On how to procure/purchase secure by design ICT | IGF 2023 Day 0 Event #23
Disclaimer: It should be noted that the reporting, analysis and chatbot answers are generated automatically by DiploGPT from the official UN transcripts and, in case of just-in-time reporting, the audiovisual recordings on UN Web TV. The accuracy and completeness of the resources and results can therefore not be guaranteed.
Session report
Full session report
David Huberman
The analysis addresses various topics related to internet standards, security, and vulnerabilities. It starts by highlighting that the Border Gateway Protocol (BGP) and Domain Name System (DNS) are outdated protocols that were not originally designed with security in mind. However, efforts have been made over the past two decades by the Internet Engineering Task Force to enhance the security of these protocols.
The analysis emphasises that enhancements such as Resource Public Key Infrastructure (RPKI) and Domain Name System Security Extensions (DNSSEC) have proven effective in improving internet security. RPKI enables providers to authenticate the origins of routing information, protecting against malicious route hijacking, misconfigurations, and IP spoofing. DNSSEC ensures the integrity of DNS queries, ensuring users receive the intended data from website administrators.
While RPKI and DNSSEC have shown promise, there is a need to increase their adoption. Currently, DNSSEC is only used by approximately 25% of all domain names, while RPKI has greater deployment, particularly among Internet Service Providers (ISPs). However, broader deployment of RPKI throughout the global routing system is necessary to enhance overall internet security.
The analysis also underscores the importance of stakeholder involvement in internet standards development. Governments and civil societies should actively participate in shaping these standards to meet the demands of a global scale in 2023. The Dutch government’s integration of internet standards with public policy, as demonstrated by their internet.nl website, is commendable.
Furthermore, the analysis highlights the significance of understanding internet vulnerabilities. Regardless of a country’s geopolitical situation, vulnerabilities present opportunities for exploitation for personal gain or the creation of chaos. Therefore, it is crucial for every country, regardless of size or peacefulness, to comprehend these vulnerabilities and implement regulations to minimize risks and secure their networks.
Overall, the analysis concludes that enhancing internet security and promoting the adoption of standards are essential for protecting users and ensuring the stability of the global internet ecosystem. Recognition by the United States government of routing as a matter of national security signifies their commitment to adopting RPKI and verifying Route Origin Authorizations (ROAs). By implementing measures to understand and address internet vulnerabilities, the digital landscape can be better safeguarded, ensuring the safety and stability of the global internet ecosystem.
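The ROA verification mentioned above is the route origin validation step of RPKI. The following Python is an added illustration (not code from the session, ICANN or IS3C) of the RFC 6811 comparison of a BGP announcement against a set of ROAs, with a conservative policy that drops only announcements found Invalid; every prefix, AS number and ROA here is a constructed sample from documentation ranges.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class ROA:
    """A validated Route Origin Authorization: prefix, maxLength, origin AS."""
    prefix: str      # covered prefix, e.g. "192.0.2.0/24"
    max_length: int  # most-specific prefix length this ROA authorises
    origin_as: int   # AS allowed to originate it; AS0 authorises nobody


# Constructed sample ROAs (documentation prefixes and private-use ASNs).
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("2001:db8::/32", 48, 64496),
    ROA("198.51.100.0/24", 24, 0),   # AS0 ROA: prefix must not be originated
]


def covers(roa: ROA, route_prefix: str) -> bool:
    """True if the ROA prefix contains the announced prefix (same IP version)."""
    r = ip_network(roa.prefix, strict=False)
    p = ip_network(route_prefix, strict=False)
    return r.version == p.version and p.subnet_of(r)


def validate_route(roas, route_prefix: str, origin_as: int) -> str:
    """RFC 6811 route origin validation: returns Valid, Invalid or NotFound."""
    covering = [roa for roa in roas if covers(roa, route_prefix)]
    if not covering:
        return "NotFound"          # no ROA says anything about this prefix
    plen = ip_network(route_prefix, strict=False).prefixlen
    for roa in covering:
        # Origin must match and announcement must not be more specific
        # than maxLength; an AS0 ROA can never match a real origin AS.
        if roa.origin_as == origin_as and plen <= roa.max_length:
            return "Valid"
    return "Invalid"               # covered, but wrong origin or too specific


def accept_routes(roas, announcements):
    """Apply the common 'reject Invalid' policy to (prefix, origin_as) pairs.

    NotFound routes are kept because most of the routing table is still
    unsigned; only announcements contradicted by a ROA are dropped.
    """
    return [
        (prefix, asn) for prefix, asn in announcements
        if validate_route(roas, prefix, asn) != "Invalid"
    ]


if __name__ == "__main__":
    # Constructed announcements: legitimate, hijack, over-specific, unsigned.
    announcements = [
        ("192.0.2.0/24", 64496),
        ("192.0.2.0/24", 64511),     # hijack from an unauthorised AS
        ("192.0.2.0/25", 64496),     # exceeds maxLength
        ("203.0.113.0/24", 64496),   # no ROA at all
        ("198.51.100.0/24", 64496),  # AS0 ROA forbids any origin
        ("2001:db8:1::/48", 64496),
    ]
    for prefix, asn in announcements:
        print(prefix, asn, validate_route(SAMPLE_ROAS, prefix, asn))
    print("accepted:", accept_routes(SAMPLE_ROAS, announcements))
```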
Annemiek (Dutch government)
The Dutch government has implemented a comply or explain list for ICT services, which includes approximately 40 open standards, including specific standards such as internet safety. Maintainers suggest which standards should be included in the list. Although the use of these standards is mandatory, there are no penalties for non-compliance; instead, they are recommended for use in services.
To ensure the adoption of these standards, the government actively monitors their utilization, particularly in procurement. Monitoring reports are submitted to the Ministry of Internal Affairs and then to Parliament. Tenders that fail to use any listed standard need to explain why in their annual report. The internet.nl tool is used for monitoring purposes.
Furthermore, the government encourages community collaboration and engages with major suppliers. The internet.nl tool is used to facilitate these discussions, and Microsoft, one of the suppliers, has shown openness to discussion and plans to implement the open standard DANE in its email servers.
Regarding accessibility, the Dutch government is developing dashboards that integrate internet.nl for accessibility purposes. This demonstrates the government’s commitment to digital accessibility and reducing inequalities.
Additionally, the Dutch government advocates for the adoption of their developed dashboard system for digital accessibility, encouraging other countries to follow their lead.
The government also promotes the use of IPv6, recognizing the societal benefits it can bring.
Rather than enforcing rules, the government emphasizes practical application and experience in the field. They adopt a stimulating approach to encourage the use of standards.
In procurement processes, the Dutch government uses a special tender website that supports open standards. This website includes CPV codes to support the procurement of goods and services adhering to these standards.
Raising awareness and understanding among procurement departments about the technical aspects of standards is considered crucial. The procurement department needs to communicate with the architecture or other employees to understand the technical details, as most procurement departments lack technical knowledge.
The government also advocates for online security through the implementation of open standards. They employ the internet.nl tool to verify the application of open standards in organizations.
To incentivize organizations to use open standards, the Dutch government operates a Hall of Fame. Organizations that score 100% on internet.nl, fully implementing all open standards, are rewarded with t-shirts.
In conclusion, the Dutch government has taken significant steps to promote the adoption of open standards in various sectors. Their comply or explain list, monitoring initiatives, community collaboration, and emphasis on practical application demonstrate their commitment to industry innovation and infrastructure. By developing dashboards for accessibility, encouraging other countries to follow their lead, and supporting online security, the Dutch government strives for a more inclusive and secure digital environment.
Mark Carvell
Procurement and supply chain management play a crucial role in driving the adoption of essential security-related standards. These standards are vital for safeguarding businesses, organizations, and individuals against security breaches and ensuring the integrity and confidentiality of sensitive information. By implementing these standards in the procurement and supply chain processes, secure practices are maintained throughout the entire supply chain, from sourcing raw materials to delivering the final product.
The IS3C (Internet Standards, Security and Safety Coalition) is instrumental in gathering valuable information on procurement and supply chain management. This knowledge base provides insights and best practices that can be used to enhance security standards. However, it is recommended to incorporate experiences from other countries to widen the scope and applicability of this resource, ultimately creating a more comprehensive and globally relevant framework.
Unfortunately, incidents of security failures in the UK, such as data breaches affecting police forces and financial services, are reported without appropriate follow-up remedial measures. These security failures can have severe consequences, including compromised data, financial losses, and potential risks to national security. To address this issue, it is imperative to establish a consistent reporting mechanism that accurately documents the consequences of security failures. Furthermore, remedial measures should be widely distributed through channels like the IS3C, enabling organizations to learn from past mistakes and take proactive measures to prevent similar breaches.
In conclusion, procurement and supply chain management are integral to adopting critical security-related standards. The IS3C’s efforts to collate valuable information are commendable, but it is necessary to expand this resource by incorporating experiences from other countries. Additionally, addressing the lack of follow-up remedial measures in response to security failures is crucial. By implementing proper reporting and distribution mechanisms through channels like the IS3C, security practices can be enhanced, and future breaches can be mitigated.
Audience
The analysis of the provided data reveals several key points regarding the government’s adoption of digital standards and the implementation of cybersecurity measures in Canada and the Netherlands, as well as the importance of accessibility in public procurement.
One of the main findings is that the Canadian government lacks a consistent standard in procurement, leading to negative sentiment among the audience. The absence of a single set of standards used by the same government department is a significant drawback. Additionally, each province in Canada has its own legislation governing privacy and digital communications, further contributing to inconsistency in the procurement process.
On the other hand, there is a potential for legislative change in Canada, as Senator Colin Deacon has been spearheading various legislative frameworks. This development is viewed positively by the audience, as it could lead to improved standards and practices in digital adoption within the government.
In terms of accessibility, it is noteworthy that public procurement for accessible digital goods and services is being adopted by several countries, with a focus on the inclusion of persons with disabilities. Standards for accessibility procurement exist in the US and EU and have been adopted by countries like Australia, India, and Kenya. However, it is highlighted that despite the existence of a monitoring system for web accessibility in government procurement in Australia, lack of funding led to its discontinuation.
Turning to the Netherlands, the Dutch government is actively developing dashboards such as internet.nl for accessibility purposes. This initiative is positively received, as it demonstrates their commitment to improving accessibility for digital products and services.
In terms of cybersecurity, efforts are being made by the RIPE NCC and ICANN to improve the adoption of techniques like DNSSEC (Domain Name System Security Extensions) and RPKI (Resource Public Key Infrastructure). The audience appreciates the efforts made by Dutch public authorities and the government in terms of standardization and cybersecurity.
Education and stakeholder involvement are highlighted as crucial factors in ensuring cybersecurity. Both civil society organizations and personal training have proven to be effective in fostering informed discourse and persuading operators to adopt security measures. Additionally, the analysis highlights the importance of proactive implementation of internet security measures to prevent potential digital mishaps that could be costly in terms of time, money, and stress.
The analysis also notes the challenges faced by telecom carriers in implementing new security technologies due to cost and scaling requirements. However, it suggests that subscription services could provide a steady source of funding for ongoing security improvements.
The lack of skilled engineers is identified as another challenge in the implementation of cybersecurity measures, as highlighted by the example of Kyoto University being unable to implement certain security measures due to a shortage of skilled personnel.
Overall, the analysis underscores the importance of consistent standards in procurement, legislative change, accessibility, and cybersecurity in the digital governance efforts of Canada and the Netherlands. It also recognizes the positive steps taken by various stakeholders, such as Senator Colin Deacon and the Dutch government, in driving these initiatives forward.
Wout de Natris
In the realm of cybersecurity, there is a pressing need for a stronger focus on prevention. This can be achieved through secure-by-design procurement and the implementation of internet standards. Initially, internet standards were created by the technical community without prioritizing security, resulting in vulnerabilities. Most procurement documents do not mention security, and when they do, they fail to specifically address cybersecurity or internet standards. Governments can help improve cybersecurity by demanding the incorporation of these standards when procuring software or services. By doing so, they can significantly enhance cybersecurity measures and reduce the risk of cyber attacks.
The DNSSEC and RPKI Deployment working group aims to bring about a transformation in the cybersecurity conversation. This initiative represents a shift towards prevention and secure-by-design concepts, moving away from solely focusing on mitigation efforts. The goal of the working group is to translate ideas into tangible actions, aligning with the objectives set by the UN Secretary-General.
Securing the public core of the internet is of paramount importance. This includes both the physical infrastructure and the standards guiding its operation. Currently, there is a lack of recognition and implementation of these standards, leaving the system vulnerable to cyber attacks.
While tools and standards to enhance security have been available for a significant amount of time, their adoption has been sluggish. This highlights the need for greater awareness and proactive efforts in implementing these measures.
The existing state of the internet infrastructure can be seen as a market failure, necessitating governmental or legislative intervention. The internet infrastructure is outdated and requires improvements. The European Union has already implemented significant legislation affecting both the infrastructure and the ecosystem.
Wout de Natris, an active participant in the discussion, advocates for a change in the narrative surrounding cybersecurity. He emphasizes the importance of persuading people in leadership positions to prioritize cybersecurity from the outset, rather than treating it as an afterthought.
The protection of the routing infrastructure is now considered critical for national security by the United States government. Government officials are actively discussing routing security principles and the use of technical terms such as RPKI (Resource Public Key Infrastructure) and ROA (Route Origin Authorization). There is an intention to leverage government power to enforce regulations and ensure the secure functioning of the routing infrastructure.
If organizations do not voluntarily adopt internet security standards, the government may impose regulations on them. This highlights the importance of voluntary adoption and proactive implementation of security measures within organizations.
Government procurement is identified as a potential game-changer for the deployment of secure internet design standards. De Natris suggests that if regulation is avoided, procurement can be a powerful tool for promoting security standards.
IS3C aims to hand over knowledge and tools for cybersecurity, with the responsibility of implementation and deployment lying with respective countries. Their work has broader implications beyond internet standards, as they also focus on emerging technologies such as artificial intelligence, quantum computing, and the metaverse. This broad scope aligns with the Sustainable Development Goals and the need for global cooperation.
In the area of Internet of Things (IoT) security, there is an opportunity to enhance security through the adoption of open standards. The existing policies on IoT security across the globe are predominantly voluntary, necessitating a global transformation in the regulatory framework.
In conclusion, a shift towards prevention in cybersecurity and the prioritization of secure-by-design procurement are imperative. The implementation of internet standards and the proactive adoption of security measures are crucial to mitigate vulnerabilities. Governmental involvement, through procurement and regulatory intervention, is necessary to promote and enforce these measures. The work of initiatives like the DNSSEC and RPKI Deployment group and IS3C contribute to transforming the narrative and addressing emerging challenges in cybersecurity.
Session transcript
Wout de Natris:
The light was on when it was off, so it’s on. And now the light is off again. Okay, so it’s on. Welcome to this session on IS3C’s presentation on procurement, government procurement and supply chain management. What you saw online almost doesn’t exist anymore in the invitation because the people there are not here and not able to be present online. So we changed it around a little bit, but not a lot. My name is Wout de Natris and I am the coordinator of the IGF Dynamic Coalition on Internet Standards, Security and Safety Coalition, IS3C. And we’ve been around since the virtual IGF of 2020. We announced an idea there and then we had to find people, funding, et cetera to start working. On my left side is our senior policy advisor, Mark Carvell. He is our online moderator today. And on my right side is David Huberman of ICANN and together with Basia Gosselin sitting there, they’re the chair and vice chair of our working group on DNSSEC and RPKI deployment and why that is relevant we’ll explain in a little while. When we got to 2021 in Katowice, we were able to present a real plan. We introduced three working groups, one on IoT security by design, one on procurement and supply chain management and one on education and skills. In 2022 in Addis, we presented our first report by the education and skills working group, which is having their session right now, which I had to run out of to moderate two sessions at the same time, which as you see is impossible. Luckily, the chair of education skills, Janice Richardson took over, but what you can see what as IS3C we try to do, we don’t try just to produce a report. Or an idea, we want to try to translate it into actions and to something tangible. And that is in line with what the Secretary General of the UN is striving for, to have the IGF come up with tangible outcomes. In that room right now, room E, the idea of a cybersecurity hub is introduced. It’s again a concept, an idea, it doesn’t exist yet.
But the idea is to, in that hub, translate the outcomes of the education skills working group into something that universities and industry together could start working on to make sure that the knowledge gap between supply and demand in education is somehow solved. So that is what is happening today here as well at the IGF. We are here for a different reason. And I’ll put on my glasses to be able to read a little bit. This is on procurement. And why procurement? In the first place, because in our opinion, when we talk about cybersecurity, you always see that it’s about mitigation. It’s always about having to buy antivirus, something to have a firewall installed to have a cybersecurity institute or CSIRT or CERT as a government or a big organization. But that is all after you got into trouble. The internet runs on internet standards created by the technical community. And these standards were created somewhere in the late 1960s up to, let’s say, 2000. In that time period, it was not necessary to think about security. And that’s literally what Vint Cerf says nowadays. If we had known where this beast would go to based on something they created in 1972, then we would have done it differently. Well, we discussed it for about two seconds and then thought, well, we know everybody who’s connected, so why do we need security? And 20 years later, slowly but surely, the whole world started to come online. And we all know what sort of problems we run into. But David will tell you about that more eloquently than I could ever do in English, and even with the knowledge I have compared to what he has. So why procurement? If governments would start procuring secure by design, it would mean that they would demand these internet standards to be in place when they buy, when they buy software, that it’s tested software and not something that just comes off a shelf without knowing what it is. 
When you create a website that you created, you build it according to the latest standards of security, and not something that has holes in it all over. So on procurement, we started this working group in 2020, the idea. To my surprise, we found that there’s very little interest, couldn’t find the funding, we couldn’t find the people, except one person said, I want to share this. And she wrote a whole program and we had to wait for two years until we found funding from the RIPE organization, the RIPE Community Fund. And that research started this year in January, February, and we’re able to present our report here at the IGF on Tuesday. So the research done by Mallory Nodal and Lisa Rembo, who are supposed to be here, but could not be here because they’re traveling. But what it shows, this research, is that there’s very little publicly available procurement documents online. I think they found 11 from 11 countries. We asked around, they found three more. We could not find anything in the public sector. And we asked thousands of people, could you share, even if it’s anonymized, something with us so that we can do a global study? So if it’s not there, and that’s the caveat we have to make, is that is it because there is nothing or is it because it’s behind bars somewhere where nobody’s allowed to look at? But the ones that we could study shows an awful lot. Most of them don’t mention security in any way. When they mention security, it’s not cyber security. And if it’s cyber security, then it’s not about these sort of standards, but on the mitigation side and not on the prevention side. We have one exception that we found in the room. That is Annemiek there; the Dutch government has the procurement list of, I think, 46 or 43 standards that are all but mandatory to deploy. And that’s the only one that we could find in the whole world.
The Dutch government also developed something called internet.nl, which allows you to check if your organization or another organization has any security in place for the domain name, for routing, for etc. So that is what the situation is. The report will be presented on Tuesday in our own dynamic coalition session and an open forum again with the forum standardization from the Netherlands on Thursday. So we have found very little documents on government procurement and none from the private sector. So can we draw very firm conclusions? The answer is no, because perhaps there is a lot more in the world, just we’re not able to access it. But can we draw some conclusions anyway? And I think that the answer is yes, we can. Because it’s quite obvious, as I said, that Internet standards are not recognised. And I think that that is something that is important to understand. The Internet runs on Internet standards. And if we talk about the public core of the Internet, and defending the public core of the Internet, then it’s not only about the physical cables, but also on the standards that make that Internet run. And if they’re allowed to be attacked 24 hours a day by everybody who feels like attacking it and abusing it and misusing it, then it is a question, why are governments not recognising these open standards in one way or another? So I think that that is an important conclusion, that despite discussions on defending the public core, the public core is not recognised for what it is. So how do we make sure that that happens? I think that there is, in other words, a world of security to win for everybody. But we have to stop talking about prevention only. Sorry, about mitigation only. We have to start talking about prevention. And the fastest way to do that, in our opinion, is procurement. 
But then the next step is, how do we convince people in decision-taking positions to actually procure secure by design, and actually renegotiate a contract at the moment that renegotiates your job, that you bring in these sort of standards. And that is one of the working groups that we are starting this year, and it is called DNSSEC and RPKI Deployment. But it goes, in the end, for everything on internet standards. But we took two examples. But we don’t start talking about it in the way that it has been spoken about for about 20 years. We’re going to try to change the narrative. And I think that I will give the microphone to David in a few minutes. What we’d like from this session is that I’ve said about everything that I wanted to say about this topic. What we’d like to learn from you is what is your experience? What are your ideas? What would you, how could you contribute to this discussion? And from there, see what we can go home with. As I said, we’re introducing this concept of a cybersecurity hub. How can we actually activate it? How can we make sure the right people start working together there from the different stakeholder groups and come up with tangible ideas that are translatable either in direct programs or in capacity building programs or whatever we like to call it. But the fact is that something needs to change because the discussion is running in the same direction for a long, long time without very noticeable changes. So how to convince decision-takers by design? And I think that that is the starting point of our working group on DNSSEC and RPKI deployment. So, David, I’m going to hand over to you right now to explain what your plans are.
David Huberman:
Thank you, Al. Good afternoon, everybody. My name is David Huberman, and I’m with ICANN. When one of the things we’re trying to get people to understand is when they pick up their device and they watch a TikTok video or they send an email or even if they’re involved in a chat, a group chat or on WhatsApp or Line or just SMS, a lot of people think, well, that’s the internet. But it’s not. Those are applications on the internet. In fact, they run on a whole system of routers and servers and switches and firewalls, all of which are the underlying framework that we use these applications. This system of framework, however, is built on common protocols, and there are two protocols that stand as the foundation for almost all of the modern Internet. One of them is called BGP, Border Gateway Protocol, and it’s the system of routing, how networks talk to each other. And the other is the DNS, the Domain Name System, which is used as a backbone of communication so that we can use semantic names that we as humans understand to translate into the IP addresses that computers understand. Now, as Wout noted in his conversation with Vint Cerf, BGP and DNS are very old protocols. BGP, the version we’re using now, was standardized in 1995, and DNS is even older than that. It comes from November 1983. It’s going to turn 40 years old next month. And when we developed these protocols, the intention was to get them just to work. We just wanted to be able to push packets to and from networks. Did you get it? Did it come back? Yay, it worked. And what’s nice about these protocols is they scale. The reason we’re still using them 30 and 40 years later is because they scale infinitely. But as Wout noted, they weren’t built with security in mind whatsoever. So over the last 20 years, what the IETF, the Internet Engineering Task Force, has been doing has been redeveloping these, bolting on security.
And for BGP, one of the primary drivers today of routing security is a new system called RPKI, Routing Public Key Infrastructure. And essentially, it allows providers to talk to each other but authenticate the origins of routing information. This has a lot of benefits. It benefits us against malicious hijacks of routes. It benefits against accidental misconfigurations. And hopefully it can help prevent IP spoofing and other things that attackers use to do bad things. DNS has a similar suite of security tools that we call DNSSEC. And DNSSEC is very important because when you go to a website, when you go to www.un.org, we want to ensure that the data that you receive back is actually the data that the people who run un.org intended you to have. So DNSSEC allows for you to assure the integrity of the DNS queries and the data that you’re receiving back. These security enhancements to these two fundamental protocols can significantly increase the security posture of the entire Internet ecosystem for all users in the world. But yet, the adoption of DNSSEC is at about 25% of all the domain names. And RPKI, while it enjoys much fuller deployment, especially in the ISPs around the world, we’re still working on increasing the deployment to all of the networks that participate in the global routing system to get them to digitally sign their routes so that everybody else can validate them. So how do we increase penetration? How do we increase this deployment? This is what one of the newest working groups of IS3C is working on. We’ve put together a panel of world-class experts, and we are developing a new narrative that we’re going to test against decision-makers at ISPs, decision-makers in public policy, and decision-makers in network operations to help motivate them to increase the deployment of these very secure protocols that in 2023 ought to be a baseline standard that everybody adopts.
Wout de Natris:
Thank you, David. Perhaps, Annemiek, that you would like to say in a few lines what exactly is what the Dutch government is doing. Sorry, the… You’re done. Thank you very much. Thank you very much.
Annemiek (Dutch government):
The Dutch government is using a comply or explain list for ICT services and on that list there are about 40 standards, open standards, including general standards but also specific 15, for instance, internet safety standards. They should be used in ICT services. And we have a process of organising that. That means maintainers can tell which standard should be on that list and we organise with experts from all Netherlands to see which standards should be on that list. And those open standards are mandated, and we suggest them. So we cannot, how do you say that, give penalties if they don’t use them, but we just suggest those standards. And if they use them in their services, we name them, so we’re not shaming them, but we’re naming them in order to adopt standards more positively, more increasingly. Besides that comply or explain list, we monitor. So we’re monitoring those standards, especially in procurement. And so all the tenders in Holland, in the Netherlands, we do for ICT services by the government. We research, we have researched, and if there are any standards not used in the procurement, in the tender, then they should explain it in their annual report. Monitoring is very positive for adoption of open standards, because twice a year we monitor the special internet safety standards, and we offer that to the parliament, actually. First it goes to the Ministry of Internal Affairs, and we say, oh, you’re doing well, or you’re doing not so well, you have to increase. And we use the tool Wout mentioned, internet.nl, which is very sufficient to measure this. And we publish the figures, so it’s more like naming and a little bit of shaming. And in addition, we have community, we encourage community. So we use this internet.nl tool in order to get in the discussion with large suppliers. For instance, Microsoft.
using DANE, the open standard DANE, and the Netherlands, it turns out that it’s not used, as you know, as you might know, and in discussion with Microsoft, we, for instance, that’s one of the suppliers, we found out that they are open for discussion, and they will change their email server with DANE, and that is a very nice announcement. Coming year, they will also do the fully DANE execution, I understood. So, therefore, we use internet.nl for community, and getting cooperation with other suppliers, and that is very nice to have. So, those are the three points, mandate, monitoring, and community. Thank you.
Wout de Natris:
Thank you, Annemiek, sorry for putting you on the spot, but I think it’s a nice explanation of what you hear, and if you are online, and you go to internet.nl, just type in any domain name that you can think of, and you will see the results popping up within a few seconds. David wants to respond first.
David Huberman:
Thank you. So, what the Dutch government is doing with this is an exemplar of a really nice way for government and public policy to integrate with the world of internet standards, which is primarily an engineering-based endeavor. It’s interesting, we are here today, those of us in the room are here in Kyoto, and for those of us who aren’t from this beautiful country, there’s something we all have in common right now. We all have brought along with us these little travel adapters that we use when we want to charge our devices. Why? Because the shape and the voltages of the plugs in Japan are not the same as the shape or the voltages that we use in our home countries. And why is that? Because we have a set of standards for some countries and a different set of standards for other countries and other standards for other countries. We have lots of standards, but no global standard. In my wallet right now, you’ll find Japanese yen, you’ll find euros and you’ll find American dollars, but it’s funny because they all do the same thing: I hand them over to someone when I want to buy something from them. The purpose of currency in 2023 is very straightforward.
I give, you sell, I give. It’s the same purpose around the world, but we use different currency. In Japan we drive on the left side of the road and our steering wheel is on the right side of the car. In other countries we drive on the right side of the road with the steering wheel on the left side of the car. That’s not only challenging for those of us as drivers, it’s also challenging for the manufacturers of those vehicles, because they have to have a whole different set of standards for safety and for operation when the steering wheel is on a different side of the car. Internet standards don’t work like that. Internet standards, from the beginning, from 1969 with RFC 1 through today in 2023, we have almost 10,000 published standards. Internet standards are intended to be fully interoperable all around the world. Whether you are in China, whether in Kenya, whether you’re in Paraguay, whether you’re in Iceland, no matter where you are in the world, if you’re online on the Internet, we’re all using the same standards. And that’s really important, because it allows for a fully interoperable, fully global Internet that, in itself, enables innovation. It’s because it works everywhere that people are able to develop applications and platforms and do amazing things, because it works the same way no matter where you are. And this is where the Dutch government, and this is where other governments can really show leadership, because in the development of those standards, it’s 2023, the Internet’s everywhere in the world, it’s not 1969 anymore. We can’t develop these in a vacuum. We can’t just develop these as pure engineering exercises. Instead, we have to think about the real-world implications of new technologies, the implications of new protocols and protocol development.
And so, here at IGF this week, I am strongly encouraging governments, parliamentarians, public policy, civil society, to become involved in Internet standards development, to offer your expertise to the development process, while at the same time understanding and respecting that so much of what we’ve created is due to it being an engineering-driven endeavor, and the engineers are the true experts in how to do this. So, it’s a real commendation. It speaks very well of the Dutch government. Internet.nl is a wonderful site that works really well, helping your organization understand where you sit in this world of standards. That’s about what I wanted to share.
Wout de Natris:
Well, thank you, David. I’ll just pause for a second. So, thank you very much. I think that from this side of the table, that is what we wanted to share with you. So, I think you now understand what the IS3C is about, what we try to achieve, but also what we try to achieve in the near future. For now, we would like to learn from you: how does this concept come across? Does it make sense? We would also like to know, do you know about any of the procurement schemes in your country or your organization? But also to discuss a little the plans that David, together with Bastiaan, has to change the narrative of how to convince people in leadership to really think about cybersecurity upfront and not as an issue that pops up after you bought something. So the mic is there in the middle of the room. I can also pass a mic around. I think the first question is, having heard this, how does it come across? What do you think of this plan? Does it make sense? Would you do it differently yourself? Just anything that you’d like to share with us that we can learn from. So the microphone is there. Just introduce yourself first, please. And then just share your thoughts with us, please.
Audience:
Hi, Jan. Hi. Okay, it’s on. Perfect. Viet Vu from Toronto Metropolitan University in Toronto, Canada. This is actually opportune timing because literally about two weeks ago, I just published a paper on the Canadian government’s digital adoption. And a couple of things on how that lands with what we’ve discussed so far. The first thing is that the incredible thing about the Canadian government is that not only is there no standard in procurement, there isn’t a single set of standards that the same government department uses. And the problem becomes even more complex when you go down to the provincial level, which is the second level of governance in Canada; it goes federal and provincial. Think of US states or prefectures in Japan. Each of them actually has their own legislation that governs privacy, that governs digital communications. And so that creates a challenge. Now, in terms of what we think might work, or the key part that has prevented, let’s say, the conversation of digital from sort of surfacing to the top: it is very much just the fact that there really isn’t anyone who is actually empowered to raise those issues. The Canadian government recently created Canadian Digital Services, which was this out-of-government group that is there to deliver government services in-house, kind of. They’re the first time that the government has done so, but at the assistant deputy minister level, which is sort of the minister, deputy minister, and assistant deputy minister; that’s why you kind of need the people who are kind of empowered to raise the issue of digital, and there just isn’t any. And so, in terms of the Canadian context, the one person you probably want to talk to is a senator, Colin Deacon; he’s been sort of spearheading a lot of legislative framework. I can put you in contact with him after the session if that’s of interest. This will be a short follow-up question. How has your report landed? Have you got any response from the government side, or is it still university?
It’s a great question. It landed really well, actually. I did a couple of radio rounds, literally, before boarding the plane to Kyoto. It was 9 a.m., I was actually giving a panel talk on the topic, and then 3 p.m. I was on my flight here. Once I’m back, in November, we’re actually delivering a workshop to sort of high-level decision-makers. So, we’re talking deputy minister, assistant deputy minister, and director generals within those three hierarchies in Ottawa in November, particularly on thinking about policy solutions. So, we know that the general topic lands well right now with them. Well, congratulations, and I think your invitation to introduce us, I think that would be very much welcome.
Wout de Natris:
Thank you. Any other ideas in the room, how this lands, Bastiaan and the lady there? Yeah. So, you can stand in line.
Audience:
Hello, my name is Gonalea Sprink, chairing the Internet Society Accessibility Standing Group. And accessibility in this respect talks about accessibility for persons with disability. And we know that there’s a number of countries who have looked at public procurement for accessible digital goods and services. And there are standards in the U.S. and in the EU, and that have been adopted in countries like Australia and India and Kenya. And then it’s, of course, this common issue of implementation. So I was very interested in the Dutch initiative, and we found in Australia, for example, that when it comes to web accessibility and procurement by governments, there was a monitoring system. And then there wasn’t funding enough to continue it. And that’s what we’re hoping, that other countries and systems will be able to continue that type of implementation of a policy. And I should also mention here that in the EU, there’s an Accessibility Act, which is going to be a directive for all EU countries to ensure that any supplier to a European country should have accessibility built in to those digital products. And that’s supposed to be mandatory. So we will see how those sort of systems work. And it will be very interesting to see how that intersects with what we’re talking about here today. Thank you.
Annemiek (Dutch government):
That’s also interesting, because in Holland, in the Netherlands, we also develop dashboards, including internet.nl, for accessibility purposes. So follow the Dutch government in that way and you might be using the dashboard in the future as well. And internet.nl is integrated into the dashboard. So, nice to hear.
Audience:
No, no problem at all. I have a question for you, actually. From the RIPE NCC. Together with ICANN, working in a new working group to improve, you know, to see to it that adoption of techniques like DNSSEC and RPKI is moved forward. And I’m really happy, you know, with, I’m Dutch, so maybe I’m prejudiced, but I’m really happy and even proud, you know, of what the Dutch public authorities and government are doing here. So all kudos to the Dutch forum for standardization. I just wondered, Annemiek, maybe you can share more there. In terms of what the Dutch are doing, right, and the policies that are underlying this and the reasons why you guys set the list there for comply-or-explain, or even mandating, you know, the usage of certain tools. Is there information with regard, you know, to the underlying policies available in English? And do you have any experiences, you know, talking with other governments, other similar agencies like yours? You know, is this being taken up, this idea? How do other people respond to this?
Annemiek (Dutch government):
You mean other governments in Europe or France? Because Denmark is also using internet.nl for their own policy. And fortunately, Australia and Brazil are also using internet.nl in their policy. So that might be, they have a different attitude to it, but yes, and you ask what kind of policies are behind the comply-or-explain list.
Audience:
I think, you know, I’m aware that as far as I know, at least internet.nl, the underlying software is open source, right? Yes, correct. People can of course adapt their own front end in their own language, right? To use a similar service, so that’s all great. But I really mean more in terms of the underlying policies, in terms of techniques, tools, standards, that in this case Dutch public authorities need to comply with. Because you think it’s important for certain reasons, right? You need to be reachable over IPv6, or your website needs to be reachable over IPv6. When you purchase certain online services, cloud or whatever, it needs to have RPKI implemented, stuff like that, right? Like the reason why you think that’s necessary to actually demand that in terms of procuring services or having public authorities comply with these type of standards. You go very fast, also for me I guess, but also for the audience.
Annemiek (Dutch government):
Well, the Dutch government also promotes the use of IPv6. And the policy, yeah, I don’t know actually what you mean by the policy behind it. Because what we do is we stimulate the adoption of those standards in order to give practical experience in the field to show that it works. So we have a carrot, let me say it like that, and people have to chunk to it in order to use it. Because in the field, the society has the advantage of it. But I do not understand the policy behind it.
Audience:
Well, maybe it’s so obvious that you don’t have a policy behind it, right? You just think it’s a good thing to do. Other countries, for instance, are not doing it. So I wondered, is there anything that you can share or help to convince them that, hey, in terms of procuring services, it would also be good to set certain requirements with standards you would have to comply with?
Annemiek (Dutch government):
Yeah, well, if tenders are executed, then in Holland they follow a special tender website. And there are CPV codes included in order to support procurement departments to request open standards. And in addition, we explain what the standards are, because most of the people in procurement are not technical. So we suggest: talk to your architect or to other colleagues in your company and get to know what technical involvement is needed for the execution, because the procurement department doesn’t know anything about ICT in order to follow these courses. It might also be an interesting adoption way. So, a suggestion.
Wout de Natris:
David, Bastiaan, you decided to sponsor this working group as well, besides leading it. What makes it so different for you to actually try and come up with a different narrative? That’s a really good question.
David Huberman:
You touched on it a lot a few moments ago when you talked about the technical education and how we’ve worked really hard as an organization to build capacity on the importance of DNSSEC and then how to actually do it. A lot of my colleagues go around the world and speak with groups of engineers who operate networks and will actually do DNSSEC signing online, real, on their computers that are in the live environment, and teach them all the skills they need to continue maintaining it. But that’s not enough, because it reaches a small group of operators, and while it helps them, it’s so much more challenging to get that message out to the much larger world for all the domain owners, and for all the operators of recursive resolvers who have to do the DNSSEC validation. So we’re really looking at this initiative as a way of, as we’ve said a few times today, changing the narrative, finding a new way of saying it, and testing it against decision makers, and saying, how does this strike you? Does this persuade you? And based on their feedback, then we can iterate again and refine it even further. And so that’s our interest in why we want to fund this and why we’re really engaged and motivated here.
Audience:
Yeah, thank you. As a regional internet registry, we’re a non-profit organization. I think it’s part of our mission to increase the trust and the reliability of the internet. And not only talking about topics like fragmentation and other things that are potentially detrimental and could have a serious effect, but even the internet as is, right? It was referred to that DNS and the routing part, they’re not directly visible. Maybe it’s the DNS and names people are familiar with, but the routing part, for most people, that’s not something they are aware of, need to be aware of. But these are fundamental to everything else that depends on it, that runs on top of it. So the security there, it’s almost unfortunate, right, that the incidents that happen, and quite a few happen, that they’re not visible in terms of actual impact that people experience and that acts as a wake-up call. So at the end of the day, if we want to remain, keep people’s trust in the entire system, right, and that it also is going to increase, then something has to be done. I think it’s really, really great what, for instance, the Dutch government is doing, right? Lead by example, but there might even come a point, especially if you see in the European Union, the amount of legislation affecting the infrastructure and the ecosystem is enormous. If at some point the perception will really be there that this is a market failure and people are not getting their act together, then it will be regulated. And we have all the tools available, everything available to do it ourselves, right? Technically, the standards have been there for a long time. All the tools used, for instance, to, on the one hand, do the authorization part with us: you have to actually sign your IP addresses and associate them with an autonomous system number, right? Who is actually allowed to originate certain prefixes. That is a very easy portal to use.
On the other hand, the validating part, the software that you actually use to check the announcements you receive to see whether they’re valid or not, that’s actually at a very mature state. So everything is there. So why is it not being picked up? I think in terms of the originating part, like people signing resources, I think we’re at like 40% globally, and then it really differs per region or per country, which is good, but we need to step up here. And people think it’s either really, really technical, complex to implement. And I understand if you have a huge network with an enormous amount of routers and others that you depend on and customers you have. I’m not saying it’s trivial, but for an average network engineer who takes her or his job seriously, it’s not that much of a challenge. People think it’s really expensive to implement. Well, certainly with a project there are costs involved, but if it’s about the underlying, what your services, how people experience your online services, more and more services are provided online, how people actually experience those, this is fundamental, right? That people need to know that if I aim to contact someone or try to reach certain content, that I’m actually reaching the place I wanna be at. It seems a given, but looking again, as was mentioned, the protocols are ancient and this needs to be improved. So I think we have work there to do to actually gain the stories, right? And to actually convince people, hey, this is not so hard. And there is so much material available. Like Annemiek just said, we provide courses to people. We do it, everything is available free online. But if you really want like a face-to-face training with a trainer, et cetera, normally there are costs involved, but we can organize stuff. We’ve been really effective, especially in the Middle Eastern region, to get people in a room. So both the regulators, the operators, and just go through the whole thing and actually have people sign resources.
Especially if you have only maybe one incumbent or like two operators in a country, if people start signing their resources, there’s an enormous uptake in adoption. And we do the same at Peering Forum, other meetings we organize. We have like ROA signing parties. We get people in a room, right, and actually demonstrate how relatively trivial it is, especially for network engineers, to sign their resources and to look at the validation part. So we’re actually doing a lot there. And I really hope, you know, in terms of audience and storyline narrative that we can also have an impact combined with all the other stuff that we’re doing here at the IGF.
Wout de Natris:
Yeah, thank you. But Bastiaan, David, the internet works. Everything works. I’m playing devil’s advocate here. Everything works. It’s on the whole day. There’s no failure. So why should I ever do something? Why should I invest in security? It works, right?
Audience:
Well, maybe that’s something else that we need to be more focused on. I mentioned the fact that the real impact of incidents is not sufficiently visible. But for individual networks, I think the same goes for the Dutch government. What triggered the whole thing was IP address space of the Dutch Ministry of Foreign Affairs being hijacked. And that was a wake-up call. Not a good one, obviously. But if those type of stories, right, we can demonstrate to people that not wait for something to break and then, oh, I’m going to spend a lot of money and get stressful and I need to repair it. No, no, you can actually, you know, implement this in quite a reasonably simple fashion and be prepared, you know. And again, your customer’s going to benefit. You yourself are going to benefit in the long run. But yeah, maybe we also need a bit more effort in terms of maybe the shaming part, or the incidents that really had an impact and also have people share those stories and what that led them then to implement this. I don’t know if that answers your question or not.
Wout de Natris:
Yes, thank you. And I think when you mentioned the Middle East, that perhaps an explanation is in place that the RIPE NCC as a regional internet registry is literally doing Iceland and Greenland even up to Vladivostok and a lot of the Middle East. They all provide the IP addresses for that region like APNIC is doing here in Asia. Sorry?
David Huberman:
Of course. So just to build just a little bit on what Bastiaan was talking about, there’s been a sea change in the United States. This summer, I had, I’m gonna be honest with you, a fairly surreal experience when I went into a government building for our communications ministry, our Federal Communications Commission. These are the folks who regulate broadcast signals and they also regulate mobile wireless signals. So quite powerful. All the wireless providers, lots of the wireline providers, the cable companies, which a lot of the internet in the United States to all of our homes is. And it was kind of surreal because the United States government is now taking the position that routing is a matter of national security. And all of these people from like the FBI and the Department of Justice and all these law enforcement bureaucrats were getting up and talking about how we absolutely must secure the routing infrastructure of the United States of America against attacks, against misconfigurations, against hijacks. And not only were they talking about it in general terms, talking about the principles of security, they were mentioning, these are elected people who are talking. They were saying things like RPKI and ROA. They were saying things like uRPF. They were using acronyms that I didn’t think a government bureaucrat knew how to spell. And I was like, where am I? What’s going on here? But I loved it. It was great because it showed that a country, a large country, was taking seriously the need to adopt RPKI, the need to adopt validation of ROAs at a national level. And they were going to use the power of the government to force the regulated parties to do this. And to answer your question, it’s because, for them, it’s national security. Because it’s not just the mariners and their boats who are connected. It’s the military. It’s all of the government, federal, state, local. It’s our schools.
Wout de Natris:
Everything is online now. Thank you. I think that is a good example of changing the narrative. And that’s perhaps also what Bastiaan was saying. If people do not voluntarily, organizations do not voluntarily do it, the government will step in at some point. But will they literally regulate and write laws? Or will it still be a good discussion saying, guys, you really have to do this? But if then, even five years from now, nothing has happened, then probably it will become legislation. And is it something that that industry wants to avoid? Sometimes, if I’m looking at it from a negative point of view, I get the idea that they want to be regulated. Because then, there finally is a level playing field. And that is what’s missing, also missing here with the deployment of these standards. That if I deploy, it costs me money, meaning that I have to have a higher price, while the competition does not do it. And in other words, they may have more customers because of it. So that is one of the reasons that deployment on a voluntary basis may be hard. But if you don’t want to regulate, then procurement, I can’t say that enough, may actually change that. But the question then is, why are most governments not procuring secure by design? And it’s a question I simply don’t have the answer to. But the fact is that it doesn’t happen as a standard. What I would like to ask from the people present here, and get your views anyway, then I’m gonna hand the mic over to, starting with you, but then you can pass it through: what do you actually take out yourself out of this session, and how could you change the discussion perhaps in your country? Where could you ask these sort of questions? Because then you get perhaps a little bit of inspiration in your own country to change this discussion. So I’m gonna ask Annemiek to pass the, and ask your, yes, of course, if you would like to speak first, okay, of course. Please introduce yourself first.
Audience:
Actually, Samira, so I have been living in Japan for about two, three years now. Just the remark that was made, I mean, why would a country be hijacked? I mean, that’s what I would like, for example, targeted countries like the US, maybe they have like many enemies, I guess. So maybe, I’m not saying that they have, I mean, I’m just assuming. For example, Israel, maybe, I’m not sure. But when it comes to the internet, I mean, we are going to the very core of the procurement, the routing and switching and all this standardization. And so we, at the beginning also we said, yeah, the internet is similar for everyone. It’s working well also, he said. But how are we going to regulate these regulations when it comes to the countries where they don’t feel the need? For example, a normal country, which is, of course, like, for example, we’ll say Norway, very peaceful. They don’t feel the need, I guess. So it, I think it is not that, pretty much, I think what must be done is to regulate, but how well will we regulate when it comes to countries’ individual legislation, how well can we force them to use these standards if they don’t feel the need? I mean, one way where we can creep in is by educating them, right? So I feel that we need to think in a way that people are trapped. For example, if you say that you’re posting something on social media, okay? So this can cost your life, it can be a threat to your life. Of course, they will listen to that, right? So it’s similar. So I would think that it is a need of the legislature, because the U.S. is, the U.S. knows that they have, like, they have hijackers, they have people who want to creep into their network.
David Huberman:
So I think. Yeah, I mean, it’s a good point. The thing is, it’s not just about geopolitics. A lot of this is about people who want to exploit vulnerabilities to make money. And some are to create chaos. Again, not for geopolitical reasons. So one of the things that we have to do is ensure that everybody in the world, in all countries, big and small, peaceful and not peaceful, understand that vulnerabilities create opportunities. And there will always be people who want to fill that opportunity for their own purposes.
Wout de Natris:
Yes, thank you. I think that that is a very good example of what we try to. as IS3C. We cannot do that ourselves, but we can hand over knowledge and tools to actually do that. But then it’s up to countries to deploy. So my question to you was to share with what you got out of this session, and what could you do in your country to plant a little seed of knowledge on this topic. So start up front, and then go around. And please introduce yourself.
Audience:
Hello. Okay. I’m Ryan. I’m from Indonesia. It’s a bit hard, I think, for my country, because while the session ran, I just took three, I sampled two e-commerce sites in my country and one legislative website through internet.nl. None of them are signed with DNSSEC. But the e-commerce sites are signed with RPKI. I think the e-commerce sites realize the security breach to them, the threat to them. Actually, in my country, as of today, I just met our vice minister for communication and information. He just gave a speech in the main hall, and I don’t have any access to that high level. I hope, with the Netherlands, we have a long history, right? Can you please suggest something to our country to try to implement this? Because many of the decision makers aren’t even aware of this thing. The procurement, everything, the tender is always about money, not about the security, not about the people. It’s always about the money. So if the vice minister is still here, can you introduce us? I hope I can, but I think he doesn’t even know me. I understand. Don’t worry. But I hope my country will be getting better, because next year we will have our presidential election, and there are a lot of issues with IT security, all of the fake information from the generative AI things, and many people are, like, I cannot say, but many of them are doing anything to get to the position. So I hope everyone can help my country. Well, thank you. That’s a quite clear goal. Thank you for sharing. Hi.
I’m Masayuki Nakamura from Japan, and I’m a very much a beginner in this area, but about DNSSEC, the rate of DNSSEC is low, also in Japan, but the one issue is the open standards are written in English, so we have to translate them to Japanese, and we have to make them easier to read for the decision-maker, so that’s our problem, and I am a government officer, so my colleagues are trying hard at it, and I’m not in the position, but if I have a chance to get the ratio of this, so that matter, I will try to make the thing better. Thank you. Thank you very much for also eye-opening, I guess it’s not just targeting countries also, but just making solutions for the vulnerability, I think it’s a wonderful point. So I guess the key is through education, so I would like to also put myself forth and research more into these areas. I have, of course, my area is ERP systems, so I would think much more into learning these things, that there was a lot of input here. So I guess that education will drive into the countries who are not aware of it, as we all know that the internet is working, but underneath there can be catastrophic events. Of course, when we just keep things open, so when we can close the door, why would we just close it and lock it, right? So that’s what I got from this session. Thank you very much. Hello. Thank you, everyone. I’m Santosh Siddhal from Nepal. I’m Executive Director of Digital Rights Nepal. I joined the session in between, but I liked it very much, and it has opened a lot of questions. In Nepal, we recently, in early August, Nepal adopted the National Cybersecurity Policy. Before that, we had the Electronic Transaction Act, but now the government wants to bring a new cybersecurity law, and for that, they have adopted the National Cybersecurity Policy.
One of the problematic aspects of the National Cybersecurity Policy, two of the, actually two of the problematic areas is, in the consultation phase, in the draft phase, there was no mention of the National Internet Gateway. Now the government is talking about installing a National Internet Gateway without defining it, and this is targeted for, they are saying that it is for the resilient and secure internet. And another problematic area is they are also talking about the government intranet. And the third, which is also related to the procurement part, is that earlier it was not there in the draft rule, but now they are proposing that the laws relating to procurement of cybersecurity or ICT consultancy and equipment will be defined by the government, and that could be out of the bounds of the public procurement policy. So I think procurement here comes very, this is a serious issue where the government wants to kind of put the procurement process behind the curtain, what kind of consultancies, what kind of ICT equipment are being procured. And the problem is, in the least developed countries like Nepal and others, the stakeholders are not very much aware of the repercussions or the possible impact on other areas because of such kinds of laws and policies. Especially civil society organizations and media, they are also not aware of it, and it is evident from the kind of reports the civil society or the media, the public discourse we are having at this point in Nepal. So I think it is very important that we take these issues into the public discourse, and civil society organizations have a kind of very important role to make stakeholders have a kind of informed discourse about the policy proposed, possible repercussions, and at the same time its impact on the utility of the internet, and at the same time the other human rights that the internet enables.
So I think this is very important session, and I have gained a lot of insights which could be used for the public advocacy. Thank you. Okay, thank you so much for this very, very useful session and very informative for me, and I’m from the telecom carrier in Japan, NTT Communications, and we are ISP, and so we need to implement the many, many security, DNSSEC or RPKI, but it need a cost and scale. So very difficult to improve as soon as possible. But I would like to inform my company and tell this discussion and try to improve such kind of new technologies. Thank you. Hi, I’m Ichiro Mizukoshi from Japan. I’m just jumping in the middle of a session, so I’m not sure about the whole discussion. But in my humble opinion, to secure the IOST services, maybe the subscription service will help it. Because selling out the product, after the sale of the product, the repairing vulnerability for the manufacturer, it’s hard for a long period. It’s too heavy. But if it is a subscription services, they get their money to get services, so they can have a chance to repair it. That’s my opinion. So I’m Daisuke Kotani from Kyoto University. I’m a researcher, but partly I’m involved in the procurement of the university IT infrastructure. So from that perspective, the problem is the budget cost and the skill set of the engineers. So currently, unfortunately, if we request outside company to support RPKI or DNSSEC, but if such a company doesn’t have enough engineers to support so. So we cannot implement in our campus in South Korea. So education to the engineers, I think, is an important issue. Thank you. I literally thought I could skip it. Well, as I explained, in two weeks’ time, I’m going to be up in Ottawa talking to a group of sort of high-level decision makers in the federal government. Certainly, I think this conversation is going to help us design. We haven’t actually designed a workshop yet. That was a task that is up to me and one of my co-authors once I’m back from Kyoto. 
And so this does give us a really good set of ideas to do it. So thank you. Finally.
Annemiek ( Dutch government):
Finally. Thank you very much for all your stories and input. I would like to invite you to check your website or your email address on internet.nl. And if you score 100%, we give you a position in the Hall of Fame. And we always give a t-shirt, which is a real collector’s item in Holland. You can also sleep in it. Jukka-chan. And then you get a t-shirt. That’s the way we do it in Holland, in the Netherlands: tempting organizations to use those open standards and get into the Hall of Fame. But you can collect one if you would like to try. After the session, you can check it. Thank you.
Wout de Natris:
Thank you. And thank you all for sharing your ideas with us. We’re getting close to the end of this session; we have a few minutes left. But what I would like to say is that, also from what you’ve said, it seems there is literally a world to win. Because if you are able to convince the people you work with that this is an important topic, and use the right arguments, then probably things will change. And that is what we’re going to strive for. What can you expect from IS3C? The first thing I would like to do is to invite you to come to our session on Tuesday at 10.30 in Working Group J, the room next to this one. What we will do there is present three reports. The first is a global comparison of national policy on Internet of Things security. And just to give a very little hint: there isn’t very much to find in the regulatory way. It’s all voluntary. So that is one. The second that we will be presenting is on procurement, and, as we already understood from the session today, it is also a global policy comparison showing what the level of procurement by governments is at this point in time. The third report, I’m not sure if we’re going to be able to present it, because the lady who was supposed to give the presentation cancelled at the last moment, and the report is not available yet, I understood. We made that together with the United Nations, with UNDESA, and the launch did not go through, I understand, this August somewhere in China. So it’s not online yet. We’ll try and say something about it. We’re also going to present a tool: the comply-and-explain list is getting a global translation, as you could call it, in that a team of experts has come together and made a choice on three topics. One is the categories of standards, the other is the scope of the list, and the third one is the individual standards that go underneath this list.
What is going to be announced is an open consultation, so anybody in the world who has an opinion on the scope, on the categories, or on the standards is allowed to share their comments in a Google Doc, so that we can make a better-informed decision on what is going to be in this list. Next we will have the presentation that David more or less gave, to announce the working group on the narrative on DNSSEC and RPKI, and finally we’ll be announcing a working group on emerging technologies. So the idea is that in the coming year we will be doing a global policy comparison on artificial intelligence, and later perhaps on quantum computing and on the metaverse. But what we also do is try to see our relevance to the Sustainable Development Goals. So how is the work that we are actually developing at this point in time able to make the world better as a whole, and not just on the topic of internet standards? And what was happening in the other room, which is also stopping at this point, almost, is that we have a short synopsis of the cybersecurity hub and the plan that we have there. So in other words, we’ll be presenting a lot of the work that we’ve been doing in the past year. So you’re invited to come there. If you’re interested in learning more about what we do, you can join through the IGF. If you go to the Dynamic Coalitions and look at the Internet Standards Security Safety Coalition, you can sign up for the e-mail list, and you will not get a million e-mails every day. But when we have a working group that is starting or has its own meeting, you can get an invitation to join. And if you’re interested in working with us, that’s also an option that we look at for people who are voluntarily willing to chip in a little bit on this work. So we have our own website, that is the IS3, the number three, coalition.org, and that’s where we publish all our reports. And on the 10th, all the new reports will be able to be downloaded from there.
So I think that that is all I want to say. I’m looking at the panel. Mark, have you made any observations that you would like to share with us from listening? And I haven’t heard anybody online, so I think this.
Mark Carvell:
Thank you, Bart. I’ve been following on the Zoom link and online, though no comments or reactions have come through the chat room in the Zoom link. But I think the key message from this session, I think, is very important: that procurement and supply chain management really do have major contributions to make in driving the adoption of critical security-related standards and routing protocols and so on. So that’s a very important message, and I really appreciate, for me personally, that there are comments here that there’s a lot of valuable information that the IS3C coalition is collating, and we need to build on that with more contributions and more experiences from other countries. I’m thinking in particular of my own country, the UK. When I was working for the UK government, the issue of procurement, really, of network services and equipment, never really came up as an internal policy issue. But every now and again there were these massive security failures online, which did get a lot of media coverage. But then again, you never hear the consequences of those data breaches, whether they affect the police forces, as was recently the case in Northern Ireland, or financial services. You hear about these headline-grabbing incidents, but you never hear what the follow-on from them was in terms of ensuring that these things don’t happen again. But I think this coalition does provide a channel for distributing that kind of important information. Those are my reflections. Back to you.
Wout de Natris:
Thank you, Mark. David, any last words? No? Then, with that, I will let you go, and we’ll be well in time for the people who come next to prepare. Thank you very much for your contributions and your insights, because that’s something that we are going to take home. Thank you for all the technical work. Thank you, Mark, for the online moderation. And with that, I wish you a very good IGF, and hope to see you again soon. Bye-bye. Bye-bye. Thank you. Thank you. Thank you.
Speakers
Annemiek ( Dutch government)
Speech speed
124 words per minute
Speech length
922 words
Speech time
447 secs
Arguments
The Dutch government is using a comply or explain list for ICT services which includes about 40 open standards, including general and specific standards like internet safety.
Supporting facts:
- Maintainers can suggest which standards should be included in the list.
- The process is organized with experts from all over the Netherlands.
- Although mandated, there are no penalties for not utilizing the standards, instead they are suggested for use in services.
Topics: Comply or Explain List, ICT Services, Open Standards, Internet Safety
The government monitors the utilization of these standards, especially in procurement, and reports on their adoption rates.
Supporting facts:
- Monitoring reports are submitted to the Ministry of Internal Affairs and then to the Parliament.
- Tenders failing to use any listed standard need to explain why in their annual report.
- The internet.nl tool is used for monitoring.
Topics: Standard Monitoring, Procurement, Adoption Rates
The government encourages community collaboration in adopting these standards and is open to discussion with major suppliers.
Supporting facts:
- The internet.nl tool is used to engage in discussions with suppliers.
- Microsoft, one of the suppliers, has shown openness to discussions and plans to implement the open standard DANE in their email servers.
Topics: Community Collaboration, Supplier Communication
The Dutch government is developing dashboards including internet.nl for accessibility purposes
Supporting facts:
- The Dutch government is integrating internet.nl into the dashboard
Topics: Digital Accessibility, Internet.nl Dashboard, Public Procurement
The Dutch government promotes the use of IPv6
Supporting facts:
- The Dutch government believe the society can benefit from the adoption of these standards
Topics: IPv6, Government Policies
The Dutch government uses a special tender website for procurements, using CPV codes to support open standards
Supporting facts:
- Tenders in Holland follow a special tender website
- CPV codes are included in these tenders
Topics: Dutch Government, Procurement, Open Standards
Incentivizing organizations to use open standards
Supporting facts:
- The Netherlands employs a Hall of Fame and rewarding organizations with t-shirts for scoring 100% on internet.nl, thus implementing all open standards.
Topics: Open standards, Online security
Report
The Dutch government has implemented a comply or explain list for ICT services, which includes approximately 40 open standards, including specific standards such as internet safety. Maintainers suggest which standards should be included in the list. Although the use of these standards is mandatory, there are no penalties for non-compliance; instead, they are recommended for use in services.
To ensure the adoption of these standards, the government actively monitors their utilization, particularly in procurement. Monitoring reports are submitted to the Ministry of Internal Affairs and then to Parliament. Tenders that fail to use any listed standard need to explain why in their annual report.
The internet.nl tool is used for monitoring purposes. Furthermore, the government encourages community collaboration and engages with major suppliers. The internet.nl tool is used to facilitate discussions, and Microsoft, one of the suppliers, has shown openness to discussions and plans to implement the open standard DANE in their email servers.
Regarding accessibility, the Dutch government is developing dashboards that integrate internet.nl for accessibility purposes. This demonstrates the government’s commitment to digital accessibility and reducing inequalities. Additionally, the Dutch government advocates for the adoption of their developed dashboard system for digital accessibility, encouraging other countries to follow their lead.
The government also promotes the use of IPv6, recognizing the societal benefits it can bring. Rather than enforcing rules, the government emphasizes practical application and experience in the field. They adopt a stimulating approach to encourage the use of standards.
In procurement processes, the Dutch government uses a special tender website that supports open standards. This website includes CPV codes to support the procurement of goods and services adhering to these standards. Raising awareness and understanding among procurement departments about the technical aspects of standards is considered crucial.
The procurement department needs to communicate with the architecture or other employees to understand the technical details, as most procurement departments lack technical knowledge. The government also advocates for online security through the implementation of open standards. They employ the internet.nl tool to verify the application of open standards in organizations.
To incentivize organizations to use open standards, the Dutch government operates a Hall of Fame. Organizations that score 100% on internet.nl, fully implementing all open standards, are rewarded with t-shirts. In conclusion, the Dutch government has taken significant steps to promote the adoption of open standards in various sectors.
Their comply or explain list, monitoring initiatives, community collaboration, and emphasis on practical application demonstrate their commitment to industry innovation and infrastructure. By developing dashboards for accessibility, encouraging other countries to follow their lead, and supporting online security, the Dutch government strives for a more inclusive and secure digital environment.
Audience
Speech speed
170 words per minute
Speech length
4144 words
Speech time
1466 secs
Arguments
The Canadian government lacks a consistent standard in procurement
Supporting facts:
- Not only is there no standard in procurement, there isn’t a single set of standards that the same government department uses
- Each province in Canada has their own legislation that governs privacy, digital communications.
Topics: Digital Adoption, Government Procurement, Digital Standards
There’s no one empowered to raise digital issues in the Canadian government
Supporting facts:
- There really isn’t anyone who is actually empowered to raise such issues
Topics: Government Oversight, Digital Transformation
There’s a potential for legislative change in Canada
Supporting facts:
- Canadian senator, Colin Deacon, has been spearheading a lot of legislative framework
Topics: Government Legislation, Digital Policy
Public procurement for accessible digital goods and services is a topic being adopted by several countries for the inclusion of persons with disabilities
Supporting facts:
- Standards exist in the US and EU for accessibility procurement, which have been adopted in countries like Australia, India and Kenya
- In the EU, there’s an Accessibility Act that requires any supplier to a European country to build accessibility into digital products
- Despite the existence of a monitoring system for web accessibility in government procurement in Australia, it was ceased due to lack of funding
Topics: public procurement, web accessibility, digital goods and services, Accessibility Act, directive
The Dutch are developing dashboards like internet.nl for accessibility purposes.
Supporting facts:
- internet.nl is integrated into the dashboard.
Topics: Internet Accessibility, Dutch Government Initiatives
RIPE NCC and ICANN are working in a new working group to improve adoption of techniques like DNSSEC and RPKI
Topics: DNSSEC, RPKI, Cybersecurity
Internet.nl is used by various governments like Denmark, Australia, and Brazil for their policy.
Supporting facts:
- Denmark, Australia, and Brazil are using internet.nl in their policy.
Topics: Internet.nl, Government Policy, Open Source
Internet.nl underlying software is open source and can be adapted in any language.
Supporting facts:
- As far as the audience knows, Internet.nl, the underlying software is open source.
Topics: Internet.nl, Open Source Software
The Dutch government promotes the use of IPv6 and fosters its adoption by setting standards
Supporting facts:
- The Dutch government uses a ‘carrot’ approach to stimulate adoption
- Their goal is to provide practical experience and show that IPv6 works
Topics: Technology, Internet Protocol, Government Regulation
Upgrading DNSSEC and network education are important values for an organization.
Supporting facts:
- David Huberman’s team travels around the world to provide real-time training with DNSSEC.
- The aim of the initiative is to change the narrative and present the importance of DNSSEC to decision makers.
Topics: DNSSEC, Technical Education, Network Security
Internet security is fundamental to ensure trust and reliability.
Supporting facts:
- The invisibility of DNS and routing incidents doesn’t cause a visible impact for users, removing the urgency for a wake-up call.
- Government regulations might step in if market failure is perceived in maintaining internet security.
Topics: Internet Security, Trust, Reliability
Existing solutions for internet security are ready and sufficient, but adoption is slow.
Supporting facts:
- Tools and standards for authorization and validation of IP addresses with an autonomous system number are mature and easy to use.
- Around 40% of resources are signed globally, but the percentage varies by region or country.
Topics: Internet Security, DNSSEC Operations, RIR
Internet security is important because despite the reliability and efficiency, failing to secure networks can lead to catastrophic effects.
Supporting facts:
- The hijack of the IP address space of the Dutch Ministry of Foreign Affairs triggered a wake-up call.
- Proactive implementation can help prevent such issues.
Topics: Internet Security, Network Protection
Some countries may not feel the need to implement security regulations if they don’t perceive themselves as targets
Supporting facts:
- Countries like Norway who are generally peaceful may not feel the need to implement these security regulations
Topics: Internet regulation, Security, International perception
Education could be the entry point for introducing these security standards
Supporting facts:
- Highlighting potential threat to individual’s life could make people more receptive to these security standards
Topics: Internet security, Education
Countries need to implement security measures like DNSSEC and RPKI on their e-commerce platforms
Supporting facts:
- All sampled e-commerce sites from Indonesia had not signed their domains with DNSSEC
- The e-commerce sites did have RPKI coverage, indicating they recognise the security threats
Topics: Cybersecurity, E-commerce
Many decision makers are unaware of these security issues; emphasis is put on money over security
Supporting facts:
- Speaker has no access to high-level decision makers like the vice minister. The decision-making process seems to prioritize financial aspects over security
Topics: Cybersecurity, Government policy
Open security standards are written in English, posing a barrier for non-English speakers
Supporting facts:
- For example, in Japan, these standards need to be translated for decision-makers
Topics: Language barrier, Open security standards
Countries such as Nepal are adopting National Cybersecurity Policies without sufficient stakeholder inclusion
Supporting facts:
- Nepal adopted a National Cybersecurity Policy in early August, but there are concerns about the lack of transparency, especially in relation to procurement of cybersecurity or ICT consultancy and equipment
Topics: Stakeholder inclusion, Cybersecurity policy
Education and involvement of civil society organizations are crucial for cybersecurity
Supporting facts:
- Civil society organizations have an important role to play in ensuring informed discourse on the policy proposal
Topics: Education, Civil society involvement, Cybersecurity
Implementation of new security technologies requires cost and scale, often a challenge for telecom carriers
Supporting facts:
- NTT Communications, a telecom carrier in Japan, finds it difficult to implement technologies like DNSSEC or RPKI due to costs and scaling requirement
Topics: Telecommunications, Cybersecurity
Subscription services could help address cybersecurity issues by providing a steady source of funding for updates and repairs
Supporting facts:
- Subscription services provide a continuing income for service providers, allowing for ongoing security improvements
Topics: Subscription services, Cybersecurity
A lack of skilled engineers can impede the implementation of cybersecurity measures
Supporting facts:
- Kyoto University, for example, cannot implement certain security measures because outside companies lack the necessary skilled engineers
Topics: Engineering, Cybersecurity
Report
The analysis of the provided data reveals several key points regarding the government’s adoption of digital standards and the implementation of cybersecurity measures in Canada and the Netherlands, as well as the importance of accessibility in public procurement. One of the main findings is that the Canadian government lacks a consistent standard in procurement, leading to negative sentiment among the audience.
The absence of a single set of standards used by the same government department is a significant drawback. Additionally, each province in Canada has its own legislation governing privacy and digital communications, further contributing to inconsistency in the procurement process.
On the other hand, there is a potential for legislative change in Canada, as Senator Colin Deacon has been spearheading various legislative frameworks. This development is viewed positively by the audience, as it could lead to improved standards and practices in digital adoption within the government.
In terms of accessibility, it is noteworthy that public procurement for accessible digital goods and services is being adopted by several countries, with a focus on the inclusion of persons with disabilities. Standards for accessibility procurement exist in the US and EU and have been adopted by countries like Australia, India, and Kenya.
However, it is highlighted that despite the existence of a monitoring system for web accessibility in government procurement in Australia, lack of funding led to its discontinuation. Turning to the Netherlands, the Dutch government is actively developing dashboards such as internet.nl for accessibility purposes.
This initiative is positively received, as it demonstrates their commitment to improving accessibility for digital products and services. In terms of cybersecurity, efforts are being made by the RIPE NCC and ICANN to improve the adoption of techniques like DNSSEC (Domain Name System Security Extensions) and RPKI (Resource Public Key Infrastructure).
The audience appreciates the efforts made by Dutch public authorities and the government in terms of standardization and cybersecurity. Education and stakeholder involvement are highlighted as crucial factors in ensuring cybersecurity. Both civil society organizations and in-person training have proven to be effective in fostering informed discourse and persuading operators to adopt security measures.
Additionally, the analysis highlights the importance of proactive implementation of internet security measures to prevent potential digital mishaps that could be costly in terms of time, money, and stress. The analysis also notes the challenges faced by telecom carriers in implementing new security technologies due to cost and scaling requirements.
However, it suggests that subscription services could provide a steady source of funding for ongoing security improvements. The lack of skilled engineers is identified as another challenge in the implementation of cybersecurity measures, as highlighted by the example of Kyoto University being unable to implement certain security measures due to a shortage of skilled personnel.
Overall, the analysis underscores the importance of consistent standards in procurement, legislative change, accessibility, and cybersecurity in the digital governance efforts of Canada and the Netherlands. It also recognizes the positive steps taken by various stakeholders, such as Senator Colin Deacon and the Dutch government, in driving these initiatives forward.
David Huberman
Speech speed
165 words per minute
Speech length
2145 words
Speech time
778 secs
Arguments
BGP and DNS are very old protocols that were not built with security in mind
Supporting facts:
- BGP, the version used now, was standardized in 1995, and DNS is even older, from November 1983.
- Over the last 20 years, the Internet Engineering Task Force has been working on bolting security on these protocols.
Topics: Internet Security, BGP, DNS
Enhancements like RPKI and DNSSEC can significantly enhance the security of the entire Internet
Supporting facts:
- RPKI allows providers to authenticate the origins of routing information, providing benefits against malicious hijacks of routes, accidental misconfigurations, and IP spoofing.
- DNSSEC can assure the integrity of DNS queries, ensuring that the data received by users is the one intended by the website’s administrators.
Topics: Internet Security, RPKI, DNSSEC
There is a need to increase the adoption of DNSSEC and RPKI to improve the security of the global Internet
Supporting facts:
- The adoption of DNSSEC is at about 25% of all domain names.
- RPKI enjoys fuller deployment, especially in ISPs around the world, but there is a need to increase its deployment to all networks in the global routing system.
Topics: Internet Security, RPKI, DNSSEC
Internet standards are globally interoperable, unlike many everyday objects, such as plug outlets or currencies
Supporting facts:
- In different countries, the shape and the voltages of the plugs as well as the currencies are different, but the Internet works the same way no matter where you are
Topics: Internet, Standards, Interoperability
Dutch government’s initiative in integrating internet standards with public policy is highly commendable
Supporting facts:
- The Dutch government’s internet.nl website is a practical tool to help organizations understand where they sit in the world of internet standards
Topics: Government, Public Policy, Internet standards, Netherlands
Stakeholder involvement, including governments and civil societies, is vital in the development of Internet standards
Supporting facts:
- Internet’s global scale in 2023 requires the inputs from various sectors in developing the standards
- David Huberman encourages governments, parliamentarians, public policy, civil society, to become involved in Internet standards development
Topics: Stakeholder involvement, Internet standards, Governments, Civil Societies
Sponsoring and leading the working group for DNSSEC
Supporting facts:
- A lot of his colleagues travel globally to educate groups of engineers on operating networks and DNSSEC signing
- This method only reaches a small group operators
Topics: DNSSEC, Internet Security, Technical Education
The United States government now considers routing a matter of national security
Supporting facts:
- David Huberman had a meeting with officials of the Federal Communications Commission and other people from the FBI and Department of Justice discussing about securing the routing infrastructure
Topics: routing, United States government, national security
Regardless of a country’s geopolitics, vulnerabilities create opportunities that people will use for their own purposes
Supporting facts:
- People exploit vulnerabilities to create chaos or make money
- The need to ensure understanding of these risks worldwide
Topics: internet vulnerabilities, country legislation, geopolitics
Report
The analysis addresses various topics related to internet standards, security, and vulnerabilities. It starts by highlighting that the Border Gateway Protocol (BGP) and Domain Name System (DNS) are outdated protocols that were not originally designed with security in mind. However, efforts have been made over the past two decades by the Internet Engineering Task Force to enhance the security of these protocols.
The analysis emphasises that enhancements such as Resource Public Key Infrastructure (RPKI) and Domain Name System Security Extensions (DNSSEC) have proven effective in improving internet security. RPKI enables providers to authenticate the origins of routing information, protecting against malicious route hijacking, misconfigurations, and IP spoofing.
DNSSEC ensures the integrity of DNS queries, ensuring users receive the intended data from website administrators. While RPKI and DNSSEC have shown promise, there is a need to increase their adoption. Currently, DNSSEC is only used by approximately 25% of all domain names, while RPKI has greater deployment, particularly among Internet Service Providers (ISPs).
However, broader deployment of RPKI throughout the global routing system is necessary to enhance overall internet security. The analysis also underscores the importance of stakeholder involvement in internet standards development. Governments and civil societies should actively participate in shaping these standards to meet the demands of a global scale in 2023.
The Dutch government’s integration of internet standards with public policy, as demonstrated by their internet.nl website, is commendable. Furthermore, the analysis highlights the significance of understanding internet vulnerabilities. Regardless of a country’s geopolitical situation, vulnerabilities present opportunities for exploitation for personal gain or the creation of chaos.
Therefore, it is crucial for every country, regardless of size or peacefulness, to comprehend these vulnerabilities and implement regulations to minimize risks and secure their networks. Overall, the analysis concludes that enhancing internet security and promoting the adoption of standards are essential for protecting users and ensuring the stability of the global internet ecosystem.
The United States government’s recognition of routing as a matter of national security, reflected in the meeting David Huberman described with the Federal Communications Commission, the FBI and the Department of Justice, signals that securing the routing infrastructure, which in practice means deploying RPKI and validating Route Origin Authorizations (ROAs), is now on the policy agenda. By implementing measures to understand and address internet vulnerabilities, the digital landscape can be better safeguarded, ensuring the safety and stability of the global internet ecosystem.
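The reports above (the Audience report’s note that tools for authorization and validation of IP address space against an autonomous system number are mature, and this report’s description of RPKI letting providers authenticate the origins of routing information) describe the mechanism only in words. The following is an added example, not code from the session, IS3C, ICANN or any RIR: it implements route origin validation as specified in RFC 6811 (plus the RFC 7607 rule that an AS 0 ROA can never validate a route) over a constructed set of ROAs. The prefixes and AS numbers are documentation and private-use values chosen for illustration, not real assignments, and the function and class names are this example’s own.

```python
"""Route Origin Validation (RFC 6811) against a set of RPKI ROAs.

Added example; not code from the session or from IS3C/ICANN/RIPE NCC.
The ROA set and announcements below are constructed for illustration:
documentation prefixes (RFC 5737 / RFC 3849) and private-use ASNs (RFC 6996).
"""
import ipaddress
from dataclasses import dataclass
from enum import Enum
from typing import List, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class ROVState(Enum):
    VALID = "Valid"          # a covering ROA matches origin AS and maxLength
    INVALID = "Invalid"      # covered by ROAs, but none matches
    NOT_FOUND = "NotFound"   # no ROA covers the prefix at all


@dataclass(frozen=True)
class ROA:
    """One validated ROA: prefix, maxLength and the authorised origin AS."""
    prefix: IPNetwork
    max_length: int
    asn: int


def make_roa(prefix: str, max_length: int, asn: int) -> ROA:
    """Build a ROA, rejecting a maxLength outside [prefixlen, address size]."""
    net = ipaddress.ip_network(prefix, strict=True)
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError(f"maxLength {max_length} out of range for {net}")
    return ROA(net, max_length, asn)


def validate_origin(announced: str, origin_asn: int, roas: List[ROA]) -> ROVState:
    """Classify a BGP announcement (prefix, origin AS) per RFC 6811 section 2."""
    route = ipaddress.ip_network(announced, strict=True)
    # A ROA "covers" the route if its prefix contains the announced prefix.
    covering = [
        r for r in roas
        if r.prefix.version == route.version and route.subnet_of(r.prefix)
    ]
    if not covering:
        return ROVState.NOT_FOUND
    for r in covering:
        # RFC 7607: an AS 0 ROA authorises nobody, so it can only make routes Invalid.
        if r.asn != 0 and r.asn == origin_asn and route.prefixlen <= r.max_length:
            return ROVState.VALID
    return ROVState.INVALID


def accept_route(announced: str, origin_asn: int, roas: List[ROA]) -> bool:
    """The usual ROV policy: drop Invalid, accept Valid and NotFound."""
    return validate_origin(announced, origin_asn, roas) is not ROVState.INVALID


# Constructed ROA set (assumption: these are the ROAs a validator has fetched).
SAMPLE_ROAS = [
    make_roa("192.0.2.0/24", 24, 64500),      # exact prefix only
    make_roa("198.51.100.0/24", 26, 64501),   # may be announced down to /26
    make_roa("2001:db8::/32", 48, 64500),     # IPv6, subnets down to /48
    make_roa("203.0.113.0/24", 24, 0),        # AS 0: must never appear in BGP
]

# Constructed announcements: a legitimate route, a hijack from a wrong origin,
# an over-specific "more specific" hijack, an unsigned prefix, and an AS 0 case.
SAMPLE_ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64500),
    ("192.0.2.0/24", 64666),
    ("192.0.2.0/25", 64500),
    ("198.51.100.0/26", 64501),
    ("100.64.0.0/10", 64500),
    ("203.0.113.0/24", 64502),
    ("2001:db8:1::/48", 64500),
]

if __name__ == "__main__":
    for prefix, asn in SAMPLE_ANNOUNCEMENTS:
        state = validate_origin(prefix, asn, SAMPLE_ROAS)
        action = "accept" if accept_route(prefix, asn, SAMPLE_ROAS) else "drop"
        print(f"{prefix:18} from AS{asn}: {state.value:9} -> {action}")
```

Two behaviours of this check are worth noticing when reading the adoption figures quoted in the session. First, a prefix with no ROA is NotFound, not Invalid, and every common ROV policy accepts NotFound routes, so the roughly 40% of signed address space protects only itself: a hijack of an unsigned prefix is indistinguishable from a legitimate announcement. Second, the maxLength field matters as much as the origin AS: a ROA that is too generous (a /24 with maxLength 32, say) lets an attacker who has forged the origin AS win the longest-prefix match with a more specific, so the /25 case above being Invalid is the intended outcome.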
Mark Carvell
Speech speed
135 words per minute
Speech length
281 words
Speech time
125 secs
Arguments
Procurement and supply chain management have major contributions in driving the adoption of critical security-related standards.
Topics: Procurement, Supply Chain Management, Security Standards
Consequences of security failures should be reported and remedying measures should be widely distributed through channels like IS3C.
Supporting facts:
- Incidents of massive security failures in UK, like data breaches affecting police forces and financial services are reported, but there are no follow-ups on remedying measures taken.
Topics: Security Breaches, IS3C
Report
Procurement and supply chain management play a crucial role in driving the adoption of essential security-related standards. These standards are vital for safeguarding businesses, organizations, and individuals against security breaches and ensuring the integrity and confidentiality of sensitive information. By implementing these standards in the procurement and supply chain processes, secure practices are maintained throughout the entire supply chain, from sourcing raw materials to delivering the final product.
The IS3C (Internet Standards, Security and Safety Coalition) is instrumental in gathering valuable information on procurement and supply chain management. This knowledge base provides insights and best practices that can be used to enhance security standards. However, it is recommended to incorporate experiences from other countries to widen the scope and applicability of this resource, ultimately creating a more comprehensive and globally relevant framework.
Unfortunately, incidents of security failures in the UK, such as data breaches affecting police forces and financial services, are reported without appropriate follow-up remedial measures. These security failures can have severe consequences, including compromised data, financial losses, and potential risks to national security.
To address this issue, it is imperative to establish a consistent reporting mechanism that accurately documents the consequences of security failures. Furthermore, remedial measures should be widely distributed through channels like the IS3C, enabling organizations to learn from past mistakes and take proactive measures to prevent similar breaches.
In conclusion, procurement and supply chain management are integral to adopting critical security-related standards. The IS3C’s efforts to collate valuable information are commendable, but it is necessary to expand this resource by incorporating experiences from other countries. Additionally, addressing the lack of follow-up remedial measures in response to security failures is crucial.
By implementing proper reporting and distribution mechanisms through channels like the IS3C, security practices can be enhanced, and future breaches can be mitigated.
Wout de Natris
Speech speed
164 words per minute
Speech length
3845 words
Speech time
1409 secs
Arguments
There is a need for greater focus on prevention in cybersecurity, primarily through secure by design procurement and the use of internet standards.
Supporting facts:
- The internet runs on internet standards, created by the technical community, but these were not initially designed with security in mind.
- Most procurement documents found do not mention security, and if they do, they don’t specifically refer to cybersecurity or internet standards.
- Governments can help improve cybersecurity by demanding these internet standards when they procure software or services.
Topics: Cybersecurity, Internet Standards, Procurement, Prevention
The intention is to change the narrative in the cybersecurity conversation through the newly started DNSSEC and RPKI Deployment working group.
Supporting facts:
- The workgroup represents a shift toward prevention and Secure by Design concepts rather than solely mitigation.
- The aim is to translate ideas into tangible actions and to deliver results that the UN Secretary General is pushing for.
Topics: DNSSEC, RPKI Deployment, Cybersecurity, Internet Standards
Wout de Natris wants to know the audience’s stance on the IS3C concept and its future plans
Supporting facts:
- Wout de Natris is part of the discussion panel and wants to learn from the audience; he has a keen interest in the procurement schemes of other countries and, together with David, wants to change the narrative of how people in leadership think about cybersecurity.
Topics: IS3C, cybersecurity, public policy, internet standards
The Internet is fundamentally reliant on DNS and routing, areas not typically visible or understood by the average user, and these parts have significant security implications.
Supporting facts:
- The DNS and routing parts of the internet are not directly visible or understood by most people, yet are fundamental to the function of the internet.
- There is a risk of losing people’s trust in the system if these security concerns are not addressed.
Topics: Internet, DNS, routing, security
The existing state of the internet and its infrastructure could be seen as a market failure prompting governmental or legislative intervention.
Supporting facts:
- The internet infrastructure is old and in need of improvement.
- There has been a significant amount of legislation affecting the infrastructure and the ecosystem in the European Union.
Topics: Internet, legislation, market failure, regulation
Tools and standards have been available for a long time to improve security, but adoption has been slow.
Supporting facts:
- Signing resources and validating announcements are steps that could be taken, but have not been widely adopted.
- Training and resources are available to help familiarize engineers with the processes needed to improve internet security.
Topics: Internet, security, adoption
The United States government now considers the protection of the routing infrastructure critical for national security.
Supporting facts:
- The Government officials were discussing the principles of routing security and using technical terms like RPKI and ROA.
- There seems to be an intention to use government power to ensure regulated parties secure the routing infrastructure.
Topics: Cybersecurity, National Security, Government Regulation, Internet Routing, RPKI, ROA, URPF
If organizations do not voluntarily adopt internet security standards, government regulation may impose them.
Supporting facts:
- The US government is considering forcing regulated parties to adopt secure routing procedures.
Topics: Government Regulation, Cybersecurity, Business Regulation
Government procurement could be a game-changer for the deployment of secure internet design standards.
Supporting facts:
- De Natris emphasizes that if regulation is avoided, procurement might be the answer for promoting security standards.
Topics: Government Procurement, Cybersecurity, Secure by design
IS3C aims to hand over knowledge and tools for cybersecurity.
Supporting facts:
- IS3C cannot do it by itself; it needs cooperation from countries.
- Implementation and deployment are the responsibility of the respective countries.
Topics: Cybersecurity, Knowledge Transfer, Global Cooperation
There is a significant opportunity to improve Internet of Things security through the use of open standards.
Supporting facts:
- IS3C intends to present a global comparison on national policy on Internet of Things security.
- The report reveals that current regulations on Internet of Things security are mainly voluntary.
- IS3C’s narrative on DNSSEC and RPKI
Topics: Internet of Things security, Open Standards, IS3C
IS3C’s work has a wider relevance beyond the scope of internet standards.
Supporting facts:
- IS3C is trying to see their relevance to the sustainable development goals.
- IS3C aims to do a global comparison on emerging technologies like artificial intelligence and the metaverse and their relevance to SDGs.
- The Comply and Explain list will have a global translation, indicating IS3C’s broad scope of work.
Topics: IS3C, Sustainable Development Goals, Emerging Technologies, Artificial Intelligence, Metaverse, Quantum Computing
Report
In the realm of cybersecurity, there is a pressing need for a stronger focus on prevention. This can be achieved through secure-by-design procurement and the implementation of internet standards. Initially, internet standards were created by the technical community without prioritizing security, resulting in vulnerabilities.
Most procurement documents do not mention security, and when they do, they fail to specifically address cybersecurity or internet standards. Governments can help improve cybersecurity by demanding the incorporation of these standards when procuring software or services. By doing so, they can significantly enhance cybersecurity measures and reduce the risk of cyber attacks.
The DNSSEC and RPKI Deployment working group aims to bring about a transformation in the cybersecurity conversation. This initiative represents a shift towards prevention and secure-by-design concepts, moving away from solely focusing on mitigation efforts. The goal of the working group is to translate ideas into tangible actions, aligning with the objectives set by the UN Secretary-General.
Securing the public core of the internet is of paramount importance. This includes both the physical infrastructure and the standards guiding its operation. Currently, there is a lack of recognition and implementation of these standards, leaving the system vulnerable to cyber attacks.
While tools and standards to enhance security have been available for a significant amount of time, their adoption has been sluggish. This highlights the need for greater awareness and proactive efforts in implementing these measures. The existing state of the internet infrastructure can be seen as a market failure, necessitating governmental or legislative intervention.
The internet infrastructure is outdated and requires improvements. The European Union has already implemented significant legislation affecting both the infrastructure and the ecosystem. Wout de Natris, an active participant in the discussion, advocates for a change in the narrative surrounding cybersecurity.
He emphasizes the importance of persuading people in leadership positions to prioritize cybersecurity from the outset, rather than treating it as an afterthought. The protection of the routing infrastructure is now considered critical for national security by the United States government.
Government officials are actively discussing routing security principles and the use of technical terms such as RPKI (Resource Public Key Infrastructure) and ROA (Route Origin Authorization). There is an intention to leverage government power to enforce regulations and ensure the secure functioning of the routing infrastructure.
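What verifying ROAs means in practice, as an added example that is not part of this session report or of IS3C's materials: route origin validation as specified in RFC 6811, applied to a constructed set of ROAs and announcements (documentation prefixes and private-use AS numbers, chosen for the example). It is the check an operator runs to decide whether a BGP announcement's origin AS is authorised by the address holder.

```python
# Added illustration of RPKI route origin validation (RFC 6811): the check an
# operator runs before trusting the origin AS of a BGP announcement. The ROAs
# and announcements are constructed sample data, not real routing data:
# documentation prefixes and private-use AS numbers chosen for this example.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str      # signed address prefix, e.g. "192.0.2.0/24"
    max_length: int  # longest prefix length the holder allows to be announced
    asn: int         # origin AS authorised to announce it (0 = nobody may)


def _covers(roa, announced):
    """A ROA covers an announcement when its signed prefix contains the
    announced one (same address family), regardless of maxLength."""
    roa_net = ipaddress.ip_network(roa.prefix)
    return roa_net.version == announced.version and announced.subnet_of(roa_net)


def validate_origin(prefix, origin_asn, roas):
    """Return 'notfound' (no ROA covers the prefix, RPKI says nothing),
    'valid' (a covering ROA names this origin AS and the announced length is
    within its maxLength) or 'invalid' (covering ROAs exist but none matches:
    wrong origin AS, too-specific announcement, or an AS0 ROA)."""
    announced = ipaddress.ip_network(prefix, strict=True)
    covering = [r for r in roas if _covers(r, announced)]
    if not covering:
        return "notfound"
    for roa in covering:
        if roa.asn == origin_asn and announced.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


def audit(announcements, roas):
    """Validate (prefix, origin_asn) pairs, e.g. a peer's feed; returns
    (prefix, origin_asn) -> state."""
    return {(p, asn): validate_origin(p, asn, roas) for p, asn in announcements}


# Constructed sample ROAs for the example.
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 24, 64496),     # only the /24 itself, from AS64496
    ROA("198.51.100.0/24", 26, 64497),  # AS64497 may announce down to /26
    ROA("203.0.113.0/24", 24, 0),       # AS0 ROA: this space must not be routed
    ROA("2001:db8::/32", 48, 64496),    # IPv6 block, more specifics up to /48
]
```

An "invalid" result is the signal an operator acts on (typically by rejecting the route), while "notfound" only says the holder has not yet signed a ROA, which is exactly the adoption gap the session discusses.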
If organizations do not voluntarily adopt internet security standards, the government may impose regulations on them. This highlights the importance of voluntary adoption and proactive implementation of security measures within organizations. Government procurement is identified as a potential game-changer for the deployment of secure internet design standards.
De Natris suggests that if regulation is avoided, procurement can be a powerful tool for promoting security standards. IS3C aims to hand over knowledge and tools for cybersecurity, with the responsibility of implementation and deployment lying with respective countries.
IS3C’s work has broader implications beyond internet standards, as it also covers emerging technologies such as artificial intelligence, quantum computing, and the metaverse. This broad scope aligns with the Sustainable Development Goals and the need for global cooperation. In the area of Internet of Things (IoT) security, there is an opportunity to enhance security through the adoption of open standards.
The existing policies on IoT security across the globe are predominantly voluntary, necessitating a global transformation in the regulatory framework. In conclusion, a shift towards prevention in cybersecurity and the prioritization of secure-by-design procurement are imperative. The implementation of internet standards and the proactive adoption of security measures are crucial to mitigate vulnerabilities.
Governmental involvement, through procurement and regulatory intervention, is necessary to promote and enforce these measures. The work of initiatives like the DNSSEC and RPKI Deployment working group and IS3C contributes to transforming the narrative and addressing emerging challenges in cybersecurity.