On how to procure/purchase secure by design ICT | IGF 2023 Day 0 Event #23

8 Oct 2023 05:25h - 06:55h UTC

Event report

Speakers and Moderators

Speakers:
  • Mallory Knodel, IS3C Working Group 3 Chair; Center for Democracy & Technology – Civil Society – North America
  • Elizabeth Orembo, IS3C Working Group 3 Lead Researcher; Global Cyber Security Capacity Centre – Technical Community – Africa
  • Bart Knubben, Platform Internetstandards – government – Europe
  • Steven Tan, Cyber Security Agency Singapore – Government – Asia
Moderators:
  • Mallory Knodel, IS3C Working Group 3 Chair; Center for Democracy & Technology – Civil Society – North America
  • Mark Carvell, IS3C Senior Policy Adviser; Independent Internet Governance Consultant – Private Sector – Europe


Disclaimer: This is not an official record of the IGF session. The DiploAI system automatically generates these resources from the audiovisual recording. Resources are presented in their original format, as provided by the AI (e.g. including any spelling mistakes). The accuracy of these resources cannot be guaranteed. The official record of the session can be found on the IGF's official website.


Session report

David Huberman

The analysis addresses various topics related to internet standards, security, and vulnerabilities. It starts by highlighting that the Border Gateway Protocol (BGP) and Domain Name System (DNS) are outdated protocols that were not originally designed with security in mind. However, efforts have been made over the past two decades by the Internet Engineering Task Force to enhance the security of these protocols.

The analysis emphasises that enhancements such as Resource Public Key Infrastructure (RPKI) and Domain Name System Security Extensions (DNSSEC) have proven effective in improving internet security. RPKI enables providers to authenticate the origins of routing information, protecting against malicious route hijacking, misconfigurations, and IP spoofing. DNSSEC ensures the integrity of DNS queries, ensuring users receive the intended data from website administrators.

While RPKI and DNSSEC have shown promise, there is a need to increase their adoption. Currently, DNSSEC is only used by approximately 25% of all domain names, while RPKI has greater deployment, particularly among Internet Service Providers (ISPs). However, broader deployment of RPKI throughout the global routing system is necessary to enhance overall internet security.

The analysis also underscores the importance of stakeholder involvement in internet standards development. Governments and civil societies should actively participate in shaping these standards to meet the demands of a global scale in 2023. The Dutch government’s integration of internet standards with public policy, as demonstrated by their internet.nl website, is commendable.

Furthermore, the analysis highlights the significance of understanding internet vulnerabilities. Regardless of a country’s geopolitical situation, vulnerabilities present opportunities for exploitation for personal gain or the creation of chaos. Therefore, it is crucial for every country, regardless of size or peacefulness, to comprehend these vulnerabilities and implement regulations to minimize risks and secure their networks.

Overall, the analysis concludes that enhancing internet security and promoting the adoption of standards are essential for protecting users and ensuring the stability of the global internet ecosystem. Recognition by the United States government of routing as a matter of national security signifies their commitment to adopting RPKI and verifying Route Origin Authorizations (ROAs). By implementing measures to understand and address internet vulnerabilities, the digital landscape can be better safeguarded, ensuring the safety and stability of the global internet ecosystem.
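The ROA verification mentioned above, as an added example that is not part of the session report: route origin validation as specified in RFC 6811, run over a constructed set of ROAs (prefix, maximum length, origin ASN) to classify each BGP announcement as Valid, Invalid or NotFound. All ROA entries and announcements below are constructed sample values, not registry data.

```python
"""RPKI route origin validation (RFC 6811) over a constructed ROA set."""
from dataclasses import dataclass
from ipaddress import ip_network, IPv4Network, IPv6Network
from typing import Iterable, List, Tuple, Union

Net = Union[IPv4Network, IPv6Network]


@dataclass(frozen=True)
class ROA:
    prefix: Net       # prefix the holder has authorised
    max_length: int   # longest prefix length that may be announced under it
    asn: int          # authorised origin AS; 0 means "do not originate"


def roa(prefix: str, max_length: int, asn: int) -> ROA:
    return ROA(ip_network(prefix), max_length, asn)


# Constructed sample ROAs (documentation prefixes and private ASNs, not real).
ROAS: List[ROA] = [
    roa("192.0.2.0/24", 24, 64496),
    roa("198.51.100.0/22", 24, 64497),
    roa("2001:db8::/32", 48, 64496),
    roa("203.0.113.0/24", 24, 0),      # AS0 ROA: prefix must not be announced
]


def covers(r: ROA, announced: Net) -> bool:
    """A ROA covers a route when the ROA prefix contains the announced prefix."""
    return r.prefix.version == announced.version and announced.subnet_of(r.prefix)


def validate(prefix: str, origin_asn: int, roas: Iterable[ROA] = ROAS) -> str:
    """Return the RFC 6811 validation state for one announcement."""
    announced = ip_network(prefix)
    covering = [r for r in roas if covers(r, announced)]
    if not covering:
        return "NotFound"          # no ROA says anything about this prefix
    for r in covering:
        # A covering ROA matches only if the origin AS is the authorised one
        # (never AS0) and the announcement is not more specific than maxLength.
        if r.asn != 0 and r.asn == origin_asn and announced.prefixlen <= r.max_length:
            return "Valid"
    return "Invalid"               # covered, but no ROA matches: hijack or misconfig


def summarise(announcements: Iterable[Tuple[str, int]]) -> dict:
    """Count validation states over a feed of (prefix, origin ASN) pairs."""
    counts = {"Valid": 0, "Invalid": 0, "NotFound": 0}
    for prefix, asn in announcements:
        counts[validate(prefix, asn)] += 1
    return counts
```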

Annemiek (Dutch government)

The Dutch government has implemented a comply or explain list for ICT services, which includes approximately 40 open standards, including standards for internet safety. Maintainers suggest which standards should be included in the list. Although the use of these standards is mandatory, there are no penalties for non-compliance; instead, they are recommended for use in services.

To ensure the adoption of these standards, the government actively monitors their utilization, particularly in procurement. Monitoring reports are submitted to the Ministry of Internal Affairs and then to Parliament. Tenders that fail to use any listed standard need to explain why in their annual report. The internet.nl tool is used for monitoring purposes.

Furthermore, the government encourages community collaboration and engages with major suppliers. The internet.nl tool is used to facilitate discussions, and Microsoft, one of the suppliers, has shown openness to discussions and plans to implement the open standard DANE in its email servers.

Regarding accessibility, the Dutch government is developing dashboards that integrate internet.nl for accessibility purposes. This demonstrates the government’s commitment to digital accessibility and reducing inequalities.

Additionally, the Dutch government advocates for the adoption of their developed dashboard system for digital accessibility, encouraging other countries to follow their lead.

The government also promotes the use of IPv6, recognizing the societal benefits it can bring.

Rather than enforcing rules, the government emphasizes practical application and experience in the field. They adopt a stimulating approach to encourage the use of standards.

In procurement processes, the Dutch government uses a special tender website that supports open standards. This website includes CPV codes to support the procurement of goods and services adhering to these standards.

Raising awareness and understanding among procurement departments about the technical aspects of standards is considered crucial. The procurement department needs to communicate with the architecture or other employees to understand the technical details, as most procurement departments lack technical knowledge.

The government also advocates for online security through the implementation of open standards. They employ the internet.nl tool to verify the application of open standards in organizations.

To incentivize organizations to use open standards, the Dutch government operates a Hall of Fame. Organizations that score 100% on internet.nl, fully implementing all open standards, are rewarded with t-shirts.

In conclusion, the Dutch government has taken significant steps to promote the adoption of open standards in various sectors. Their comply or explain list, monitoring initiatives, community collaboration, and emphasis on practical application demonstrate their commitment to industry innovation and infrastructure. By developing dashboards for accessibility, encouraging other countries to follow their lead, and supporting online security, the Dutch government strives for a more inclusive and secure digital environment.

Mark Carvell

Procurement and supply chain management play a crucial role in driving the adoption of essential security-related standards. These standards are vital for safeguarding businesses, organizations, and individuals against security breaches and ensuring the integrity and confidentiality of sensitive information. By implementing these standards in the procurement and supply chain processes, secure practices are maintained throughout the entire supply chain, from sourcing raw materials to delivering the final product.

The IS3C (Information Sharing and Analysis and Operations Centers) is instrumental in gathering valuable information on procurement and supply chain management. This knowledge base provides insights and best practices that can be used to enhance security standards. However, it is recommended to incorporate experiences from other countries to widen the scope and applicability of this resource, ultimately creating a more comprehensive and globally relevant framework.

Unfortunately, incidents of security failures in the UK, such as data breaches affecting police forces and financial services, are reported without appropriate follow-up remedial measures. These security failures can have severe consequences, including compromised data, financial losses, and potential risks to national security. To address this issue, it is imperative to establish a consistent reporting mechanism that accurately documents the consequences of security failures. Furthermore, remedial measures should be widely distributed through channels like the IS3C, enabling organizations to learn from past mistakes and take proactive measures to prevent similar breaches.

In conclusion, procurement and supply chain management are integral to adopting critical security-related standards. The IS3C’s efforts to collate valuable information are commendable, but it is necessary to expand this resource by incorporating experiences from other countries. Additionally, addressing the lack of follow-up remedial measures in response to security failures is crucial. By implementing proper reporting and distribution mechanisms through channels like the IS3C, security practices can be enhanced, and future breaches can be mitigated.

Audience

The analysis of the provided data reveals several key points regarding the government’s adoption of digital standards and the implementation of cybersecurity measures in Canada and the Netherlands, as well as the importance of accessibility in public procurement.

One of the main findings is that the Canadian government lacks a consistent standard in procurement, leading to negative sentiment among the audience. The absence of a single set of standards used by the same government department is a significant drawback. Additionally, each province in Canada has its own legislation governing privacy and digital communications, further contributing to inconsistency in the procurement process.

On the other hand, there is a potential for legislative change in Canada, as Senator Colin Deacon has been spearheading various legislative frameworks. This development is viewed positively by the audience, as it could lead to improved standards and practices in digital adoption within the government.

In terms of accessibility, it is noteworthy that public procurement for accessible digital goods and services is being adopted by several countries, with a focus on the inclusion of persons with disabilities. Standards for accessibility procurement exist in the US and EU and have been adopted by countries like Australia, India, and Kenya. However, it is highlighted that despite the existence of a monitoring system for web accessibility in government procurement in Australia, lack of funding led to its discontinuation.

Turning to the Netherlands, the Dutch government is actively developing dashboards such as internet.nl for accessibility purposes. This initiative is positively received, as it demonstrates their commitment to improving accessibility for digital products and services.

In terms of cybersecurity, efforts are being made by the RIPE NCC and ICANN to improve the adoption of techniques like DNSSEC (Domain Name System Security Extensions) and RPKI (Resource Public Key Infrastructure). The audience appreciates the efforts made by Dutch public authorities and the government in terms of standardization and cybersecurity.

Education and stakeholder involvement are highlighted as crucial factors in ensuring cybersecurity. Both civil society organizations and personal training have proven to be effective in fostering informed discourse and persuading operators to adopt security measures. Additionally, the analysis highlights the importance of proactive implementation of internet security measures to prevent potential digital mishaps that could be costly in terms of time, money, and stress.

The analysis also notes the challenges faced by telecom carriers in implementing new security technologies due to cost and scaling requirements. However, it suggests that subscription services could provide a steady source of funding for ongoing security improvements.

The lack of skilled engineers is identified as another challenge in the implementation of cybersecurity measures, as highlighted by the example of Kyoto University being unable to implement certain security measures due to a shortage of skilled personnel.

Overall, the analysis underscores the importance of consistent standards in procurement, legislative change, accessibility, and cybersecurity in the digital governance efforts of Canada and the Netherlands. It also recognizes the positive steps taken by various stakeholders, such as Senator Colin Deacon and the Dutch government, in driving these initiatives forward.

Wout de Natris

In the realm of cybersecurity, there is a pressing need for a stronger focus on prevention. This can be achieved through secure-by-design procurement and the implementation of internet standards. Initially, internet standards were created by the technical community without prioritizing security, resulting in vulnerabilities. Most procurement documents do not mention security, and when they do, they fail to specifically address cybersecurity or internet standards. Governments can help improve cybersecurity by demanding the incorporation of these standards when procuring software or services. By doing so, they can significantly enhance cybersecurity measures and reduce the risk of cyber attacks.

The DNSSEC and RPKI Deployment working group aims to bring about a transformation in the cybersecurity conversation. This initiative represents a shift towards prevention and secure-by-design concepts, moving away from solely focusing on mitigation efforts. The goal of the working group is to translate ideas into tangible actions, aligning with the objectives set by the UN Secretary-General.

Securing the public core of the internet is of paramount importance. This includes both the physical infrastructure and the standards guiding its operation. Currently, there is a lack of recognition and implementation of these standards, leaving the system vulnerable to cyber attacks.

While tools and standards to enhance security have been available for a significant amount of time, their adoption has been sluggish. This highlights the need for greater awareness and proactive efforts in implementing these measures.

The existing state of the internet infrastructure can be seen as a market failure, necessitating governmental or legislative intervention. The internet infrastructure is outdated and requires improvements. The European Union has already implemented significant legislation affecting both the infrastructure and the ecosystem.

Wout de Natris, an active participant in the discussion, advocates for a change in the narrative surrounding cybersecurity. He emphasizes the importance of persuading people in leadership positions to prioritize cybersecurity from the outset, rather than treating it as an afterthought.

The protection of the routing infrastructure is now considered critical for national security by the United States government. Government officials are actively discussing routing security principles and the use of technical terms such as RPKI (Resource Public Key Infrastructure) and ROA (Route Origin Authorization). There is an intention to leverage government power to enforce regulations and ensure the secure functioning of the routing infrastructure.

If organizations do not voluntarily adopt internet security standards, the government may impose regulations on them. This highlights the importance of voluntary adoption and proactive implementation of security measures within organizations.

Government procurement is identified as a potential game-changer for the deployment of secure internet design standards. De Natris suggests that if regulation is avoided, procurement can be a powerful tool for promoting security standards.

IS3C aims to hand over knowledge and tools for cybersecurity, with the responsibility of implementation and deployment lying with respective countries. Their work has broader implications beyond internet standards, as they also focus on emerging technologies such as artificial intelligence, quantum computing, and the metaverse. This broad scope aligns with the Sustainable Development Goals and the need for global cooperation.

In the area of Internet of Things (IoT) security, there is an opportunity to enhance security through the adoption of open standards. The existing policies on IoT security across the globe are predominantly voluntary, necessitating a global transformation in the regulatory framework.

In conclusion, a shift towards prevention in cybersecurity and the prioritization of secure-by-design procurement are imperative. The implementation of internet standards and the proactive adoption of security measures are crucial to mitigate vulnerabilities. Governmental involvement, through procurement and regulatory intervention, is necessary to promote and enforce these measures. The work of initiatives like the DNSSEC and RPKI Deployment group and IS3C contribute to transforming the narrative and addressing emerging challenges in cybersecurity.
