Security of digital products – a coordinated approach

Event report

The exploitation of vulnerabilities in digital products is an essential component of cyberattacks. Several multilateral and multistakeholder forums develop norms and principles to reduce such vulnerabilities. Standard-setting organisations cope with developing new standards, while national regulators propose baseline requirements and certification and labelling schemes. The Geneva Dialogue on Responsible Behaviour in Cyberspace project (Geneva Dialogue) brings together global companies to develop a set of good corporate practices that translate high-level principles into day-to-day operations. The session, moderated by Mr Vladimir Radunović, was built on the workshop on the security of digital products organised by the Geneva Dialogue at the IGF 2020 and its ongoing work in this field.

The Geneva Dialogue initiative was introduced briefly by Mr Benedikt Wechsler (Head of Division for Digitalisation, Federal Department of Foreign Affairs (FDFA) of Switzerland) who explained that its purpose is to build a bridge between the principles and the practical level by applying a bottom-up approach. This approach brings together the private sector, the regulators, the information technology (IT) community, and the civil sector. Its main strength is its ability to be practical and non-ideological and to develop actionable principles for the security of digital products.

Mr Lexey Kuznetsov (Head of Security Analysis, BI.ZONE) elaborated on the magnitude of the problem derived from the security of digital products today. There is an increase in the number of attacks and vulnerabilities these days, especially since IT infrastructure is becoming more code-based. As codes become more complex (with digital products ending up as part of the critical infrastructure) and developers don’t have enough security knowledge, there is a need to improve transparency and apply a more responsible approach to digital products.

From the perspective of policy and regulation, digital products constitute a new field of governance and regulation. Ms Nele Achten (Senior Researcher for Cyber Security and Foreign Policy, ETHZ Center for Security Studies) presented her research on the topic noting that the term digital products is not used in regulatory instruments or guidelines on the operational level. Furthermore, her analysis revealed that the industry is not against mandatory security requirements, but there is a need for better transnational recognition of certifications. This raises two questions: Which actors are capable of advancing policies of digital products security on an international level? Can we develop policies applicable for all types of digital products?

Mr Edwin Sin (Singapore Cybersecurity Authority) provided a possible answer to some of Achten’s questions by presenting the Singapore CLS initiative. The CLS demonstrates how stakeholders can collaborate (in this case, the regulator and the private sector) in creating labels for securing digital products. Furthermore, the collaboration between Singapore and Finland in recognising each other’s labels demonstrates that states can collaborate and bridge the gap on a more international level.

Work by the Paris Call provides another example of a multistakeholder initiative dealing with ICT supply chain security. Ms Anastasiya Kazakova (Senior Public Affairs Manager, Kaspersky) presented the project in brief. The objective of the work is to shed light on the implementation of the existing OECD recommendations on the topic and share practical, actionable steps stakeholder groups can take for stronger ICT supply chain security. The main conclusion is that all actors have a role to play towards stronger ICT supply chain security. She explicitly highlighted the need to create incentives for security-focused behaviour on both the supply and demand side, enhancing ICT supply chain transparency by the public and private sector, and ensuring harmonisation across emerging national regulatory and industry approaches.

The topic of harmonisation was echoed in the discussion that followed around the issue of standardisation organisations and regulators and the need to incorporate them in the talks.

By Efrat Daskal

Session in numbers and graphs

Automated summary

Diplo’s AI Lab experiments with automated summaries generated from the IGF sessions. They will complement our traditional reporting. Please let us know if you would like to learn more about this experiment at ai@diplomacy.edu. The automated summary of this session can be found at this link.