Security of digital products: Industry and enhancing trust

11 Nov 2020 12:20h - 13:20h

Event report

The session, co-moderated by Mr Vladimir Radunovic (Director, E-diplomacy, DiploFoundation) and Ms Marília Maciel (Digital Policy Senior Researcher, DiploFoundation), addressed best practices and examples for creating global, resilient, and ethical digital products. This event drew on the Geneva Dialogue on Responsible Behaviour in Cyberspace, a project implemented by the Federal Department of Foreign Affairs of Switzerland and DiploFoundation.

The first part of the session tackled policy and regulatory approaches to increase the security of digital products from the perspective of governments. Mr David Koh (Commissioner of Cybersecurity and Chief Executive, Cyber Security Agency of Singapore) argued that the greater our reliance in digital technologies, the more trust needs to be enhanced. Trust is essential in the current context of accelerating digital transformation, and cybersecurity can be considered as its main driver.

Singapore implements cybersecurity best practices on various levels. Regionally, Singapore is active in the context of the Association of Southeast Asian Nations (ASEAN) in developing a long-term regional cybersecurity action plan for the implementation of new cyber norms. At the national level, Singapore developed a number of initiatives to work with the industry in strengthening cybersecurity. It launched the Safer Cyberspace Masterplan 2020 to strengthen cybersecurity among business communities, and small and medium-sized businesses and organisations. Singapore also published security-by-design guidelines, as well as a cybersecurity labelling scheme to raise the security levels of Internet of Things (IoT) devices. Mr Jon Albert Fanzun (Special Envoy for Cyber Foreign and Security Policy, Federal Department of Foreign Affairs of Switzerland) explained that, as technological competition intensifies and geopolitical tensions remain on the rise, the application of global norms and existing international laws to cyberspace is still uncertain and contested. This situation translates into a dramatic decline of trust. To address these challenges, Switzerland works to clarify the international rules in cyberspace, especially in the framework of the UN. Switzerland has also recently launched its new digital foreign policy strategy. Its four fields of action are: digital governance, prosperity and sustainable development, cybersecurity, and digital self-determination. The strategy highlights the importance of private actors in enhancing trust and security, and addressing current issues in digital governance, well-illustrated by the Geneva Dialogue on Responsible Behaviour in Cyberspace, which began in 2018.

The session addressed good corporate practices, especially in defining key terminologies, but also in building capacities and a security culture within the private sector. Ms Anastasiya Kazakova (Public Affairs Manager, Kaspersky) highlighted the role of the Geneva Dialogue in facilitating discussions on industry best practices and handling vulnerabilities, as well as offering a space to define a common terminology around the concepts of security-by-design, security-by-default, and trustworthiness. The Geneva Dialogue also provides an opportunity to exchange industry best practices, in an effort to enhance trust and avoid duplications. In terms of good practices, Mr Nestor Serravalle (Global Chief Sales Officer, VU) insisted on the need to develop and invest in the security culture of companies. This is not only a reputational problem, but also a matter of social responsibility. To enhance trust, the internal processes of businesses need to evolve in order to maintain the digital security of the people using their products. Mr Barrack Otieno (Trustee, Kenya ICT Action Network) explained that the majority of start-ups and small enterprises in the Global South usually face harsh economic environments and struggle to stay afloat. The issue of security-by-design can thus become secondary in their business operations. This also translates into a lack of adherence to non-mandatory security standards. Additionally, Otieno mentioned the fact that security is not understood similarly in all parts of the world. Koh agreed that cultural differences and nuances need to be taken into account to enhance trust, as was shown for instance in the recent debates around contact tracing in the context of the COVID-19 pandemic. Trust is not only a technical issue, but has also a human dimension.

The session was highly interactive, and several participants took the floor while number of participants exchanged reflections and discussed issues in the chat. The audience noted that public-private partnerships (PPP) is important to bridge trust gaps. A participant noted that governments should create collaborative environments. It was also noted that it is necessary to assess how new products and technologies can impact the society. The need for transparency in digital products by letting the community review codes were also highlighted.

In the chat, participants highlighted the interdependence between trust and security. Norms on cybersecurity were identified as building blocks of trust and collaboration among relevant actors.   It was noted that trust it is not only about technology, it heavily depends on individual’s perceptions.  Some preconditions for enhancing trust and security mentioned by the participants are accountability, predictability, transparency, consistency, reliability, dependability and awareness.

The role of standards in promoting security was also mentioned. There were discussions on how to strengthen the adoption of security standards. The recently launched IGF Dynamic Coalition on Internet Standards, Security and Safety (DC-ISSS) was identified as a hub to continue discussions on this topic.

Some participants mentioned the interplay between encryption technologies and trust. There were different views on whether encryption strengthens or undermines trust. Quantum was pointed out as a potential way to overcome the shortcomings of encryption technologies.

The session concluded with Radunovic inviting participants to comment on the ouput document of the Geneva Dialogue.