very soon. And number five as well. Number four is internal but also does analysis of our relevance compared to the global digital compact and the sustainable development goals. And that last report was also presented here at the IGF. Number six is data governance and privacy. That was supposed to be released, but that was done together with UNDESA. And they decided not to release so that we could not share that information here. Number seven is a skeleton that never came true. But I had a meeting today that may actually revive it very soon. So that is encouraging news. Number eight is on DNSSEC and RPKI deployment, two standards that have been mentioned many times at this table already. But this is not about talking about the technique of deployment, we are going to try and produce a narrative that convinces people in decision-taking positions to actually procure, secure by design. 
And it may be that they are always asked from a technical point of view, but these people probably need political, or economical, or social, or security arguments to be convinced to invest or demand these levels of security. Number nine we announced is on emerging technologies, and also there we had several talks here at the IGF. These are quite encouraging that we will be able to start this global comparison on policies that are being developed on AI, quantum, and perhaps in the future metaverses. Number 10 you see is a dot, number 11 is a dot, anyone who has an idea that would fit this dynamic coalition can step up and contact me or Mark Revell, who is not here but who is our senior policy advisor, and share your idea and then perhaps we will see what we can do together. So let me proceed to number three and number five, that is what we are presenting on here today. Next slide please. So the working group number three is called Procurement and Supply Chain Management and the Business Case. The person who should be presenting here is Lisa Rambo, but apparently her session took a lot longer than planned, and hopefully she still comes in, and if not I will do the presentation completely, but I have done it before, it is not really an issue. This working group produced its first report here at the IGF, so we released it on Tuesday and what we did, next slide please, is a global comparison of procurement policies of governments. Next slide please. That what this group did was try and see how many procurement documents are available on the internet, but also to see if they are from the government or from the private sector. What we found are only public documents. So we found 11. Oh, Mallory, you can take over right away. There’s a chair for you. So I’ve only had the first slides. You can sit and present if you like.

Olaf Kolkman:
Yeah. Okay.

Wout de Natris:
Yeah. It’s a great timing because I’m at the first slide. So I’m explaining what we were trying to achieve. So thank you. This is Mallory Knodel and Mallory actually did the whole planning and part of the research that she was responsible together with Lisa Rambo for the report. So Mallory, great to have you here and please take over from me. Yeah.

Olaf Kolkman:
How much time do I have? I don’t want to go on and on. About 10? Okay. Good. Right.

Mallory Knodel:
Sorry to interrupt this whole flow, but I was at a different session and it just ended. So I’m glad to be here. I’m glad the timing’s worked out. So yes, this is then the first slide where we’re really explaining what the goal of this work has been defined as. When we look at the procurement and supply chain management in the business case, that of course is in addition to other tactics where we can further the security standards throughout the internet. But at this very particular point, we also wanted to consider what is then the internet governance’s role in this work. How could the IGF from where it sits and all the stakeholders that participate in it benefit from this sort of research and perspective and guidance when talking at a high level about norm setting around the recommendations for procurement and for supply chain management. So we will go to the next slide, please. Do I have to do that myself? Okay. Great. Great. Wanted to then, in the plan, you know, figure out where we’re headed and how we’re actually going to get there. And it primarily, to me, seems to be a research project, assuming that there are in fact many procurement guidances out there already, and the question really is, do they include and consider security standards? And if our guy, if we are creating new guidance at the more global level, we want it to of course be impactful and to be taken up. So part of the research of figuring out what already exists in this space is an exercise in finding out who our main stakeholders would be and ensuring that the work product that comes out of it is any good. So that’s what this slide really tells you. The text is of course too small for you to read here, but we identify the outcome as: meeting global internet security standards is a ubiquitous baseline requirement in any public or private sector procurement and supply chain management policy. Now, the different objectives speak to some of the different strategies I’ve just mentioned. We want to fully 
scope and map the variety of procurement policies that already exist to determine what are the current challenges and opportunities for people setting those policies. The second objective is to make sure that we can distill that into very actionable guidance for anyone who is writing these policies, or refining them for that matter, or even implementing them. And then the last thing is, of course, we want to create a group and a community, a dynamic coalition if you will, around this work so that it continues and it’s strengthened by iteration, by continued research. So those are the three different objectives. There are different activities under each one that I’m not going to go ahead and elaborate, but just suffice to say we’re really just in the first bucket. We’re really only looking, at this very early stage, at the research itself and the scope of what we’re actually up to. So that’s what we’ve been able to accomplish with this first research paper. The next subsequent, where we’re distilling it into real guidance, where we’re building a community of practice around this, that comes in the years to come. So next slide, please. So yes, so this is what our survey achieved. We really just had to, of course, create a research question, create sub-questions, actually go out and find source material to question, to, you know, be curious about. So we were asking what has been done by others on procurement and supply chain management guidance? What is already out there? There’s a really uneven spread. You know, we sort of assumed at some point that we would hit on a goldmine, maybe like a regional document had been created and then all of the countries in that region had followed the document, but that never really actually happened. In fact, it’s really patchy. 
You do have some European countries who have done something, but then you have, and you have some like Latin American countries, but, you know, it’s not even and it’s actually not clear where this sort of norm-setting could happen, which indicates that there’s a gap and that this is something we can actually do. So the next slide, please. I’m not going to go through the terminology, but for the purposes of the paper, we do try to define what these concepts mean. Next slide, please. So the methods was really quite straightforward. It was desk research. We didn’t get to a stage where we would do actually interviews with people. I feel like that might be next phases where we’re actually looking at, you know, what kind of guidance would be helpful and actionable. You actually talk to people who’ve done this before and try to understand from them what they’ve done in a qualitative kind of way, but this is very just let’s find all the documents we can that seem to fit the brief and read them and break them down. So we created sub questions when we’re asking. We were curious about only procurement that talks about cybersecurity, not all procurement. We don’t care where people’s pencils come from. We then distilled it into are they talking about, well obviously they had to be published, that was the second one, and then we were looking for clues that security standards would actually be present in those documents. Next slide, please. Yep, I think this is really straightforward. I just want to say that we did take care in making sure that we had representative samples. We were hoping to have a spread on language, but that was a challenge because the main researchers were English-speaking. We wanted to make sure that we had not just global North countries, but also global South countries. 
We were looking, of course, for places where there was synergy between different procurement policies, and then obviously where there are also gaps. Next slide, please. We, in order to present the findings, we did actually track the findings. We were looking through all of these. We struggled to figure out at first how to present all the different findings, because it was such a patchwork sampling and there was not the synergy that we expected. So we went ahead and adopted an existing framework that comes from NIST that at least takes cyber security functions and breaks them out. So this just allowed us to be a little bit more incisive as we were distilling some of the advice that we found in the different documents. So I’m not going to go through this, but in the report it helps orient the reader a bit to this NIST framework, so that you can see why we rationalized presenting the findings in the way that we did. Next slide, please. There, the conclusions, I think, are the most important part, so I won’t rush through them so much. I’ll let you read them. I will just point out a few. So actually, I’ll just point out two. I’m gonna focus on the Netherlands for both of them. So, you know, and we can all be proud of how well the Netherlands has done in this area. It’s something that we knew to expect going into it, but specifically the two that we thought were worth mentioning was that one of the very few procurement policies that even mentions standards at all was the coming out of the Dutch ministry, and I’m not going to be able to pronounce the name of the Postul of Leghuislijst, and we just had a presentation about both of these. Wonderful, so you all know already how terrific they were, but they turned up in our research as examples of things that we would like to see others potentially will make it into our guidance to follow. So next slide please. 
The other sort of real conclusions here that I think are worth mentioning is then where this research points to future work because it was our intention all along to not really do anything new with this research but actually point the way towards what could be done. And so I think we’ve done a good job of identifying and making a case for why we need to take future action and this is for others who really wanna take up this work and want to use the IGF as a platform to move some of this significant work forward. So the open standards, open cybersecurity standards should be points of reference and there’s an opportunity to make use of that. There are some international treaties that also could be translated into compliance mechanisms that could implicate procurement and supply chain. There are many places that do not even have standalone documents and it might be a good opportunity or that haven’t published them openly. I guess we could maybe give that caveat but that’s an opportunity to do that and to encourage it. So if you have procurement policies, please publish them. If you don’t yet have them, maybe you ought to consider it because it’s quite important. The fourth future work area is that we could also develop these frameworks. So this I would imagine would be in the larger work within the dynamic coalition where you connect this strategy, remembering it’s one of many, to the larger work that other people are doing within a framework. There is also a need to do proper documentation not in the sense of norm setting but just in the sense of learning, monitoring and evaluation of how this works when there is an incident. We’re folding that in and trying to learn from it in the context of procurement. And then the very last thing is just it would be really great in the IGF again to leverage the multi-stakeholderism of this and to encourage more coordination. We often feel like this might be a conflict of interest to have industry and governments, especially 
when those industry are going after, you know, those contracts, those procurement contracts. But in fact, that ability to collaborate and work more closely, I think, could have good effects. So that should be the last slide. But maybe we’ll go one more. Let’s see. Yeah. So of course, you can contact us. This is all information that’s also in the report itself, so you don’t need to worry about this slide. And I think that’s it then. So thanks. I hope that was on time. I didn’t. Thank you, Mallory. That was perfect. Wout? No, I’m going on with the next slide. Ah, good. Then it’s not perfect, but we’ll manage.

Wout de Natris:
It’s definitely perfect what Mallory said, as you could, she voices it much, much better than I ever could. So thank you, Mallory, for joining us. But I think, and this is not on the slide, but from the other research that we’ve done, for example, on IoT security, what we see is the same what comes out here, is that this open internet standards that we’re talking about are almost not recognized by government. They’re not in policy papers, let alone in legislation, which we’re not advocating here. But the fact that governments don’t recognize the existence of exactly that what makes the internet work is worrying. Because does it mean that they don’t know it exists? Do they don’t understand what the implications are? If you don’t protect that inner core of the internet. So that is a question that comes up in all our research. As you can see that we went through procurement study and global comparison study with the recommendations and the conclusions that you just saw. We also have a working group that is called Prioritizing and Listing Existing Security-Related Internet Standards and ICT Best Practices. What this working group has done and also just like the procurement, thanks to the RIPE Community Fund that graciously funded all this work, is that if governments are to start procuring, there are probably 10,000 standards that need to be procured at some point in time and it will probably be very overwhelming to explain to somebody who doesn’t even know the first one exists. So we got together a team of experts and we asked them to list the most urgent existing open security standards out there. And it won’t be a surprise that we asked the project manager of forum standardization to step in to help. But with people from India, from Latin America, from Singapore and a few other countries, they got together and started talking. And through the past months, they came up with a list which has been on consultation since last Tuesday. 
But what we try to do is to provide decision takers and procurement officers involved in ICT procurement with a list containing these most urgent internet standards so that they can actually have a tool to start working with and start understanding why this is so important. And then comes the working group I mentioned on the narrative that is going to be another little component of this whole thing the IS3C is trying to produce. Next slide please. So and well as I said that there is a consultation going on since the 10th and you are happy to join it. The link can be provided at any moment. It closes on Sunday the 5th of November. But what is it exactly that we are consulting? Next slide please. So what did our advisory panel do? First they started to grasp what the meaning is. After that they decided it needs scoping. And that scoping came down to four parts and you can see that three of the four are the same as was presented just now by Annemiek. So the first one the standards have to be interoperable. So that means that you do not only protect yourself but you also protect somebody else but somebody else also has to protect you. So it’s about two sides that need protection to have an effect. The second one is they are all security related. So that leaves out a lot of other sort of standards. All these standards have to have an open process. So available for everybody. You don’t have to pay for them. You can access them. You can start using them without having to become a member of an organization or without nothing. You can just find it on the internet and deploy them. And finally they have to be proven as a success. So others must have deployed them as well and successfully. And that’s number four is different than from the forum standardization. So you can see that this is an influence coming from other parties as well. When we decided on the scoping we came to categories. And after a lot, lot, lot of discussions we came to four categories. 
The first is data protection and privacy. The second network and infrastructure security. The third website and applications, web application security. And finally communications security. And what was debated the most, should there be a fifth one on cloud security? Because that is one of the biggest topics out there at this moment. But most of the experts said no, because these four categories go for the cloud, so we don’t need a separate cloud component. They all function within the cloud, so cloud should adhere to these four. So the next step was when we had that, we could start thinking about which standards are actually going to be in that list. And that proves a lot easier than the scoping and the categories, because that was done in a few days, and everybody more or less agreed except the ones that I want that one and that one. But we want about 40, so that’s manageable. And we have a concept list at this point in time. Next slide, please. So I’m not going to mention which are in there, but a lot have been mentioned by Annemiek, because the most urgent one will be in her list, but there are differences. So people, other people from other places in the world stressed another standard. And that is what we’re going to do next. In this consultation document, we explain what we try to do. We motivate with arguments why we made the decisions that we make, but we want the wider community in the world to come in as well. Tell us if we scoped right, or give us very good arguments to change it. Make good arguments why we need another category, and suggest other standards. So if that happens, then in the second half of November, we come together as an expert team, and I am the coordinator. I’m not an expert. I’ll tell a historian doing a lot of work in this field, but not at hardcore techniques. It’s decision time. 
So we’re going to decide, the experts are going to decide whether a standard will be in there or not, or that the categories are changed based on the arguments made. So hopefully, by the half of December, we are able to present this tool, and have another tangible outcome of this IGF process. And that then needs to be proliferated, and that’s exactly what Mallory says. It is something that will go immediately under her report. that as much as possible and share it with governments and from there hopefully we’ll get the traction to improve procurement policies in the near future. So that will be a second project and with that I conclude. Thank you, Olaf.

Olaf Kolkman:
Perfect. Thank you. I promised that there would be some question time and I will allow for questions but I hope there are none because then we are exactly in the planned time scale again. I do have a question but I’ll leave it till after the session so that, yeah.

Audience:
I have a question about the testing website for, at least in the Netherlands, for websites which is really working very well. I just tested my own website that was 100% so I won a T-shirt and I think it would be a really good idea to, and that’s what you are doing here as well, to promote the use of these kind of testing websites internationally. There may also be some interesting advancements of the Dutch website. For instance, I’m thinking of a few more soft standards such as accessibility or maybe in the future testing the sustainability elements of your website. So I would love to make a strong case for including those kind of standards on that website as well. I think that the people responsible are in the room. It doesn’t work, yeah.

Annemiek Toersen:
Well we are not responsible for that but people can apply those standards. And accessibility, of course, is already on it, because it’s obliged in the Netherlands, WCAG. And I know that there is developing in the Netherlands, also at the Ministry of Internal Affairs and Infrastructure also, are combining internet.nl with other dashboards like accessibility. So people are thinking about it, but now it’s a thing to get all the ideas together, because everyone is inventing the wheel again. And that’s not good, of course. So it’s a good issue you point out, Valerie. So there must be more experts to get it, to combine that, and one dashboard. So we’re pushing that as well. Good suggestion. Thank you. Person at the mic was Valerie Frissen, just for the record. Good.

Olaf Kolkman:
The next part of the session, but I just noticed something. And we often forget that these sessions are made possible and accessible, actually, on that point of accessibility, by people doing real work. And I just saw a name in the Zoom room. Rochelle is doing the captioning. And I would like to thank Rochelle and her team for her hard work here, because it really makes a difference in these type of environments. Let’s see. Yeah, I think that’s appropriate. Thank you. Satish, you have perspectives from India. Thanks very much, Olaf.

Audience:
My name is Satish, and I’m from India. And I’m going to share two slides on what, or three slides on what we’re getting a good picture of. current status of compliance and it is pretty bad. So we are trying to kind of monitor this bunch every six months and we will then see the kind of transition what happens, you know, over the period of time. So in India, the whole digital thing is very, very important for us. India is betting heavily on digital technologies for its growth. It has made several strides in digital transformation. For example, the digital public infrastructure called IndiaStack and multiple digital public goods including the, when the COVID was there, we had this huge, you know, website for vaccines. Now, India is one of the most populous country in the world, if not the most populous. And the IndiaStack, so whatever application we build, it has got to be scalable to that citizen scale, which is 1 billion plus. So these are really large applications and these include, you know, financial, health, logistics, even the smallest villages, we see people using mobile phones to transact money, I mean, move money. Now, some of us are very nervous when you see this growth. It is good in a way, but when you look at the underlying, the core internet itself, we find that they’re not kind of complying to the latest standards. So this is actually worrying and that is why we kind of created, thought about this initiative. This is completely based on volunteer work and currently we’re trying to raise some seed funding for recreating internet.nl kind of a thing for India. Now, India, as was mentioned about accessibility, we have some additional requirements and one important thing is the multilingual part of it. And we also have something called the universal acceptance, which is a challenge. 
Now, this is when you create a domain name in a script other than Latin, say in Hindi, the Devanagari script, and you create an email out of it and then we find that that email does not work. It does not work in many websites. So the reason is that the programmers who created that software have not programmed for this kind of email IDs. So this is a huge problem. It doesn’t even work in the big tech companies like Google. So the ICANN is trying to now resolve that problem, but for India, when you want to test for these things, we have to test on these angles as well. So we’re trying to add to the code, of course, while making it open source itself, so that other people can also use it. So we’re trying to recreate the internet.nl with some more features that are specific to Indian requirements. And we plan to periodically run this test and disseminate the results to all stakeholders in the country. And we hope to be nudging or pushing them to adopt these standards. As was mentioned earlier, India has, like many other countries, India has no law that says you have to comply with all this. So we’re trying to work from bottom up through the community effort to kind of get these institutions to start implementing these standards. I’ll stop here.

Olaf Kolkman:
Thank you very much. That was very fast. Well, we have more discussion time at the end now. Oh, yeah, I need to use the microphone. That’s true. Yeah, thank you for that. That was very clear, very concise, and even comprehensive. Thank you. The Brazilian situation, Gilberto and Flavio, let’s see if Gilberto is audible. So Gilberto on Zoom, can you speak something? Yes. Perfect. We hear you. So I now hand over the microphone to you and to Flavio.

Flavio Kenji Yana:
OK, I’m sharing my presentation. OK, can you see my presentation? Yes, we can. OK, good. Thank you very much for the opportunity to participate in this event. I am Gilberto Zorrello. I am a product manager from Brazilian Network Information Center, NIC.br, that implements the decisions and projects by Brazilian Internet Steering Committee, CGI.br, which is responsible for the coordination and integration of all internet service initiatives in the country. Presentation is about the TOP, Teste os Padrões in Portuguese or test standards in English, based on the internet.nl tool in the security recommendations that must be adopted on networks on Brazil. NIC.br is proposing these standards to Brazil. That’s the idea. That’s our agenda for this presentation. Of NIC.br, the Brazilian Network Information Center. NIC.br is a non-profit civil entity that since 2005 has been assigned with an administrative and operational functions related to the .br domain in Brazil. In addition to providing and maintaining the domain names registration activity, NIC.br goes beyond similar entities in other countries. We invest in actions and projects that bring a series of benefits to improve the internet infrastructure in Brazil. With a revenue collected exclusively through the provision of the domain registration. Some of our efforts are focused on many sectors of Brazilian society, disseminating knowledge about best practice to be adopted in new networks and related areas. In some cases, we threaten relationships with private governmental and non-profit entities to encourage the adoption of best practice to be adopted in. and internet services. The TOP project here in Brazil. The project was developed by NIC.br to disseminate the best security practices in Brazil for websites, email service and user connection to internet. It uses the open source code provided by Dutch implementation.
The project is part of the program of Safer Internet in Brazil, which works with ISPs, internet service providers and including the operators to disseminate the best security practices that they should implement on their respective networks. Then, TOP BR in Brazil, we are using in this program, as a part of this program, okay? The operation was started in December of 2021 and can be accessed by top.nic.br in this domain. A little about the program, okay? The program is acts in support of internet technical community in reduction of denial of service attacks. A CERT.br team inside the NIC.br sends notification to the technical community in Brazil about these problems. Improvement of the network routing security according MANRS recommendations. MANRS is an Internet Society initiative. We, the program spreads, then execute best practices according TOP recommendations. Disseminate the best practices to configuring websites and email services according TOP recommendations. recommendations to encourage the implementation of IPv6 in final users and internet services using TOP as a testing tool. The plans of action performed by NIC.br. We have several teams inside the NIC.br. CERT.br is a security, Ceptro, internet products, registry of domains, ix.br and systems. That these groups creates technical teaching materials and some good practices, raising awareness in the technical community by lectures, course and training, having direct interaction with network operators by bilateral meetings to explain how to implement the best practice and recommended in each situation. Defining KPIs to monitor the effectiveness of actions. That’s the ideas of the plan. Some results of the plan now. We have some statistics. This statistics shows the quantity of IP addresses notified with misconfigured service. Note the reduction of the, since the beginning of the program. And now the reduction is about 70% of this kind of problems.
The other issue that we work in inside the program is implementation of MANRS in Brazil. MANRS, this statistic shows the distribution by country of internet providers participating of MANRS initiative. that Brazil has the largest number of participants in as increasing every year. 20, 25% of the MANRS participants comes from Brazil. And now we have some statistics for the TOP implementation. We started at the end of 2021 and we have some, we are increasing the tests. This shows the number of connection tests performing, the percentage of recursive DNS server and users with IPv6 implemented, the percentage of DNS services validating the protocol DNSSEC. Now we have some statistics about the website tests, the number of unique domains tested, the number of percent and percentage of tests that passed by some tests and the number of sites that get tested 100%, the hall of fame in our case. It is similar statistic for email tests. Many associations, ISPs, Internet Service Provider Association support the program here in Brazil, including, of course, TOP and Academia too. Academia is an RNP and the other, the Conexis is Incumbent Operators Association and other association here are Association of Internet Service Providers. Brazil has more than 10,000 Internet Service Providers, small, and medium operators around the country. That’s a specific situation of Brazil, okay? We have, of course, incumbents responsible for about 50% of the internet traffic in Brazil and the rest of the traffic, these small and medium operators are responsible for the rest of the traffic in Brazil. Some remarks of the implementation. TOP was delivered in end of the 21st, greatly running version 1.4 of internet.nl. Today, we don’t have a securitization state yet and RPKI, okay? But the version 1.7 is implemented in test server. We are now validated the implementation. We intend to deliver the end of this year.
The best practice recommended by the two are recommended from NIC.br to technical community in Brazil. Then the idea is this best practice NIC proposed for the technical community in Brazil together with best practices of MANRS and the best practice proposed by CERT.br. The two is being the same net together with the program in the country and the technical events for specific sectors, such government, academia, internet operators. The accounting area of Brazil’s region. legislature carried out many tests some months ago. They said that the government started using the tool to test their sites, but this is in the beginning. That’s the point here in Brazil. The TOP tool provides important indications of the implementation status of recommended best practice and provides a baseline for operators to implement them in their networks. That’s a main point of the talk. They created this baseline in order these operators under this line, they work to get this baseline. This is a very important tool for our country. Brazil has continental dimensions, and it’s a challenge to keep up with the evolution of the use of these standards here in Brazil. That’s my short presentation. We are ready for any questions if you have.

Olaf Kolkman:
Thank you very much. Flavio, were you adding something or just for the questions? No, no, yes. Yeah. OK. OK. Thank you for this, Gilberto. Very good to have you with us. We are exactly on the dot on time. It’s quarter to 3. Are there any questions? I’m looking around. I’m looking online. There was a question earlier whether these sessions are being recorded, and they are recorded and will be made available on the IGF website later. I do have a substantive question, though. I’m not quite sure who on the panel could answer that. Maybe somebody in the audience. Takes a little bit of introduction. In Europe, we have a regulation, it’s quite involved, regulation number 1025-2012. So this is a regulation from 2012 which allows the identification of technical specifications that are eligible for public procurement. There is a whole procurement law in Europe which I’m not a specialist on. But the idea was that specifications that were not made by formal standards organizations such as, you know, like ETSI, ISO, ITU, and national standards bodies would need to be whitelisted, identified in order to be used in European procurement and perhaps even in the member states. I do not know exactly. The standards from fora and consortia are not by default on those lists. And the fora and consortia that we’re talking about are IEEE, IETF, W3C, and all those type of things. When the forum was set up, we went through a quite extensive process to whitelist a number of standards. And DNSSEC is in there, DKIM is on there, IPv6 is on there. So there are a couple of them. But that standard, that process sort of halted. And so this is not to comment on that process but more on the question if you do procurement, do you run into the situation that the public authorities can only refer to standards made by formal standards bodies? That was a long-winded question but I think that that final question said it all. Yeah.
Wout de Natris, that the only thing I can share with you here is that when we started the dynamic coalition, the commission pointed us to a person in the commission who was involved in this process with the measure.

Wout de Natris:
And when I talked to them, basically it came down to we’re not doing very much anymore because it took more than one and a half year to even start talking about an open standard, let alone deciding that it was validated by this commission. And this is the last news I have from two years ago, so I don’t know what it is now, but they never came back online to me since. So maybe you know more, Alisa, but it was not an encouraging answer I got from these people. So that’s what I know. The question is, of course, how did the Netherlands come up with the comply and complain list? Did they compel, whatever, I’m tired, sorry. But explain this, that were they validated or just decided it just makes common sense to have this on, do you know? Thank you.

Annemiek Toersen:
I don’t know whether it’s on, that list. No, I don’t know. The European, because you said… The DNSSEC is on your list. Yeah, sorry. Yeah, the DNSSEC is on our list. Have they been whitelisted by the Dutch government first, or we just decided we have to have them on the list?

Wout de Natris:
Because in Europe, they are not validated in the European Commission. Well, those standards are supplied by a maintenance, other people.

Annemiek Toersen:
They offer the standard, like this is very important. So I’m not sure if it is IETF or who’s doing it, yeah, IETF, but a lot of organizations like NCSC says this is a very important standard, we adjust it, and if more organizations in Holland says that, then it’s proven experience that it is practiced. So that is one of the criteria in order to come to the comply or explain list. So, I think we have a research question here.

Mallory Knodel:
Looking at Mallory. Well, so, I mean, just to say, this doesn’t come up in our research because we weren’t looking for it. It could be maybe a separate question that could be done. I actually think the source material for this would be different as well because maybe you’re actually asking, in practice, how does this work? It could also be qualitatively done. I will just say, anecdotally, I know there are some US companies that when they’re considering going for a contract with a government in Europe, or tendering, or so on, they will then often initiate the standardization then. So, it may be just a consideration of workflow, right? If I’ve got a technology and I’d like procurement in the EU, then I need to demonstrate that the standards I’m using in this are either in existing bodies that have been listed, or that you can initiate the whitelisting at that point, or you’ve got technology that hasn’t yet been standardized at all, and you might as well start doing it in ETSI because that will be the quickest track. So, I know that the companies have that calculus in their heads about how to go after contracts. So, maybe that’s another answer to the question is it’s not always a predetermined, oh, I know that this standard is going to be important in the European market. It might come only when the market entrance actually happens.

Olaf Kolkman:
Are there other questions from the audience or from the panel? Oh, go ahead. Thanks, Olaf. Wout de Natris, is Gerben still online? Yes, he is. Yes, hi, Gerben. Who is it? How are you? I’m fine, here.

Wout de Natris:
I’ve got a question for you because the internet.nl, the standards that are there are often, something is added to it. What would be the next that you are thinking of and how do you come to the decision

Olaf Kolkman:
to add specifically that standard?

Gerben Klein Baltink:
So what is the next phase for internet.nl? Well, it is more or less the same as explained by Annemiek. Participants in the Dutch Internet Standards Forum can contribute by asking if the others agree that, for example, universal acceptance as one of the standards that we have considered should be added to our test environment. And then the process is simple. If everybody agrees that it is a good standard to dive into, the next step will be that we look into available tests already from the international community, open source. And if they are available, how well they would combine with internet.nl. Can we actually implement them in the test tool? And if not available, we look into the possibility to create our own code. Sometimes that works just as well as finding stuff already open source online. But sometimes you also have to conclude, for example, in relation to the accessibility standards, that they do not integrate too well in our current test environment. So then we decide to promote them. So have a news item featuring universal acceptance or the accessibility standards. And we will keep them more or less as spares for the future whenever we have the resources or the technology available to include them. That’s more or less the process.

Olaf Kolkman:
And as we learned from the other session, sometimes there was another session on internet.nl this week. Sometimes it’s just impossible to measure something, like route validation. We were talking about routing security in that session. Looking around once more, going, going, gone. That ends this panel. I think what we learned here is that there are tools to increase the visibility of the standards that are needed to secure our global environment. Name and shame in the form of internet.nl, more name than shame, granted. But also procurement methodologies, making sure that the initiative is felt where it’s felt most, namely in the wallet. And I think these are great initiatives. I think that the next thing that needs to happen is that more countries or environments or regions start using tools like this. So we have another deployment issue that we need to tackle. And with that, I leave that in the good hands of the Dynamic Coalition and would like to all thank you for being here. Have safe travels home. And have a good sleep. The consultation, yes. Yeah, yeah, yeah. The consultation, maybe that slide can be reprojected quickly. Let me just tell it. We have a website, www.is3, the number three, coalition.org. The reports that I mentioned can be found there. And the consultation is announced there. It has a link to a Google Doc where everything is included. And everybody is allowed to, has that link, is allowed to make remarks. And we close it on the 5th of November. Thank you for the opportunity again, Olaf. Thank you.

Alisa Heaver: speech speed 128 words per minute; speech length 233 words; speech time 110 secs

Annemiek Toersen: speech speed 143 words per minute; speech length 2164 words; speech time 911 secs

Audience: speech speed 186 words per minute; speech length 775 words; speech time 250 secs

Flavio Kenji Yana: speech speed 120 words per minute; speech length 1284 words; speech time 641 secs

Gerben Klein Baltink: speech speed 158 words per minute; speech length 1160 words; speech time 441 secs

Mallory Knodel: speech speed 190 words per minute; speech length 2274 words; speech time 720 secs

Olaf Kolkman: speech speed 133 words per minute; speech length 2029 words; speech time 913 secs

Wout de Natris: speech speed 163 words per minute; speech length 2297 words; speech time 848 secs