How IS3C is going to make the Internet more secure and safer | IGF 2023

Moderator – Wout de Natris

The session titled “How IS3C is going to save the internet” was introduced by Wout de Natris, who coordinates the session. The session is part of the Dynamic Coalition on Internet Standards, Security, and Safety (IS3C) under the Internet Governance Forum (IGF). The aim of the session is to promote a more secure and safe internet through the deployment of internet standards. The overarching goal is to safeguard the internet and ensure its resilience and inclusivity.

Marc Garvel, the senior policy advisor for the IS3C, was praised for his credentials and contribution to the coalition. He assists with steering the IS3C in its efforts to achieve their objectives. His expertise and experience play a crucial role in the development and implementation of policies for internet security standards.

Stephen Tan, a member of the advisory panel, is working on developing a tool that will allow governments and industries to effectively utilize internet standards. The tool, referred to as “the list,” is aimed at ensuring the timely updating and deployment of internet standards. By providing a comprehensive resource, it will help stakeholders navigate the complexities and rapidly evolving landscape of internet standards.

The session focused on several key aspects related to internet security and safety, including education and skills, IoT security, and emerging technologies. Janice Richardson chairs the Working Group on Education and Skills, Nicolas Fiumarelli chairs the Security by Design of the Internet of Things Group, and Maarten Botterman serves as the vice-chair of the Working Group on emerging technologies. These working groups play a vital role in addressing the challenges and opportunities in their respective areas of focus.

One of the working groups, Working Group 6, encountered a delay in publishing their report, which was a regrettable occurrence. However, the session did not provide any details or reasons for the delay.

Concerns were raised regarding the major challenges facing IoT security, particularly regarding the lack of implementation of existing standards and security measures. The significance of user involvement in threat management and the role of global standard unification were highlighted. It was acknowledged that many businesses lack the incentive to deploy improved security measures, and the lack of unified standards poses a significant obstacle to IoT security.

The importance of a comprehensive security by design approach for IoT was emphasized by Working Group 1. They have developed recommendations after analyzing over 30 documents and 400 best practices. This approach focuses on integrating security measures into the design and development of IoT systems from the outset.

The session also highlighted the importance of effective procurement and supply chain management for IoT security. Concerns were raised about the lack of a level playing field for companies that implement robust security measures, as they face higher costs. The procurement documents studied hardly ever discussed cybersecurity or demanded internet standards, which poses a significant risk to overall IoT security.

Advocacy for the mandatory implementation of security standards in the procurement process was expressed. Examples were provided, such as the Dutch Ministry of Interior enforcing the mandatory implementation of 43 open standards, and Microsoft gradually being pushed to deploy DNSSEC and other standards due to such policies. The Internet.nl tool, which allows users to check a company’s security score, was also highlighted as a valuable resource.

The session informed participants that new reports on IoT and procurement are available for access through QR code scanning or website links. This digital distribution of reports represents a modern approach to sharing knowledge, replacing the previous method of printing physical copies.

The session also highlighted the progress of the working groups. Two of the working groups are already functioning, and efforts are underway to generate new outcomes. Additionally, a new working group is expected to start in 2024, further expanding the spectrum of topics and expertise within the coalition.

Wout de Natris expressed his anticipation for positive outcomes from the current and future working groups. In particular, Stephen Tan, an expert in the advisory panel of Working Group 8, was expected to explain the group’s objectives, contributing to the coalition’s overall goals.

The IS3C coalition is currently running a public consultation to invite critique and enhancements to their guiding compass list. This list serves as a foundational guide for decision-makers in making secure and informed ICT procurement decisions. The coalition believes that global collaboration and transparency are vital for navigating the complexities of the digital realm and ensuring a secure, reliable, and inclusive internet for all.

The session also touched on the importance of internet security standards, such as DNSSEC and RPKI, and their low adoption rates globally. Despite being in existence for a long time, many industries and governments have yet to fully implement these standards, leaving the internet vulnerable to attacks.

The need for a change in how these security standards are described and communicated to CEOs and directors was advocated. The aim is to bridge the gap between technical terminology and non-technical decision-makers, ensuring a better understanding and adoption of these crucial security measures.

The session emphasized the importance of IS3C’s work in contributing to the United Nations’ Sustainable Development Goals (SDGs). By promoting a secure and resilient internet infrastructure and raising awareness about the importance of deploying global internet standards, the IS3C is actively working towards achieving SDG targets related to good health and well-being, industry, innovation, and infrastructure, sustainable cities and communities, and more.

The session concluded by addressing the global nature of internet security, stressing the importance of organizations such as ICANN and RIPE NCC in supporting the successful deployment of NSSEC and RPKI. It also acknowledged the multidimensional nature of security, extending beyond technical aspects and involving values, attitudes, skills, knowledge, and critical understanding. The session underscored the need for prevention, rather than mitigation, in cybersecurity, and stressed the importance of consumer advocacy and standardized protocols for vulnerability disclosure.

Overall, the session was an opportunity to discuss and shed light on the various challenges and opportunities in internet standards, security, and safety. It emphasized the urgency and collaborative efforts required to address these challenges effectively, with the ultimate goal of creating a safer and more secure digital landscape for users worldwide.

Audience

The analysis provides a comprehensive examination of various aspects of internet security protocols and policy development. One argument put forward is that the adoption of internet security protocols is not happening fast enough. This is attributed to the fact that the underlying protocols, such as the Domain Name System (DNS) and routing BGP, were developed in the previous century without initially considering security. The analysis highlights a negative sentiment towards this issue.

The analysis also argues that if these security protocol adoption issues are not addressed promptly, there is a risk of potential service interruptions that could significantly impact online businesses. The sentiment surrounding this argument is also negative. The inclusion of security features at the fundamental level is deemed crucial to ensuring the smooth functioning and reliability of the internet.

Regulation is another topic of concern raised in the analysis. It is suggested that if security protocols are not adopted rapidly enough, legislators may consider stepping in to regulate the industry. However, there is recognition that regulation could have unintended consequences, which adds a negative sentiment to this argument.

On a more positive note, the analysis introduces the idea that a multi-stakeholder context can play a pivotal role in solving the challenges of security protocol adoption. It is mentioned that the knowledge and experiences necessary to address security issues are available. Contrary to common perception, the analysis highlights that solving these issues is not as technically complex or expensive as many might believe. Furthermore, the adoption of security protocols is deemed beneficial for everyone involved.

In the realm of IoT security, the analysis suggests the need to continue analyzing new policy documents, incorporating new conclusions and recommendations. It is argued that these policy documents can help enhance current standards and practices related to IoT security.

The analysis also touches upon the challenges associated with compliance requirements and communication to engineering teams in the context of regulation. It is noted that tackling compliance requirements and effectively communicating them to engineering teams can be a significant challenge. The negative sentiment attached to this argument reflects the difficulty observed in finding relevant documents on the subject.

There is increasing pressure for policy makers to be more actively involved in future cybersecurity processes. The analysis emphasizes the importance of increased awareness activities and training for policy makers in this field. The positive sentiment associated with this argument indicates the significance placed on policy makers’ engagement.

Another noteworthy point discussed is the ethical responsibility and preparedness of cybersecurity professionals in relation to their societal roles. The analysis draws a comparison between cybersecurity professionals and undercover officers using dangerous tools to test systems. The sentiment here is negative, suggesting concerns over the ethical conduct of cybersecurity professionals in their line of work.

The analysis also highlights the importance of incorporating security by design for online safety. The sentiment attached to this argument is positive as security by design is considered crucial to mitigate safety risks posed by products that do not adopt this approach. In addition, the analysis underscores the need for education to complement awareness of internet safety measures, as awareness alone is deemed insufficient. A negative sentiment is associated with this argument.

Regarding the training of next-generation cybersecurity professionals, the analysis suggests that it is a learning challenge. The sentiment is neutral, indicating a balance between understanding the highly specific and potentially dangerous knowledge in the cybersecurity space and the need for professionals to comprehend their role in ensuring security.

The analysis also sheds light on the progress made by a coalition in researching and strengthening the platform’s security through tangible outcomes. It is mentioned that the coalition plans to launch a hub and welcomes active involvement and contributions from the public. The sentiment associated with this topic is positive, suggesting a recognition of the value of collaboration and public engagement.

Lastly, the analysis addresses the challenges in implementing security standards, highlighting that these challenges are not solely technical but often influenced by political and economic factors. The analysis also points out a lack of shared understanding or agreement on legal matters across different jurisdictions. This highlights the need for harmonization and collaboration in the international cybersecurity landscape, and the sentiment is neutral.

In conclusion, the analysis provides a comprehensive overview of various aspects of internet security protocols and policy development. It highlights the need for faster adoption of security protocols, the potential consequences of inaction, the possibility of regulation, and the importance of a multi-stakeholder context in addressing these issues. It also emphasizes the significance of IoT security, compliance requirements, policy maker involvement, the ethical conduct of cybersecurity professionals, education, and public engagement. The analysis underlines the importance of incorporating security by design and the challenges surrounding training next-generation cybersecurity professionals. Furthermore, it acknowledges the progress made by a coalition in researching and strengthening cybersecurity efforts. Finally, it recognizes the political, economic, and legal challenges associated with implementing security standards. These insights and observations provide valuable input for policymakers, stakeholders, and anyone involved in the field of internet security.

David Huberman

The overall success of the internet in seamlessly connecting devices and networks can be attributed to standardisation. Engineers have embraced common standards, enabling the internet to work uniformly across various devices and networks. This standardisation has played a vital role in ensuring interoperability and enabling the internet to function consistently for users on iPhones, Android devices, and other platforms. The very foundation of the internet was built upon these widely adopted standards.

Two fundamental standards, BGP (Border Gateway Protocol) and DNS (Domain Name System), serve as the building blocks for all internet services. BGP facilitates routing, allowing different networks to communicate with each other effectively. Without BGP, the internet would face difficulties in routing data packets and maintaining efficient connectivity. DNS, on the other hand, is responsible for translating human-readable domain names into IP (Internet Protocol) addresses, making it possible for users to access websites using familiar domain names rather than complex numerical addresses. DNS enables the scaling of the internet beyond just IP addresses, enhancing usability and accessibility for users worldwide.

Unfortunately, when it comes to internet security, the adoption of DNSSEC (Domain Name System Security Extensions) and RPKI (Resource Public Key Infrastructure) standards has proven to be insufficient. DNSSEC aims to secure the DNS by providing authentication and integrity checks, preventing DNS spoofing and other malicious activities. However, the global deployment of DNSSEC currently stands at only around 15-20%. Similarly, RPKI, which provides a framework for verifying the legitimacy of routing information, also lacks sufficient adoption. The insufficient adoption of these security standards poses risks to the stability and security of the internet.

In light of these challenges, policy makers and decision makers are urged to prioritise the adoption of DNSSEC and RPKI as basic standards for a safer internet. DNSSEC and RPKI play critical roles in ensuring the security of the DNS and BGP, respectively. The current level of adoption falls short, emphasising the need for concerted efforts towards implementing these standards. By embracing DNSSEC and RPKI, stakeholders can work towards a more secure and resilient internet infrastructure, safeguarding users’ data and protecting against various threats.

In conclusion, standardisation has been instrumental in allowing the internet to function seamlessly across devices and networks. BGP and DNS serve as essential standards for enabling internet services. However, the adoption of DNSSEC and RPKI security standards has been inadequate, highlighting the need for increased emphasis and adoption. Policy makers and decision makers have an important role to play in prioritising these security standards to build a safer internet environment for all users.

Janice Richardson

According to a survey conducted in 66 countries, there is a significant gap between the skills that the cybersecurity industry requires and the skills that tertiary education institutes provide. The industry demands graduates who understand how the internet and cloud work, whereas universities are producing graduates skilled in coding and ethical challenges, but lacking in practical knowledge. This skills mismatch has serious implications for the industry.

The survey also reveals that a high percentage of graduates, 67%, lack essential soft transversal skills that are crucial for adapting to future challenges in cybersecurity. Moreover, cyber attacks are increasing at a faster rate than the allocation of resources to combat them, highlighting the urgency to address this issue.

To bridge the skills gap and promote collaboration, the establishment of a cybersecurity hub is necessary. Such a hub would coordinate efforts, drive diversity, provide authentic learning resources, and gather best practices to meet the real needs of the cybersecurity industry. Denmark’s approach to a similar hub has shown promising progress.

In addition to the skills gap, the lack of diversity in the cybersecurity industry, particularly in terms of gender, is hindering innovation and creative problem-solving. Encouraging a more diverse workforce, including women, can bring fresh perspectives and varied approaches to enhance the industry’s progress.

The survey also identifies users as the weakest link in maintaining cybersecurity. Although users are often aware of what is right in terms of internet safety, they fail to consistently practice safe online behavior. Thus, increasing awareness and providing education on best practices is crucial to address this issue.

Merely being aware of cybersecurity risks is insufficient without proper education. It is imperative to understand the impact and consequences of one’s actions. However, the expensive nature of resources for cybersecurity education limits access, exacerbating the problem. Efforts should be made to make cybersecurity education more accessible to all.

Users must go beyond simply learning to use technology and strive to understand how it works. This understanding allows for better navigation of ethical challenges in the technology-driven world. Ethical understanding in technology is meaningless without a comprehension of the underlying mechanisms.

Moreover, knowledge in cybersecurity should be accompanied by values. The Council of Europe emphasizes the importance of teaching values, attitudes, skills, and knowledge together in the field of cybersecurity. Pairing technical competence with values is essential for responsible use of cybersecurity skills.

While cybersecurity knowledge is powerful, there is a need to make products less vulnerable to hacking. Implementing security standards can help mitigate the risks associated with the misuse of cybersecurity knowledge. Additionally, ethical hackers can play a significant role in bolstering cybersecurity if employed effectively.

In summary, the analysis reveals significant challenges and gaps in the cybersecurity field, including the skills gap, lack of diversity, user behavior, insufficient awareness without education, the importance of understanding how technology works, and the need to intertwine knowledge with values and ethics. Collaborative efforts, diverse representation, user education, and a holistic approach to cybersecurity education are necessary to address these issues effectively and promote a safer digital environment.

Maarten Botterman

The analysis explores the perspectives of Maarten Botterman on the governance of emerging technologies, with a particular focus on AI and Quantum technology. Botterman emphasises the importance of proactive governance strategies to effectively navigate advancements in these fields.

According to Botterman, AI is already pervasive in various sectors, and there is a need to catch up in terms of governance. He advocates for the development of a roadmap for governance strategies to regulate the use of AI effectively. Similarly, proactive governance is vital for the responsible and secure development of Quantum technology, which is currently limited to technical circles.

Botterman also stresses the need for a comprehensive approach that considers both the risks and opportunities associated with emerging technologies. He argues that mapping the current risks and opportunities is crucial, but the focus should not be exclusively on risks. Recognising the potential benefits and the need for responsible deployment promotes informed decision-making and innovation.

Furthermore, Botterman highlights the significance of standardisation and global collaboration in governing emerging technologies. While progress is being made, coordination and effective communication between different stakeholders are still lacking. Botterman emphasises the necessity of developing standards in cooperation with international partners, avoiding isolated approaches. This collaboration will enable the establishment of universally accepted governance frameworks for AI and Quantum technology.

Additionally, Botterman supports the creation of a comparative report examining existing governance frameworks worldwide. This report would provide valuable insights for policymakers and researchers, assessing the strengths and weaknesses of different approaches. Botterman mentions examples such as the proposed Algorithmic Accountability Act in the United States and the EU AI Act.

Regarding IoT security, Botterman expresses a keen interest in research in this area and chairs the dynamic coalition for IoT. He highlights the ongoing work needed for IoT security, indicating the need for further efforts to ensure the security and privacy of connected devices.

In the context of internet regulation, Botterman raises questions about how new initiatives can effectively reach relevant authorities and influence their understanding. He emphasises the importance of improved communication channels between regulatory bodies and new initiatives, ensuring a comprehensive and up-to-date approach to internet regulation. Botterman suggests that existing frameworks and the IETF should be open to new ideas, promoting a proactive and receptive approach.

In summary, Botterman’s perspectives emphasise the need for proactive governance strategies, balanced consideration of risks and opportunities, global collaboration, the creation of comparative reports, and improved communication channels to effectively govern emerging technologies such as AI, Quantum technology, IoT security, and internet regulation.

Abraham Selby

Abraham Selby has shared a QR code that allows for the immediate download of reports on topics related to the Internet of Things (IoT) and procurement. These reports are available on their website, and a link to access the reports will also be shared in the chat. Abraham Selby expresses appreciation for the effort that has been put into compiling these reports.

The International Secure and Resilient Internet and Cybersecurity Community (IS3C) is dedicated to creating a secure and resilient Internet infrastructure while promoting global internet standards for online security and data privacy. They actively work towards addressing various Internet challenges through international cooperation and collaboration.

IS3C’s specific working groups contribute to several United Nations Sustainable Development Goals (SDGs), including SDG 3 for good health and well-being, SDG 8 for decent work and economic growth, and SDG 9 for industry, innovation, and infrastructure. These working groups focus on specific areas such as promoting a secure internet and data protection, which are directly aligned with the SDGs. IS3C’s work also contributes to the Global Digital Compact through collaborative efforts.

In summary, Abraham Selby’s sharing of the QR code signifies the availability of reports on IoT and procurement, highlighting their commitment to providing access to relevant information. Additionally, IS3C’s work in creating a secure internet infrastructure and promoting global internet standards reflects their dedication to sustainable development and contributing to the SDGs.

Mark Carvell

The coalition has made significant progress, especially in the last year, and has overcome numerous challenges. Launched a few years ago, the coalition has been working diligently to tackle issues related to cybersecurity and security standards. Through its working groups, the coalition has conducted valuable research that has advanced the understanding and implementation of security standards.

The research conducted by the coalition’s working groups has yielded tangible outcomes and provided a resilient platform for the future. This indicates that the coalition’s efforts have been successful and have resulted in practical and actionable results, which will contribute to further progress in cybersecurity.

Continued support and involvement from participants are crucial for the coalition’s success. The coalition emphasizes the need for help from the audience and advocates for spreading awareness about its objectives. By inviting contributions in areas such as security by design and launching the hub, the coalition seeks to foster a collaborative environment where individuals with knowledge and expertise can come together to address security challenges.

Furthermore, the coalition advocates for proactive global coordination to effectively address security issues. It envisions the establishment of a hub that brings together experts from different fields to bridge gaps in the deployment of key security standards. Such an approach would allow for comprehensive and coordinated efforts to tackle security issues globally, enhancing the effectiveness of security measures and ensuring the development and implementation of robust security standards.

In conclusion, the coalition has made remarkable progress, especially in the last year, and has overcome various challenges through its dedicated efforts. The tangible outcomes achieved provide a solid foundation for future advancements in the field of cybersecurity. Continued support and involvement from participants are necessary for the coalition’s success, and proactive global coordination is advocated to address security issues effectively. The establishment of a hub that brings together experts from diverse backgrounds would enable a collaborative approach to address gaps in security standards deployment.

Stephen WG5

Working Group 5 has taken steps towards facilitating governments and organizations in making secure ICT procurement decisions. They have developed a comprehensive list that serves as a guide for procurement officers, ensuring that security is embedded in their decisions. This is of utmost importance in today’s era, where the lack of essential standards can leave users vulnerable to cyber threats.

The developed list focuses on four core domains: data protection and privacy, network and infrastructure security, website and web application security, and communication security. By addressing these areas, procurement officers can make informed decisions, ensuring that the ICT products and services they acquire meet the necessary security standards.

The list is based on four foundational principles: interoperability, robust security, openness, and ecosystem-wide readiness and implementation. These principles ensure that the ICT solutions acquired align with existing infrastructure, are secure and resilient, are accessible to all stakeholders, and can be readily implemented on a global scale.

One key aspect highlighted is the hidden nature of essential standards. In the current landscape, first-mover disadvantages are prevalent, and it is crucial for organizations to adopt the recommended standards. The developed list acts as a valuable resource, guiding procurement officers and preventing them from unknowingly acquiring products and services that do not meet the necessary security requirements.

Working Group 5 encourages collective intelligence and invites cyber and ICT experts to propose enhancements to the list. By leveraging the expertise and knowledge of these professionals, the group aims to ensure that the list remains dynamic, relevant, and globally applicable. This approach emphasizes the importance of collaboration and continual improvement in the field of ICT procurement.

Global initiatives play a significant role in the implementation of these advocated standards. The validation and amplification of the applicability of these standards by initiatives such as Internet.nl by the Dutch government, the Internet Hygiene Portal by the Singapore government, and WebChat PT by the Portuguese government are crucial in putting these standards into operation. By showcasing successful implementations, these initiatives demonstrate the importance and practicality of adhering to the recommended standards.

In conclusion, Working Group 5’s development of the list serves as a valuable resource for procurement officers. By addressing key domains and principles, the list ensures that secure and informed ICT procurement decisions are made. The encouragement of collective intelligence and the validation of these standards through global initiatives further enhance the list’s relevance and applicability. Overall, this work contributes to the broader goal of promoting security and stability in the procurement of ICT solutions.

Nicolas Fiumarelli

The analysis encompasses a range of documents and discussions on IoT security, highlighting the crucial need for a comprehensive security by design approach. This approach is essential in maintaining the integrity of the interconnected ecosystem. By implementing security measures from the beginning, IoT devices can be better protected against potential threats and vulnerabilities.

Collaboration and multi-stakeholder involvement are also vital in ensuring robust IoT security. The analysis suggests that joint efforts and partnerships play a significant role in bolstering the security of IoT systems. Examples of inclusive policies, such as those observed in Korea, demonstrate the benefits of engaging multiple stakeholders in addressing security challenges.

The use of open standards is recommended to enhance IoT device security. Specifically, standards proposed by organizations like the Internet Engineering Task Force (IETF) are valued for promoting transparency, collaboration, and interoperability. These open standards provide a framework for developing secure and compatible IoT devices and systems.

Proactive threat management and user empowerment are identified as crucial elements in IoT security. The literature emphasizes the need for proactive vulnerability disclosure policies and highlights the importance of user awareness, transparency, and international cooperation. Empowering users to actively engage in security practices significantly improves the overall security of IoT systems.

Integrating security updates directly with device warranty policies is recommended to ensure long-term security. This approach guarantees that IoT devices receive regular updates to address emerging threats and vulnerabilities, ensuring ongoing protection and functionality. Embedding security within the framework of device warranties incentivizes manufacturers to provide timely updates.

Awareness campaigns and education are essential for policymakers to stay informed about the standards and practices needed to address IoT security. Promoting awareness campaigns and organizing tutorials ensures that policymakers are well-informed about the best practices to adopt. This enables them to make informed decisions regarding policy development and regulatory frameworks.

Manufacturers and service providers are encouraged to take the lead in implementing security measures. Strong passwords and continuous software updates are highlighted as essential security practices that should be ensured during the design and manufacturing phases. By taking responsibility for these security measures, manufacturers and service providers can enhance the overall security of IoT devices without burdening users.

Policy documents should reference the work of standardization companies, such as the IETF, and their efforts in developing IoT protocols. This ensures that policymakers are aware of existing standards and can align their policies accordingly. However, the current policy documents do not sufficiently acknowledge the work of these standardization companies in critical areas such as Software Update on the Internet of Things and Trusted Security Environment Protocols.

The analysis suggests greater involvement of policymakers in improving processes related to IoT security. The pressure to enhance IoT security will require policymakers to actively engage in developing regulations and standards.

Lastly, organizing more awareness campaigns and training activities is recommended to increase understanding and awareness of IoT security issues. Interested parties can seek knowledge and training from organizations like the International Secure Systems Technical Centre (ISTC) to gain a deeper understanding of IoT security challenges and best practices.

In conclusion, the analysis emphasizes the importance of a comprehensive security by design approach, collaborative efforts, open standards, proactive threat management, user empowerment, integration of security updates, awareness campaigns, education, and policy maker involvement. Addressing these aspects is crucial in enhancing the security of IoT devices and systems and mitigating potential vulnerabilities in an increasingly interconnected world.

Moderator – Wout de Natris:
Okay, good morning, ladies and gentlemen, and welcome to this session, how IS3C is going to save the internet. And my name is Wouter Natris and I am the coordinator of the Dynamic Coalition on Internet Standards, Security and Safety, which runs under the IGF, and today we are going to present several tangible outcomes of our process, which hopefully will also be translated into actions in the near future. Who are with me on the table? On the left side is David Huberman from ICANN, and he is chair of Working Group 8, with Bastiaan de Vries, chair of RIPE NCC, sitting in the room. Next to David is Janice Richardson, and she’s the chair of our Working Group number two on education and skills, and she’s going to present a next phase to IS3C and a concept we’ve developed that hopefully will help the world further to move from the theory of reports to practice. Next to me is Nicolas Fiumarelli, he’s the chair of Working Group 1, Security by Design of the Internet of Things, and he’s going to present his report that he wrote together with a few other people on a global comparison of policy on IoT. On my right is Maarten Botterman, and he is the vice chair of our new Working Group on Emerging Technologies, and he will present the plan that we have to proceed in 2024. And at the end of the table is Marc Garvel, he’s our senior policy advisor and helping me with steering this little piece called IS3C through the future, basically, and helping me with a lot of good things in English, because he’s really perfect at that. Online we have Stephen Tan, and he is one of the people working in an advisory panel to make what we call the list, and that’s going to be a tool for governments and industry to work on the deployment of internet standards so that they’re updated in time and people become more secure by design because of the deployment of these standards. And that is the rationale of this DC, to make the world more secure and safe. Also online is Abraham Selby, and he is leading our work on the Sustainable Development Goals, so he’s defined how IS3C can literally assist the Sustainable Development Goals with the work that we’re doing, and hopefully translate them into practice. There’s also Mallory Nodal, she’s not present because she’s flying at this moment, she’s the chair of Working Group 3 on Procurement and Supply Chain Management, and I will do her presentation for her. And we have a Working Group 6, but that report is not published yet by UNDESA, so we can’t tell anything about it, so Louise Marie Morel leading that work on behalf of IS3C is not present because there’s nothing to say at this point in time, unfortunately. So with that, I will stop and give the word to Nicolas first, as chair of Working Group 3 on – sorry, 1 on IoT security. Thank you.

Nicolas Fiumarelli:
Hello everybody, is the presentation – perfect, thank you so much. Okay, hello everybody, and welcome for the Working Group 1 presentation on our report on IoT security. Well, some of you might remember from last year’s presentation where we introduced our initial findings on IoT security. Today, I am excited to present the finalized report, finally, complete with our conclusions and recommendations. In a nutshell, we emphasize the importance of this comprehensive security by design approach, which is paramount in ensuring the resilience and integrity of our increasingly interconnected ecosystem. IS3C sheds light on best practices on bolster IoT security, and this finding had vast repercussions for numerous sectors. As you know, IoT devices came from smart thermostats, wearable health devices, smart home security systems and connected appliances, refrigerators, smart lightings, connected cars, and so on. So here are some graphics about the evolution of the IoT for the following years, the quantity of devices worldwide, and then a regional distribution of policy documents that talk specifically about IoT security. Well, our research was focused on recent questions. We have five recent questions. I will just summarize some of them. This helped us to develop the recommendations and conclusions after, so we touched on questions about what are the responsibilities of the stakeholders involved in defining the future of IoT security. Then what are the policy and regulatory measures related to crashes, power shortages, and outages. Then about user empowerment, like labeling schemes or different methods or best practices regarding how users can be informed or how users can have an active role in developing or using the devices. Then about IoT security standards out there, how to adopt these recommended best practices. And finally, about the security updates with warranty policies and different things that are really important. So we have analyzed 30 documents from more than 400 best good practices found in these regulatory or policy documents of practices around the world. Here you have like the average picture of different documents per country, talking about different four policy areas that we identify in the research. We identified these four pillars of IoT security that are data privacy and confidentiality, secure updating, user empowerment, as I mentioned in some of the policy questions. So these areas came from the policy questions. And then operational resilience. This is just like, you know, they say that a picture is worth a thousand words. This is a picture where the countries are from our study. Not so much. And you can see a proliferation in the global north, that is the most important part. So here is the most important, and I think I am planning with time here. So the main conclusions from the research are the importance of collaboration. Rally Central defining its vital role of joint efforts in bolstering the IoT security. We have found these documents from prominent regions advocating for multi-stakeholder involvement, advocating for precise delineation of roles across the spectrum from the makers, you know, like the manufacturers, to the users. Then there are specific stakeholder policies, like this approach for crafting these policies targeting distinct stakeholder groups. They roll out and how to do the application. So a standout example is the Korean policy, for example, which breaches regulatory directives with practical guidance for each developer. IoT device security, for example, this anonymous push exists for developing these IoT devices that inadvertently prioritize security. This encompasses crafting devices resilient to common adversities and pre-empting cyber threats, notable denial of service attacks, with emphasis on this fault tolerance. Then the focus on the user involvement and threat management, you know, this sizable portion of the literature emphasizes the need for proactive vulnerability disclosure policies. And this systematic response to the IoT threats is central to promote user awareness here, transparency, and international cooperation, all conversion to elevate the IoT security to the next level. And to ensure adherence to the IoT security norms, these strategies for standard compliance is a mix of regulatory directives, incentives, and labeling systems sometimes are utilized. Yet the success of this mechanism varies depending on the rationale and specificities. Another one is the warranty tied to security. You know, there is a clear trend links the duration of the device warranties with the commitment to ongoing security updates. Also, regions like the European Union are led in this aspect. But a uniform global implementation is lacking. So finally, the need for global standard unification, despite a plethora of best practices that are available, as we mentioned, there is a significant gap in aligning with universally recognized security standards, like, for example, the one suggested by the IETF. This accentuates the pressing need for a more coordinated strategy to tackle the IoT security at the global level. So what are our recommendations from the research? Regarding accountability and developer-centric regulatory language, there is a clear need to delineate responsibility across the different stakeholders. As I say, from the developer, the manufacturers, to the users. Then to adopt an approach, as seen in the Korean policy document, providing practical examples, protocol schemes, code snippets, and device illustrations for every stakeholder to know what are the implicancies there. This will bridge the gap between the policy language and the actual steps for the developers. Another recommendation is recognize the developer as vital stakeholders, translating these regulatory directives into practical guidelines for robust IoT security implementation. About unauthenticated vulnerabilities, they allow, say, risk attacks or brute force attacks. There is a need to prioritize countermeasures for these attacks, which exploit vulnerabilities without requiring authentication sometimes. The issue of embedded security measures within IoT devices, recognizing that there are some constraints there, and regulatory efforts should concentrate on tailoring defenses against these unauthenticated threats. This is a common thing in every device. About coordinated vulnerability disclosures, promote the CBD as a cooperating strategy involving researchers, manufacturers, and also the users. Also using this vulnerability disclosure to detect, verify, and remedy vulnerabilities in a more coordinated manner. Policymakers should incentivize this adoption of vulnerability disclosure mechanisms, enhancing the overall of the IoT security through collective efforts. On the open standards part, it’s important to emphasize on open standards, like those made by the IETF or other standardizing companies, in enhancing the IoT device security. Such standards are promoting transparency, collaboration, and sometimes interoperability. So it will be good to have those to a robust defense against the security pitfalls we are talking about. Policymakers should also leverage and actively participate in the standard-setting forums. We have found that there is no mention in these policy documents about the IETF standards, so it will be great to encourage a global adoption of secure protocols and architectures. Finally, on the security updates and warranty policies integration, we have found and recommend that integrating security updates directly with the warranty policies will ensure prolonged device security and functionality. Maintaining these potential risks of outdated or unpatched devices is really important, so advocating also for the manufacturers to maintain these regular updates, ensuring the products remain secure and efficient throughout all the lifespan of the device, and also encourage a proactive stance against potential security vulnerabilities. You know, embedding the notion of security within the device warranty framework is something that is desired. So this is, in a nutshell, what we have to say about the Working Group 1 research on IoT security by design. Maybe at the end, if you have some questions, we will address it. Thank you so much.

Moderator – Wout de Natris:
Thank you, Nicolas. And one of the other authors is sitting here in the front, Joao Foucault. So also welcome in the room. As you heard, there are major challenges concerned IoT security, and a lot of them involved with not implementing existing standards and security measures that are out there sometimes for decades and have to be used more often. What is a way to actually could lead to deployment of these standards? And that is our other working group that was led by Mallory Nodal and Liz Orembo, who did the major research part. Both of them are on a plane at this moment towards Osaka, so they’re not in this room. And I have been asked to give the presentation in their stead. The working group is called Procurement and Supply Chain Management and the Business Case. And why the business case? The business case for deployments does not seem to be there for the simple reason that there’s no living playing field. If I would be a company and would deploy all these standards, that would cost me effort, money, time, et cetera, and probably higher prices. If all my competitors do not deploy, it means that I’m too expensive. So there’s no incentive to deploy because there’s no demand, and so there’s no supply for more secure ICT. What is a way to change that? And that is what we studied. We looked at procurement documents in the world, looking at the fact whether they took in security as a whole, and from there, if they look at cyber security, and next, whether they discuss internet standards or ICT best practices in that procurement document. We make one caveat because for the simple reason we could only study what we could find online. So what is not there, you can’t study. What we tried to do is ask the communities, does your company have a procurement document, and if so, are you willing to share that with us? From the government side, we got several, and people even helping us with the translation, so that was very kind, but from the industry side, we didn’t get anything. So does it mean it’s secret? Does it mean it is not there? We simply do not know because we did not receive any response. So from there, the plan two years ago that was made by Mallory is three stages. First is to go through the objectives, set the scoping, from there, do the actual research which was done by Liz, and then come up with this report, and hopefully in the next year, a second phase to this report so that the guidance actually reaches government and industry. So what they looked at first is terminology. They looked at what is procurement. As the context of digital technologies refers to the process of acquiring goods, services, or solutions from external sources to meet the needs and requirements of an organization. Security standards are critical in the procurement of digital technologies due to the increasing importance of protecting sensitive information systems and networks from cyber threats. So the methodology already explained the three stages that they went through, and what they looked at is common elements of best practice. They looked at whether there are shared problem barriers, and they looked at the global north and the global south because in the end, it works the same for everybody, no matter where you live. So what did they find? They used the methodology used by the National Institute of Standards and Technology from the United States, and they have five core cybersecurity functions that they identified in there and promote. The first is to identify, then to protect, to detect, respond, and recover, and they looked at whether that fitted that mold. But the conclusions are a bit devastating, to be honest. In all the documents that we found is that if there’s something on security, it is hardly ever on cybersecurity, so let alone demanding internet standards that would make the products that you buy more secure and safer. So everybody buys sort of off the shelf or forced by industry to buy what they offer, and especially in the global south, that is the case that we often hear. It’s either this or you don’t get anything. So that’s the choice that you are supposed to make. So what did they come up with? Best practices. Mallory decided to give best practice awards, and yes, I’m Dutch, so sorry to be looking a little bit like it. I’m biased here, but I am. I did not write this, remember that. First is the GDPR and the European Union, the privacy regulation. So this is not an internet standard in itself, but what it is, it has become a global standard that leads to the implementation of several of these standards because they have to adhere to privacy regulation. And the GDPR has become in the past years a standard for the rest of the world that’s being copied. Let me get to the Dutch side of things. The Netherlands Ministry of the Interior and Kingdom Relations has published, I think about six years ago, a mandatory list for governments, no matter what level of government. If you procure ICTs, you have to demand, I think it’s 43 open standards. That leads to the fact that these governments have to either comply or they have to literally explain why they do not adhere to this list. And that report is sent to the Dutch Parliament each year. So in other words, that is a driving force toward industry. And does this work? Yes, because even Microsoft is being slowly forced to deploy DNSSEC, for example. And now, next level, they have to deploy a standard called DENG, and I won’t explain what it is. Maybe I can’t even do it totally properly. But the fact is that even a big company like Microsoft is being pushed towards this mold. And the third award is going to an initiative called Internet.nl. And if you go to that website, Internet.nl, and you type in the domain name, the URL of any company that you think, I’d like to check that, that if you score 100%, then there’s a lady walking around here, and she gives T-shirts away if you get the 100%. So in other words, that is a tool that you can check, is the company I deal with secure? So check your bank, for example, and you will probably be very disappointed. This tool is open source and can be copied by anybody who likes making it up in your own language. So for example, Australia, Brazil, Denmark, Singapore, and Portugal have done so already. But the future work is how can we make use of these findings and then start translating them into the next phase. And that is something that we will be discussing here and with others in the near future, because we have to make sure that this is not just a digital piece of paper on a fairly obscure website called the Internet Governance Forum. This is a message that has to go out there, because governments and industry, when they start demanding these levels of security from their suppliers or from their devices or from their service provider, they can only change or be out of business. So that is an extremely strong force for more cybersecurity, and we should be starting to use that. So that ends my presentation on behalf of Mallory and Liz. And if there are any questions, we can go there at the end of the session. As Louise is not presenting, I think that Janice, you’re up next, because we’ve been talking about this future, and we had a big session on day zero on the cybersecurity hub led by Janice. And she will share with you the ideas that we have to go forward with this work, but first with education and skills, because I have to explain that Janice was the first to come with a report last year in Addis Ababa, and now we’re going to hopefully take that to the next level. Janice.

Janice Richardson:
Thank you. Good morning, everyone. Education and skills. Well, cybersecurity involves everyone, and we began with a few questions. When we began three years ago, I think it’s best that I take you back there so you see why we’re moving forward in the way we are. Question one, is there a gap between supply and demand? That is to say, between the young graduates who come out and the skills they have looking for a job in the cybersecurity industry and the young people that the cybersecurity industry is looking for. And the conclusion in a report, in a survey done in 66 countries, was yes, there is definitely a gap, whereas industry is looking for young people who understand how internet works, how the cloud works, and therefore can adapt with the emerging technology. Universities and the tertiary education system are putting out young people who know all about coding, who are good communicators, and also who understand the ethical challenges. On the other hand, according to industry, 67% of them simply don’t have the soft transversal skills that enable them to adapt to the future. From there, now that we see that there is really something to do, we’ve decided how do we go about it. And the future seems to be a cybersecurity hub, where we bring together industry, where we bring together universities, but also we cater to the cybersecurity challenges of firemen, for example, who would think that they have enormous cybersecurity challenges, farmers, almost anyone. So what would this hub do? First of all, yeah, it would coordinate. It would encourage more collaboration, but it would drive for diversity. Look around you. How many women are in this room, and how many women are here on the platform? This is pretty indicative of one of the big problems that the cybersecurity industry is suffering, this lack of diversity, lack of young people, lack of women, lack of the granular approach, the more granular approach that women can bring to the issue. Another area where the hub would, I think, be very instrumental would be providing authentic learning resources to universities, so that universities and the tertiary sector are actually helping young people learn the way it’s necessary for their future. The university industry, as we all know, have decided that it’s better to take young graduates out of school, secondary school, and to train them in their own way, and that way they have key in hand young people who are ready to do what they want. But these young people are blocked in a way. They don’t have the underlying skills. One of our very big objectives is to ensure that we are educating for the future. We are educating to enable young people to adapt to the real needs. It’s also to gather good practice. In Denmark, for example, something like the hub already exists, and it’s really created a much faster moving industry. Europol has pointed out that cyber attacks are multiplying by 20% every year, yet the allocation of resources, be it human or financial, is only increasing at 10% per year. So we can see that we’re losing the battle. The cyber hub aims to really put what we’ve learned into practice, bring the right people around the table, continue this collaboration so that education and skills are really responding to the challenge. But there is one thing further. You cannot suddenly understand internet, understand the cloud, if as a child you don’t learn how things function. So there is a need for a fundamental change in education systems so that young people right from the beginning are not just using the tool, but they are understanding what they’re using. And I think you can see how broad the impact of this could be. So we believe that if we have such a hub, we can also advise all of those education ministries who are very eager to know how do we help young people be safer and be more secure online. So I think the hub is the point where all of this will meet. Thanks. Walt.

Moderator – Wout de Natris:
Thank you, Janice. And this is a concept, it’s not that the hub is there, but we’re discussing how we’re going to organize this, where we’re going to organize this, and hopefully that will be within the IGF to produce more tangible outcomes in the future. It’s time now for an official moment because as you heard, we had the presentations on the reports, but at this moment they’re going to come online. So I’m going to ask Abraham Selby, who is in London in the horrible time, middle of the night, to share his screen and to show the QR code.

Abraham Selby:
Hello, Selby. Yes, please, Ruth. Let me share the QR code to the general. So if you like the report, then all you have to do is put your cell phone at the QR code and you can download the two reports immediately. So the first one on IoT and the second one on procurement. So this is the main page you can be able to scan and get all our reports on our website. We have all the resource reports that they all talked about, so all the reports are there on our website. But after our presentation, we’ll be able to come and also share the link to our report in the chat as well. I think Nicholas has shared some website links in the chat. So we are ready to go on that. Thank you very much, Selby, for the effort of getting all this together. They’re greatly appreciated by us all. Thank you. And we’ll come back to you later with the SDG report.

Moderator – Wout de Natris:
So this is a little less official than last year when we could hand over a printed report to Paul Mitchell, but this, I think, is a very more modern way to do it and it will be on the IGF website as well pretty soon so that everybody can read it. So that is where we are today, but what is it what we want to do in the near future? So there are three working groups that are, two of them, up and running but working towards a new result. And the third one is hoping to start in 2024. So the first that I would like to give the word is online, that is Stephen Tan, and he’s working for the Cyber Security Agency in Singapore, and he’s one of the experts in the advisory panel of Working Group 8, working on a tool of internet standards. So Stephen, please come online and show us what it is exactly that Working Group 5 is striving to do.

Stephen WG5:
Hi. Good morning, esteemed colleagues and attendees at IGF in Kyoto. So I’m Stephen, and glad to join you virtually today as a representative of Working Group 5, in short, WG5. So WG5 works, involves navigating the complexity of the internet standards and best practices with a dedicated focus on facilitating governments and organizations in making secure and informed ICT procurement decisions. So basically, at the heart of our efforts lies the list, as mentioned by Walt earlier. It’s not a mere checklist, but we see it as a guiding compass, a result of collective expertise and foresight. The conception of the list came from a pressing need. Basically, how can we assist decision makers and procurement officers to effectively navigate through a myriad of standards without being overwhelmed, and importantly, ensure that security is deeply embedded in their decisions? Our answer to this itself is articulated across four foundational principles that we have came up with. First, interoperability. Second, robust security. Third, it must be open and publicly available for use. And last but not least, a proven ecosystem-wide readiness and implementation. This would allow entities out there to build digital ecosystems that are not only robust and secure, but also transparently and efficaciously deployable. These principles have allowed us to discern four core domains, namely data protection and privacy, network and infrastructure security, website and web application security, and of course, communication security. Deriving from these standards includes standards such as DNSSEC, which Walt has mentioned earlier on as well, that helps with safeguards against unauthorized DNS alterations, and of course, DMARC, which we are still seeing a very low adoption at this point in time, that actually helps to prevent email spoofing, phishing, as well as scams by verifying sender authenticity. Meanwhile, it’s worth noting that while cloud computing permits numerous aspects of the digital sphere, it has not been singled out as a standalone domain in our framework. Our intention herein is to imbue an adaptive and an all-encompassing perspective towards standards, ensuring that they are all equally applicable and resilient in cloud environments and beyond. Now, you may be wondering, why is this list so crucial then? I think at this point in time, in this era where we have noticed that first mover disadvantages are evident, and essential standards often remain shrouded or under the hood, there’s an inherent need for transparency and collective action between countries globally. Products and services without the right guidance can inevitably leave users vulnerable. With this list, WG5 seeks to capitalize a global shift towards security by design. It’s our conviction that such a guiding framework can empower decision makers, especially doing procurement, to advocate for and ensure foundational security. Last but not least, acknowledging the merit of collective intelligence, we warmly invite cyber and ICT experts worldwide to critique, reflect upon, and propose enhancement to our framework. Your insights, aligned with our guiding principles, will be instrumental in refining the list, ensuring it remains dynamic, relevant, and globally applicable. We also want to take this opportunity to acknowledge several global initiatives vital in putting the standards we advocate into operation. I think both have mentioned them, I’ll just name them again. This includes some of the notable and diverse, such as Internet.nl by the Dutch government, the Internet Hygiene Portal, spearheaded by the Singapore government, and WebChat PT, developed by the Portugal government, in collaboration with its registry. These initiatives not only validate, but also help to amplify the applicability and impact of these standards in tangible real-world scenarios, underscoring their crucial role in augmenting cybersecurity and compliance. In wrapping up this portion, we proffer the list not as an end, but really as a starting point, and together, let’s navigate through the complexities of the digital realm, ensuring a secure, reliable, and inclusive Internet for all. The consultation will run from today until 5th November, 12 p.m. UTC. With that, thank you.

Moderator – Wout de Natris:
Thank you very much, Stephen. I think that is quite clear what the goal of the working group is, but also an invitation to work with us in this consultation. As a dynamic coalition, we can’t produce a report or a tool without consulting the broader IGF community and beyond, and that is something that we’ve done on all our reports so far, and we will do on this tool as well. So as of now, the consultation is open. You can go to our website, is3coalition.org, and if you go there, you’ll find the link to the Google Doc, where you can share your thoughts on this list, whether you agree with the scope that we made, whether you agree with the content, and agree with the standards themselves. So if you’ve got arguments to change it… then we will take that into consideration. We expect to be working on it in the second half of November and hopefully produce the final tool somewhere in December or very early in January. So that is the time scale that we’re operating on. And as Steven said, we see it as a start because it will be possible that we do this for health or for agriculture in the future as well. But we will see whether that is feasible or not. You can see the QR code. I think there’s also a QR code for the consultation. The second working group that is up and running since spring and is now in the process of starting an advisory panel of experts on this topic is the Working Group 8 on DNSSEC and RPKI deployment. Why these two? Well, our sponsors are ICANN and RIPE NCC. So that makes it more logical to look at the domain name system and at the routing system. But also that what we’re going to do is provide a blueprint that will, in the end, work for all internet standards and all organizations. But I won’t say anything more because otherwise David doesn’t have anything left to say. So I’ll give the microphone to David Huberman to please explain to us what Working Group 8 is going to do in this year and early next year.

David Huberman:
Thank you very much, Wael. So the internet’s kind of cool. The internet’s kind of cool because it works no matter how you access it. A lot of you are holding iPhones right now. A lot of you are holding Android devices. The internet works the same way on both of those devices. It works on your Mac laptops and your PC laptops and your desktop computers and your smart devices. Whatever you have, it works. But if you look in the scope of human history, that’s different. It doesn’t normally work like that. We’re here in Kyoto and if you go walk outside, you’ll see vehicles on the road. And you know what? They’re driving on the left side of the road. And those vehicles have their steering wheels on the right side of the cars. But if we just go across the sea to South Korea to our west, they’re driving on the right side of the road with the steering wheels on the left side of the car. And that means we’ve set two different sets of standards for safety, for operation, and for the manufacture of vehicles. For those of us who are visiting this beautiful country, you know what we all have in common right now? We’ve all brought these little travel adapters. Because when we want to charge our phones, we want to charge our devices, it’s a different standard here than it is in a different country or where we’re from. There are about five different standards for the shape of plugs and for the voltage of plugs. And yet the purpose of a plug is the same thing. It’s to provide power. If you open up my wallet right now, you’ll find Japanese yen, euros, and American dollars. And that’s kind of silly because the purpose of money in 2023, the purpose of currency, it’s the same thing. Everywhere in the world you go, and so I can go buy something. I can give you countless examples of the way we’ve standardized many different ways all around the world, but the internet is the exception. Starting in 1969, when four engineers built the first internet standard, it was some software on how the earliest internet router would work. Through today in 2023, we’re about to publish the 10,000th internet standard. We’ve developed a system of standards that all engineers who work on internet-connected networks have adopted. We haven’t adopted all of those 10,000 standards, but we’ve chosen the ones that work the best to build a network that works for everybody in the world. And of those standards, there are two that serve as the building block for all internet in the world. All the services you use, TikTok, YouTube, an application to do your banking, to make your plane reservations, they all rely on two protocols, BGP, which is used for routing so that all the networks in the world can talk to each other in a common language, and DNS. DNS allows us to scale the internet beyond the ability of just IP addresses. It’s the IP addresses that computers use to talk to one another, but there aren’t enough IP addresses for the computers to use. So we’re able to communicate via domain names. We’re able to give host names to devices. BGP and DNS are old. BGP was standardized now in 1995, that was almost 30 years ago. And DNS is older than that. DNS, next month, is going to celebrate its 40th birthday. And when we built these standards, we built them to work. What we didn’t do is we didn’t build them to give security. So over the years, we’ve seen security is actually very much, is just as important as reachability and interoperability. So the IETF has bolted on security standards to run in DNS and to run in BGP. And the two most important standards are DNSSEC and RPKI for routing. DNSSEC is 23 years old, and our deployment level is, I mean, Andrew, you can quibble with me on the numbers here, but globally, it’s about 15 to 20% at the max. That’s not very good for a security standard that everybody in the world needs to adopt to make the internet safer. RPKI is doing a little bit better. RPKI in some nations is 50, 60, 70, 80%, but in some nations, it’s 25%. In Africa, it’s right around 25%. So Working Group 8 is trying to develop a new narrative to convince policy makers and to convince decision makers that you have to adopt DNSSEC, and you have to adopt RPKI as a basic standard in everything you do, and that’s what Working Group 8 is working on today. That’s all I had to say. Thank you.

Moderator – Wout de Natris:
Yes, thank you, David. I think this message comes across quite clearly that for some reason, these standards are around for a long, long time, and they are not being used, and that exposes everybody to vulnerabilities that allows the dark side to attack the internet 24 hours a day. And they do, as we all know, with all the incidents that we read about almost on a daily basis. So the adoption of these standards would actually make us all more secure and safer. And you can see how all these working groups tie into each other because they all come up with the same message. Why are governments and industries not deploying these standards? And try and change the narrative from a technical point of view that may not convince a CEO or a Director General at a ministry to a narrative that he can understand and actually get a positive decision from. So that is also a sort of tool that we are going to develop that will also be consulted as soon as the text is ready, and you can share your ideas with us. And then somewhere early in the next year, we will probably be able to produce the tool and share it with you. The final working group that we have at this point in time, and I have to say that if anybody has an idea to start a new working group within IS3C, you can always contact either Mark or me to discuss that. But at this moment, the last person that approached us was Elif Cortes-Guizot, who is not here in Kyoto but may be online. But we agreed that the Vice Chair, Maarten Bottelman, of our Emerging Technologies Working Group would give the presentation. So I’ll hand over the microphone to you if you have your own mic, yes.

Maarten Botterman:
I know people online can hear me as well. So thank you all for that, and thanks Elif for asking me to speak. Actually, I’m assisting Elif because I believe governance of emerging technologies is key, and thinking ahead of what’s coming towards us is something we should try to do today rather than wait until it’s too late. Now, the two emerging technologies that are mentioned explicitly is quantum technologies and AI. For AI, we’re already almost running behind the wagon because it’s all over the place, it’s discussed everywhere. Quantum is still particularly in the more technical circles, I would say, today. Nevertheless, both subjects do deserve our attention and deserve to have that now. So the working group of IS3C, Working Group 9, aims to develop a roadmap for governance strategies for these emerging technologies. And the roadmap will set out the roles of the different players, stakeholders, governance, private sector, civil society stakeholders, and if I may add, technical community. And for getting there, the aim is to learn from what’s happening there and look ahead. So the particular goals of the working group are to raise awareness of the security and security issues, as IS3C’s focus is, on these relevant technologies and policy decisions related to it. Next to it, it’s also to investigate the emergent issues and make sure we’re up to date on what keeps stakeholders busy or should keep stakeholders busy with inputs from public and private sector, technical community, and civil society. And certainly, then ultimately, to come to develop policy recommendations as we’ve done in the previously presented reports and guidelines as IGF outcomes. So really also subject to consultation with the people at the IGF, in the IGF circles. So right now, the aim is to really get the project organized. And once we have it up and running, I’m sure it will be announced on the website. And the current thinking is that we would first focus on mapping the current risks and opportunities. That balance needs to be there. We’re not just focusing on the risks, because it’s also about the need to deploy these new technologies and how to benefit best from them. So that’s aimed at the quantum and AI. The second is publication of a comparative report of existing frameworks around the world. And some of us may be aware of the European Union’s AI Act discussions, the proposed algorithmic accountability act in the United States. And no doubt, there’s others. So I’ve been privy to the IOT security report and the comparison of over 40 countries with so many reports is something that is truly helpful to understand where policymaking stands in the world. And I look forward to have a similar inventory for quantum and AI as well. That makes us real. Now, one of the things that Niklas was sharing is that a lot is happening and it’s not coordinated that well yet. So I think IS3C and the working group specifically would be able to fulfill a specific role in helping to make people more aware and in that way also help towards standardization and global collaboration on subjects that are truly global from nature, even if it’s also in the specific interest of national governments and stakeholders. But they cannot develop any standards effectively within isolation. Something is breaking down. Something was breaking down. I hope it wasn’t me. At least the people in the room, I think, understood me well. If there’s questions online, please use the chat because our online moderator is keeping an eye on that. And with that, back to you, Wout.

Moderator – Wout de Natris:
Yes. Thank you, Maarten. There’s also a new working group that hopefully will start working in 2024 and we’re having our first discussions with potential funders pretty soon. Before I open the floor to you, there’s one more person who’s going to present because as I said when we started that IS3C does not want to do this work in isolation. So how have we contributed to the Global Digital Compact? The presentations in the deep dives, but also how are we holding up with the sustainable development goals? So, Selby, you are in London. And again, I ask you to come online and present to us what you have found and where you think we can actually completely match. And if you’d like to share your presentation, share your screen, please.

Abraham Selby:
Okay. All right. Thank you very much, Wout. So, basically, looking at IS3C, what all the working groups are presenting, we have been working in so deeply to address the processes in terms of the sustainable development goals. So, to present the IS3C, our contribution to sustainable development goals, because all these things that we are doing, we are looking at how sustainable, how does it align with the UN SDG goals. So, when we look at the 17 SDG goals, as we all know, we are working towards this. And this is our guidelines in terms of the work IS3C is doing. So, as you see, we all know about IS3C, which we are working collaboratively to make the Internet more safer and also put the best practices around the Internet. We have this objective that we are working on under the SDG goals, which includes promoting a secure and resilient Internet infrastructure, which also supports sustainable development. And we also want to create a greater awareness of the importance of deploying existing global Internet standards, which enhances online security and data privacy protection as well. We also want to support international cooperation and also collaborate to address the Internet challenges that are hindering the achievement of SDG goals. Now, we will look at some of the relevant work that we are doing, as Janice, Nicolas, Wooten, Sam, and other people are presenting, and also our future work and how it can contribute to SDG goals. We are looking at some three thematic areas whereby we are working towards good health and well-being. This has been another goal for some of the working groups and will be highlighted because of time. And we have a full document to share on our website that you can have a detour for our work. This also includes the descent of work and economic good, because IS3C believes that our work should be very decent, and it also has to promote the good of our economy. Internet standards also help in terms of, as we are all moving the digital aspect of the world, we are trying to create employment opportunities. So, when we have all these working policies, working standards within our section, it can also help to create a decent work and economy, which are also aligned to the SDG goal. We also have industry innovation infrastructure, because as we know ICANN has partnered with the DNS securities and other IoT, then other quantum technologies. We know that the emerging technology, AIs, these are all industry innovations, which is helping work to become easier. So, UN also admits that we must be able to make sure that the SDG goals, we must create an innovation and infrastructure and industry experience that will help us all to live within the global as well. Now, let’s see some of the working areas and the working groups. We can see that the working group one, security by design, which focuses on the good health work being SDG 9, industry innovation, SDG 11, that’s the sustainable cities and communities. When we get all the reports, basically on security by design, we’ll be able to understand and get a concept based on what working group one is trying to achieve, and what they have done, and what in the future, how it all contributes to the SDG goals. We have working group two, the education and schools by DNS group, which they are contributing many aspects of the SDG goals, meaning that they are focused on the SDG 1, SDG 4, SDG 5, SDG 10, the quality education, and also creating an impact within the industry, innovation and other good health as well. When we also look at the Working Group 3, that’s the procurement supply chain where Wood was talking about, we are focusing our work to relevant the SDG 3 and SDG 9, which indirectly we are also contributing as part of the SDG 16 because it’s a work focus that we want to partner institutions to make sure that the internet standards are sustainable. And we also have Working Group 5, which they are prioritizing the listing and security related of internet standards and ICT best practices. And the outcome is achieving to contribute to the SDG 3 and SDG 9, which is also our main focus goal for the sustainable development goals. And then we have the Working Group 6, which is data governance. They have more work focus in terms of the SDG 3, that is creating more secure and safer transfer to global online environment. So they want to support in terms of the governance aspect, how can we sustain it and this all align with the UN Sustainable Development Goals. And we have Working Group 8, the DNS 2nd and RPKI deployments, which also works in terms with them, making sure that we align our focus based on SDG 3, we align on SDG 8 and SDG 9. Regarding Sustainable Development Group and Economic Group, we’re also concerned about sustainable, innovative and industrialization as we were discussing sooner. And we also look at the Working Group 9, which will be starting in the coming year where we have that our working policies should be able to target to the UN Sustainable Goals, which focuses on the SDG 3, SDG 8, SDG 9, ensuring that the global infrastructure for this transformative technology is secured. And it’s supposed to be something which is sustainable. And at the end of the day, all the work that we are doing are combined as an IS3C Group and we hope to get more input about other areas that we can collaborate with work to make sure that our work is very focused to the UN Agenda 2030. Thank you very much. And I really appreciate the short while for giving me the time to speak about our work. And we have also contributed to the Global Digital Compact as well with Dr. Alison Wild, where these are all processes that align in terms of working to the Sustainable Development Goals. And I really appreciate all these people who help us to work together, all the Working Group leaders helped us, and we also appreciate Olivier Woods and Mark as well. Thank you very much for this opportunity. And you can scan this QR code and visit our website, view our report, and also contact us through this medium as we present this to you. Thank you very much for this kind of opportunity today. Woods.

Moderator – Wout de Natris:
Yes, thank you very much, Selby, for this excellent work. And thank you for your presentation and getting up in the middle of the night. So thank you for that. I’m going to open the floor for questions or comments, but first I’m going to look if there’s anything online. No, nothing. Then who has a question to one of the people who wrote the reports or have a comment or would like to know something more? So there’s a microphone, so please step up. It was all very, very clear. Bastiaan, I’m going to perhaps ask you a question. Why is it so important? David had to leave because of another session, but why is it so important for ICANN and the RIPE NCC to support an initiative like the NSSEC and RPKI deployment?

Audience:
Yes, thank you. Thanks a lot and thanks everyone for the updates and the reports that I look forward to read. My name is Bastiaan Gosslings. I’m Dutch. I work for the RIPE NCC. I’m part of their policy team, the RIPE NCC being the Regional Internet Registry for Europe, the Middle East, and certain parts of Central Asia. And what we basically do at the core is allocate and register certain number resources, IP addresses, used to be IPv4, now it’s IPv6 addresses, as well as autonomous systems number. Those resources are used by networks, and they become a member of us in order to get those resources. They are used in order to configure their networks and to interconnect with other networks for the routing to happen. And I think, you know, as David very eloquently summarized, you know, and also using some nice day-to-day examples, both when it comes to the DNS and, on the other hand, the routing part, these are building blocks when it comes to the Internet, right? Everything else at the end of the day, all digital services, applications, everything depends on the workings of those functionalities and the protocols that are associated with those. Because he also said that the protocols underlying those, and if I focus on routing BGP, that’s from the previous century, right? So that’s 30 years old, and security has not been built into that. It was at the time, you know, created. It’s also like the technicalities, the equipment, the computers, et cetera, of course, was not capable of what modern-day equipment can do. So it was basically meant to work, and everyone, you know, that used, that worked in this community and used this type of equipment and wanted to interconnect with each other, they knew each other. People trusted each other. So it used to, it had to be like an easy to work with protocol, no overhead, and it would just have to work. Well, seeing where we are now, everything depends on it. For work, leisure, business, even public services, right? It just works, the Internet, and you communicate with your thinking, you communicate with, you reach out to content and consume that, you know, when you think you want to do so. But at the end of the day, it depends on these protocols without security being built in. The problem that we have now basically boils down to the fact that the tools are available, have been available for quite a long time. Adoption is happening, but it’s not going fast enough. We need to secure these fundaments that underpin the workings of the Internet. For all of us, like we as a regional Internet registry, part of our mission is also to facilitate and to enable others to use the Internet, right? And to enable the further development and innovation of it. But before, you know, we make the next steps, we need to fix the fundaments and I think, you know, we can use this opportunity in a multi-stakeholder context with a different narrative to hopefully attempt, you know, in another way to convince people why this is important. It’s not quite as technically complex as people think it is. It’s not as expensive as people actually think it is. And it’s not only, oh, I’m doing it and I’m helping someone else. No, it’s beneficial for yourself, right? If you are an online business providing services, you depend on the continuity of service, right? You don’t want it to break. You don’t want something to go wrong and that affecting your reputation, right? And then, well, whatever comes from that. And the same from a public interest perspective. I think we need to get our act together here. We are willing to contribute here. We think we can do this together, right? With the private sector, with governments, with other stakeholders, right, that have an interest here, whether it’s end users, civil society, others, academia. If we don’t do it, then they’re certainly from the region I come from, I wouldn’t be surprised if at a certain point legislators are going to say, hey, this doesn’t work. We just wait for another big incident and they’re going to regulate it. And that might have unintended consequences. I think we can do it ourselves. Everything is available. The knowledge is there. The experiences are there. We just need to change the narrative and that’s what we look forward to use this working group for. I hope that answers your

Moderator – Wout de Natris:
question. Yes, thank you, Basiaan. I think, would you like to respond? A different question.

Maarten Botterman:
I have a different question. Thanks for that. By the way, you have a session shortly, right, on RPKI focused as well. At what time? Nicholas, thanks for the work done with the research on IoT security. My interest for that was also because I’m also chairman of the dynamic coalition for IoT. So, having seen this report, what are the plans for next steps? We haven’t talked about that, but I think that work is not done, right? May I respond first and then show how you have

Nicolas Fiumarelli:
an opportunity? Yes, there are several new policy mentioning on IoT security. So, the idea is to continue the report, analyzing the new documents that are measuring 2022 and 2023, and incorporate the new conclusions and recommendations in the same basis. I think that is the next steps. We also have the idea of promoting more awareness campaigns, also tutorials, more directed maybe to policymakers to make sure that they are aware on what to do regarding adopting these standards. So, that are some of the next steps we have concluded in our research. Maybe,

Audience:
João, you want to add some of the next? Thank you. Well, the straight through next step is to try to create a framework to provide governments and organizations that want to create their best practices, their policy documents related to IoT security. Because now that we have like the abroad understanding of what is good and what not in IoT security, we can go further and try to improve to create new policy documents related to the same subject.

Moderator – Wout de Natris:
Thank you, João. I’m going to ask you another question because you actually was one of the researchers doing the work and then helped with writing the report. What was the most surprising thing that came up in the research you’ve done? How is it possible? Okay, thank you. Well, when we looked up all the documents, one thing that came into our mind is

Audience:
how difficult it is to tackle this issue because we have a compliance requirement very clear in the documents, but we also need to approach the same requirements to the engineering teams. And we saw several documents trying to tackle this issue, try to communicate to both audiences. And, well, this is definitely a great difficulty and a great challenge for this kind of regulation.

Nicolas Fiumarelli:
An extra comment about that is that there are several practices. Just to put some examples, like you need to use a strong password in your devices. You need to have a software update that is more continuous. But these things cannot, the user cannot take the responsibility of doing this. These need to be by design. That is the main idea. From the manufacturer, from the services, the core, these need to be assured. You cannot have the possibility of creating a weak password for your device. These need to be assured by the manufacturer, right? And the same with all the several areas we have identified. So in that case, this will be granted by design, right? And I think this is the main key issue we have found. Also, in terms of engaging more with the standardizing company, we are repeating and repeating about this. We haven’t found mentioning on the IETF. There are several working groups right now at the IETF, Software Update on the Internet of Things, Trusted Security Environment Protocols. These kind of protocols that are, again, by design in the core of the technology, in the core of the device, are not being seen in the policy documents. So that are some of the main conclusions as well.

Moderator – Wout de Natris:
Thank you, Joao. Thank you, Nicolas. I think that Martin, you want to respond?

Maarten Botterman:
Yeah, one additional question. How can new initiatives reach you and flow into your understanding of this? Because IETF isn’t standing still, nor is the regulation around it. Will there be an explicit inventory, or will there at least be an openness to receive suggestions or whatever? What is the plan? Yes, I think that we will analyze. We’ll see

Nicolas Fiumarelli:
how this goes over the next years. I think there will be some kind of pressure for doing the things better. Yes, this is how the policy makers need to be more involved in the processes for having these things emerge in the future. I think that that is the response from that. Sorry? Yes, yes, or in case that they are interested in knowing more about what are the things that they can do, they can also put in contact with the ISTC and see how we can organize some training or several activities we can do for more awareness, right, about these issues. I think that that would be definitely important, maybe to have a more global view

Audience:
of the assumptions for everyone. Well, now I changed mic because I have a question. So, Janice, when you talked about the responsibility and the ethics in the work on cybersecurity, this touched one part of me that is really worried because when I see, well, I work with cybersecurity, and when I see the day-to-day work, what we do resembles a lot with the right use of force because we use tools, we use really like dangerous pieces of software to test systems. And I think the professionals aren’t actually prepared to handle this and to contribute and to understand their pieces in society because when you keep like, I can see some resemblance with like undercover officers that have to use tools, have to like do things that resemble breaking laws, and at the end they just go home and expect not to use any of their knowledge to do harm. And how this challenge is seen in the education space. Thank you, Joel. If I understand the

Janice Richardson:
question correctly, the greatest danger on internet is actually the user himself. And many times, I work a lot with young people, also with university students, many times they know the right thing to do, but in fact, they don’t do it. One of the concerns that I have, security by design, there are always going to be products that don’t adopt the security by design. So finally, it goes back to the user himself. We’ve talked a lot about awareness, but awareness means absolutely nothing if it’s not education. You can be aware of something, but if you don’t incorporate it, advocate it to other people, then it’s not actually a part of you and you’re not practicing it. And I think this is what you’re saying, you know, but you go home and do something different. And why is it? It’s because we don’t understand the impact of what we’re doing. Because it’s a little bit like when you drive a car. My father always insisted if you get your driver’s license, you cannot drive until you know how to change a spark plug, I don’t know if they exist anymore, and how to change a tire. Unfortunately, this is just not happening now. We don’t understand that. We may, yeah, I was surprised that organizations, cyber security organizations say the young graduates who come to them have a good ethical understanding. An ethical understanding is no good if you don’t understand how things work and where you can apply those ethics. I’d also like to add another point. It’s not as gloomy as what I say, because a lot of cyber security experts who are working in industry are actually also university lecturers. They’re also the ones who, one day a week or a few hours a week, are actually giving these courses, but then they’re blocked, because they’re forced to follow a curriculum. They don’t have the resources. The resources are too expensive for them to get their hands on, and therefore, although they have good intentions, they’re also blocked. I think the question you asked was very large. I’ve tried to touch on many areas of it, but it’s a very vast thing. We keep hearing about awareness. Awareness is absolutely nothing if it doesn’t become firmly ingrained and if it is not education. Thanks for your question.

Audience:
Can I go further in one of the aspects that I touched in my question? Great. Janice, one of the things that burdens me is that we are training the next generation of cyber security professionals. These people will have a very specific knowledge, and actually, you can consider also a very dangerous knowledge, because as I worked in the past years, we learned and executed several security testings. I literally hacked systems to check if they were vulnerable or not. To me, this is actually an also learning challenge, because these people need to understand their role in this security space, because what I learned, what people that work with me learned, is actually quite dangerous if you use in the wrong way. How can we tackle this issue?

Janice Richardson:
What you’re saying is knowledge is power, and this is never more true than in the cyber security sector, but this knowledge has to come with the value. At the Council of Europe, we say that there are four areas of competences, and they must all be taught together. There are values, attitudes, skills, and knowledge and critical understanding. I suppose, seeing what you’re doing now, that you got these values at the same time as you got the knowledge, and this is what we as educators have to strive to do. Yes, there is always this bad apple who is going to use it and going to turn the things around, and this is where your standards come in. This is where the products must be less vulnerable to hackers, but also turn the thing around the other way. No one is more powerful in cyber security than a converted hacker, or as we call them, ethical hackers. Your knowledge has to come with the values, and has to be a full area of knowledge, and not just knowing how to do something, but not understanding all the repercussions.

Moderator – Wout de Natris:
Thank you. Thank you, Janice and Joao, for the question. I think we’re going slowly to the wrapping up of this session. I think the message that shines out from all the research is that, whether it’s on IoT, whether it’s on procurement, or having to make a list with the most important and urgent internet standards, and education, and skills, it all shows that we are not working on cyber security in a correct way. We’re working on mitigation, and in mitigation, there are billions to make money on, which is happening on maybe even a daily basis, but why not move to prevention? In prevention, that makes sure that some mistakes can’t happen anymore. The threats will disappear. Not all of them, but a lot of them, because the opportunity closes, and the technical community has made all these solutions to make that actually happen. What does it take for industry to actually deploy these measures, and these opportunities, and these solutions? What everybody is telling us, and also today we heard from Basia, it may not be a good idea to regulate, because regulate may lead to, as we saw in the policy comparisons, lead to completely different explanations even of a certain word. So how can industry deploy 93 standards of the same topic, perhaps, but it may happen if every country starts inventing the rules themselves. So if they do, it will take a global coordination, so that there is an understanding of what we’re doing. So that innovation may not be hampered, although that is something that I sincerely doubt, because all other industries that are regulated do have innovation, but that is a discussion that we’re not having today, but we’re trying to prevent regulation. But a simple act, if we can convince our decision makers, and decision takers, and our procurement officers to start demanding security, just like they demand security when they buy a car. Nobody goes, buy a car, and drive away, and find that the lights are not in there, that the brakes are not working, that there’s not even an engine in the car, that you have to push it yourself. So in other words, that is something that comes for granted, but why does it come for granted? Because governments did act at some point, saying you need the safety belts, you need a brake, you need a driver’s license, et cetera. So that is something that in internet, in fact, the technical community is doing for us. So now it’s about making sure that the people who lead this world, and lead organizations, start acting upon it. And then we start moving towards prevention, and not only mitigation. This dynamic coalition is now running for three years. So we announced ourselves at the virtual IGF in 2020. In 2021, in Katowice, in Poland, we were able to present our research plans. And in 2022, in Addis, we had our first report, and the serious announcement of work going to happen in this year. Now we are in Kyoto. And as you saw, we have delivered a lot of reports, upcoming tools, new ideas for work. As I said at the beginning, if you have an idea that fits under this dynamic coalition, and you think this should start a new working group on, then you can approach us. One of the things that are in the open at this moment, we’ve tried to start a working group last year on consumer advocacy. The funding did not come through, so that’s where the person who was leading it stepped out. But what if consumer organizations start testing products with the digital component included? That all shows up red, it would mean that consumers get alerted. It will probably make the news if these smart devices are shown as not secure. What about consumer regulators? What is in the laws already today that they can use to say to organizations and to industry, you’re not taking care of your customers? So is there an option there to do? So what could we do to convince these regulators to actually step in and step up their game? What about vulnerability disclosure? As Nicolas said, as a recommendation, what if we could align the world to test everything on the internet 24-7, just like the bad guys are doing, and make sure that there are protocols around that so that it’s all on the white side, and that what comes out is sent to the manufacturer or the developer or the service provider saying, your product is not secure. Can we have a discussion on that, that some sort of a global alignment is agreed upon and then disseminated so that governments can adopt that policy? We started with emerging technologies, also an idea that came up. So are there other ideas? I don’t know. I’m just saying what is sort of floating at this moment as potential working groups, but it could be something totally different, and it can come from any of you. I have five minutes left. Mark, I’m going to ask you, you’ve been on this trip with me from the very beginning. What are your thoughts on how we developed and what have you seen changed over the past three years?

Mark Carvell:
Well, thank you, Wout, and hello, everybody. Yes, I’ve been working with Wout from pretty much the concept stage before we launched the coalition. It seems a long time ago, and there have been many challenges, but we’ve moved forward incredibly, especially in the last year, with all the research, the incredibly valuable research that’s been undertaken by the working groups, as you’ve heard today with all our chairs of the working groups’ presentations on their outcomes. And these are tangible outcomes. They are providing us, really, with a resilient platform to go forward. So we need your help, and please follow up with us and spread the word about our objectives, our particular areas of focus, and also, as Wout described, our open invitation for you to contribute your ideas on what we do next, particularly in the areas of security by design and launching the hub, which Janice described in her presentation. There’s a lot of good thinking going on in terms of making that a real, impactful, practical proposition, a hub that brings together key experts in industry, in education, with outreach to policymakers worldwide on addressing what is our overall objective, the gaps in deployment of key security standards, and also, routing, and also, with the work we’re undertaking on emerging technologies. Thanks very much. Back to you, Wout.

Audience:
Yes. Thank you, Mark. Final question. Yes. Thank you. My name is Carlos Vera from IGF Ecuador. Thank you very much. Very interesting discussion. I would like to remark that not all the time, this is only a technical issue. Most of the time, this is a political or economical issue. Maybe the technicians are not understanding that this really is political and economic. Technical barrier for political or economical reasons. It’s simple, technically, to do very nice things. Also, there is a problem who say what is white or what is black or what is right or what is wrong. In some countries, the legal issues, the good things, they think is bad. Nicaragua, Cuba, has opposite vision that USA, Europe. So if the technician doesn’t understand that we work for the people that make politics and have the money, we lost the fight, definitely. What do you think? Thank you.

Moderator – Wout de Natris:
Thank you. I think you hit the nail on the head here because what we’ve been trying to say here in RS3C that this is not technical. If the decision is made, as soon as a boss said, I want this standard to be there, it’s there in five minutes probably. Or maybe somebody has to go to a course and then a week later he can deploy it. This is indeed a political, social, economic, and perhaps even, I don’t know, a human rights sort of thing in a way. So that is why we have working group eight that is going to work on that narrative to move it away from the technical side so that the decision maker gets a different choice and not just on a technical basis but based on political or economic or social, et cetera, reasons. So thank you for that question and that’s what we will try to do. We are at the final minute. I see it moving to the last minute. I think that you’ve heard that we’ve moved a long way, as we said, from an idea to actually putting out reports and showing that the IGF is able to come up with reports that are quite tangible. That’s not the reason why we’re doing it. We’re doing it for the security and to make the world safer and more secure for everyone. Mark already said that you can join us. You can join us by signing up through the IGF website. If you go to the dynamic coalitions and there click on internet safety and security coalition, you can join the mailing list. We won’t bombard you with all sort of spam. We’ll just announce meetings that we organize or announce new working groups. So please join there. We’re also always looking for funding so if you’re in a situation that could help one of the research that we’re doing, that would be most welcome as well because that’s the only way that we can make sure that we have professional reports because we can’t depend on volunteers only. But volunteer work is definitely welcome and that’s why I want to thank all the chairs here present for their work because it’s not Mark and me that are pushing this work but it’s the people who lead the working groups that actually make sure that things happen. We hope to be able to share the tools with you that next year we’re sitting here that we can rehearse. Here was Martin and Elif will come up with emerging technologies that we hear what the hub is doing that is being lifted and going forward and that we can actually find ways and that’s I think the most important point where I’m going to end with. It must not remain a digital piece of paper on the IGF website. We have to make sure that it translates into actions and that these actions is going to be what makes the world more secure and safer. So with that, I thank everybody here behind the table presented. Also Stephen in Singapore but especially Selby in London where it’s, I don’t know, at this moment it’s four o’clock or something or three o’clock. So I thank you all. Thank you all for being present and I hope that you’ve learned what we do but also that you appreciate what we do and if you like, join us and thank you very much for being present. Thank you. Thank you. Thank you.