Quantum-IoT-Infrastructure: Security for Cyberspace | IGF 2023 WS #421

11 Oct 2023 00:30h - 00:30h UTC

Event report

Speakers and Moderators

Speakers:
  • Olga Cavalli, Government, Latin American and Caribbean Group (GRULAC)
  • Carlos Martinez Cagnazzo, Technical Community, Latin American and Caribbean Group (GRULAC)
  • Maria Luque, Civil Society, Western European and Others Group (WEOG)
  • Wout de Natris, Private Sector, Western European and Others Group (WEOG)
Moderators:
  • Birarda Carina, Technical Community, Latin American and Caribbean Group (GRULAC)

Table of contents

Disclaimer: It should be noted that the reporting, analysis and chatbot answers are generated automatically by DiploGPT from the official UN transcripts and, in case of just-in-time reporting, the audiovisual recordings on UN Web TV. The accuracy and completeness of the resources and results can therefore not be guaranteed.

Full session report

Wout de Natris

The lack of cybersecurity measures in Internet of Things (IoT) devices is a pressing issue that demands attention. While the technical community has made efforts to address this concern, the majority of governments and industries have not yet prioritised security by design in IoT. This oversight has resulted in widespread vulnerability and the potential for malicious attacks.

Initially, cybersecurity was not a concern during the early days of the internet, as worldwide connectivity was limited. However, with the rapid expansion and integration of IoT devices into our daily lives, the need for robust security measures has become increasingly evident. Unfortunately, IoT devices are often designed without adequate security measures, making them susceptible to cyber threats and potentially compromising users’ personal data.

One argument put forth is that governments and large corporations should play a crucial role in setting the standard for security in IoT. An example of this proactive approach is seen in the Dutch government, which has taken the lead by imposing the deployment of 43 different security standards. This demonstrates the importance of demanding high levels of security in IoT devices.

Another concerning aspect is the lack of rigorous security testing before new technology, including ICT, enters the market. The fast pace of innovation and the urgency to bring products to market often result in inadequate security measures. It is argued that security should be a fundamental consideration and undergo formal testing before any form of ICT is released, minimising risks for users.

On a more positive note, international cooperation and information sharing are emphasised as pivotal factors in staying ahead in terms of cybersecurity. The power of the internet lies in its ability to facilitate global discussions, enabling the sharing of knowledge and experiences across borders. Governments and larger industries need to be made aware of their role and potential influence in addressing cybersecurity challenges, fostering collaboration and cooperation on a global scale.

In conclusion, the lack of cybersecurity measures in IoT devices poses a significant challenge that needs to be addressed urgently. Efforts from both the technical community and various stakeholders are required to push for security by design and the implementation of robust standards. Governments and large corporations hold the responsibility of leading the way, setting the standards for security in IoT. In addition, rigorous security testing should become a prerequisite before any form of ICT is introduced to the market. Furthermore, international cooperation and information sharing are critical for staying ahead in the ever-evolving landscape of cybersecurity. Only through collaboration can we tackle the challenges and vulnerabilities inherent in the interconnected world of IoT.

Moderator – Carina Birarda

This extended summary highlights the main points and arguments presented in the given information on cybersecurity. It also provides more details, evidence, and conclusions drawn from the analysis.

The first argument states that there has been a significant increase in cybersecurity incidents at the international level, which is viewed as a negative trend. This can be attributed to the global connectivity that has become a key factor behind this increase. Additionally, the emergence of sophisticated criminal activities, such as crime as a service, has further contributed to the rise in cybersecurity incidents. The supporting evidence for this argument is the fact that cyberattacks are often conducted by actors in multiple countries, indicating the global nature of the issue.

The second argument emphasizes the fundamental challenge of adopting internationally-recognised cybersecurity best practices. It is highlighted that only a few organisations currently practise these standards, and the lack of adoption is a global issue. The evidence supporting this argument includes the observation that just a small number of organisations implement these best practices, indicating a need for widespread adoption to enhance cybersecurity at both national and international levels.

The third argument stresses that cybersecurity is a global issue that necessitates international collaboration for effective mitigation. The fact that cyberattacks do not respect borders or jurisdictions is put forward as evidence for the need for international cooperation. Additionally, it is stated that information sharing at the international level is imperative for combating cybersecurity threats. This argument highlights the importance of collaboration between countries to establish a robust global cybersecurity framework.

The fourth argument suggests that understanding the threats facing IoT, web, and quantum technologies is essential for implementing proper cybersecurity practices. By gaining a comprehensive understanding of these threats, appropriate best practices can be selected and implemented. The evidence supporting this argument is the observation that proper implementation of cybersecurity practices can only be achieved by addressing the specific threats posed by emerging technologies.

In conclusion, the extended summary highlights the increasing number of cybersecurity incidents on an international scale as a negative trend. The adoption of internationally-recognised cybersecurity best practices is identified as a fundamental challenge, with only a small number of organisations currently practising these standards. It is established that cybersecurity is a global issue requiring international collaboration for effective mitigation. Understanding the specific threats posed by emerging technologies is emphasised as crucial for implementing proper cybersecurity practices. Overall, the analysis underscores the need for international cooperation and comprehensive measures to address the growing cybersecurity challenges.

Maria Luque

Quantum technologies, specifically quantum computing, present challenges and opportunities in terms of cybersecurity. The concern is that quantum computing has the potential to break current cryptographic systems and expose sensitive information. To combat this threat, researchers are developing technologies like Post-Quantum Cryptography (PQC) and Quantum Key Distribution (QKD). PQC, although not yet standardized, can be applied today as a software-based solution, while QKD requires substantial investment and the creation of new secure communication infrastructures.

It is argued that governments and the technology industry need to continuously and significantly invest in quantum technologies to ensure data security in the face of the quantum threat. QKD, in particular, requires high investment and the establishment of entirely new infrastructures for secure communication. On the other hand, tech companies have already started implementing PQC into their solutions, showing their recognition of the need to adapt to quantum technologies.

Organizations also need to assess and adapt their information security structures to prepare for the quantum threat. They should understand their information architectures, level of encryption, and capabilities necessary for transitioning to quantum security. The approach for organizations may vary depending on their size, with smaller ones potentially adopting PQC and larger ones engaging in quantum communication networks.

For small tech companies, the infrastructure provided by large tech companies like AWS, Microsoft Azure, and Google is crucial for addressing the challenges posed by quantum technologies. These platforms serve as a foundation for smaller companies to navigate the complexities of quantum computing.

Deploying PQC algorithms in the cloud is considered a potential solution for securing data for small companies in the next five to ten years. Despite not being favoured by some, it is argued that deploying PQC algorithms in the cloud offers optimal data security for small companies. However, there is debate regarding this approach, with some opposing the practice for maintaining data security.

Countries are encouraged to focus on their strengths and specialties when planning their national quantum strategies. For example, Spain has chosen to invest in areas where it excels, such as optics and mathematics, to drive its quantum technology development.

In conclusion, quantum technologies pose both challenges and opportunities in cybersecurity. Addressing the quantum threat requires significant investments in quantum technologies, assessments and adaptations of information security structures, and consideration of alternative solutions like deploying PQC algorithms in the cloud. Additionally, countries should strategically focus on their strengths and specialities to plan effective national quantum strategies. Ongoing research and discussions are needed in this rapidly evolving field.

Olga Cavalli

Latin America faces unique technological and internet infrastructure challenges due to economic and distribution inequalities. These challenges stem from the disparities in wealth and resources within the countries of the region. As a result, access to and the quality of technology and internet infrastructure vary greatly across Latin America.

To address these challenges, there is a need for increased participation in policy dialogues related to the internet in Latin America. Olga Cavalli, a university teacher at the University of Buenos Aires, has played a key role in creating a training program for professionals to learn about the rules of the Internet, understand its challenges, and participate more actively in policy dialogues. This initiative aims to empower Latin American countries to have a stronger voice in shaping internet policies that are suitable for their specific needs and circumstances.

Furthermore, the rapid adoption of Information and Communication Technology (ICT) and Internet of Things (IoT) devices in Latin America has raised concerns about increased vulnerabilities due to the lack of initial security designs. It is estimated that there will be between 22,000 million to 50,000 IoT devices in the region next year. The fast pace of adoption leaves little time for proper security measures to be implemented, which could lead to potential breaches and threats in the future.

Argentina has taken proactive steps in addressing cybersecurity concerns. The national administration has implemented binding resolutions that require the preparation of a security plan, the assignment of a focal point for contact, and information sharing in the event of a cyber incident. Additionally, a manual has been developed to guide the national administration on how to respond to such incidents. A new cybersecurity strategy has also been approved, showcasing Argentina’s commitment to ensuring security in the digital realm.

Developing countries and small to medium enterprises (SMEs) face significant challenges in keeping up with rapid technological changes. These challenges include restrictions on importing certain products and hardware, as well as a lack of human resources, as trained professionals often migrate to developed countries in search of better opportunities. The combination of limited resources and a lack of technical expertise hampers their ability to understand and afford new technologies, creating a widening technology gap.

Moreover, developing economies and small to medium enterprises are often consumers of technologies developed elsewhere, which raises concerns about the global technology gap. While major technology companies like AWS, Microsoft Azure, and Google are expected to provide solutions based on emerging technologies like Post-Quantum Cryptography (PQC) algorithms and cloud computing, developing economies and SMEs rely on these technologies without actively contributing to their development. This dependence on technologies developed elsewhere puts them at a disadvantage.

To address these challenges, capacity building and awareness are advocated as essential measures. By investing in the development of local technological capabilities and creating awareness about the importance of technology, Latin American countries can reduce their reliance on technologies developed by other countries. This would help narrow the global technology gap and allow them to actively contribute to technological advancements that suit their specific needs.

In conclusion, Latin America faces unique challenges in technological and internet infrastructure due to economic and distribution inequalities. Increasing participation in policy dialogues, addressing cybersecurity concerns, and bridging the technology gap are crucial steps towards creating a more inclusive and technologically advanced region. Additionally, capacity building and raising awareness about technology will empower Latin American countries to shape their own technological future.

Nicolas Fiumarelli

During the discussion, the speakers emphasised the necessity of implementing security technologies, such as RPKI, DNSSEC, IoT security standards, and quantum-resistant algorithms, through legislation. They pointed out that the rising number of Internet of Things (IoT) devices and the advancements in quantum computing pose significant security risks. These risks can be mitigated by the adoption of robust security measures.

The speakers also highlighted the existence of security standards developed by the Internet Engineering Task Force (IETF) specifically for IoT devices. These standards provide guidelines and best practices to ensure the security of IoT networks and data. However, one speaker questioned why these security technologies are not universally enforced in all Information and Communication Technology (ICT) systems through legal obligations.

It was acknowledged that the implementation of advanced security technologies comes with a high cost. This cost may pose a challenge to widespread adoption. Nonetheless, the importance of safeguarding critical infrastructure and personal information against cyber threats and data breaches justifies the investment in these technologies.

Overall, the sentiment during the discussion was neutral, indicating a balanced examination of the topic. The speakers’ arguments and evidence provided a comprehensive understanding of the urgency to implement security technologies, alongside the challenges associated with their implementation. The discussion aligned with SDG 9: Industry, Innovation and Infrastructure, as it emphasised the need for secure and resilient ICT systems to support sustainable development.

Through this analysis, it becomes evident that the adoption of security technologies through legislation should be encouraged and prioritised. This will help ensure the protection of IoT devices and networks, while also addressing the growing threat of quantum computing to traditional encryption methods. Additionally, the development and enforcement of security standards can play a crucial role in enhancing cybersecurity practices across various industries.

In conclusion, the discussion underscored the significance of deploying advanced security technologies and standards to safeguard ICT systems. Although challenges such as high implementation costs exist, the speakers highlighted the urgency to address these concerns and apply security measures throughout the industry. By doing so, they aimed to emphasise the need for a comprehensive approach to cybersecurity, simultaneously addressing both technological advancements and legal enforcement.

Carlos Martinez

The discussion centres around the vital role of DNSSEC (Domain Name System Security Extensions) and RPKI (Resource Public Key Infrastructure) in securing the fundamental structure of the internet. These security protocols are instrumental in safeguarding the integrity and authenticity of DNS responses and BGP (Border Gateway Protocol) announcements, respectively.

DNSSEC and RPKI operate by utilising digital signatures to verify the legitimacy of DNS responses and BGP announcements. This verification process ensures that the network delivers data packets to the correct destination, maintaining the proper functioning of the internet. The speakers unanimously recognise the crucial importance of DNSSEC and RPKI, highlighting their shared responsibility in both signing and validation processes.

On a related topic, there has been a debate concerning the potential weakening of cryptographic algorithms and the inclusion of backdoors to enable access. However, Carlos, one of the speakers, expresses a negative sentiment towards this notion. He asserts that such actions would be unwise, potentially compromising the security of cryptographic systems. This viewpoint aligns with SDG 16, which focuses on ensuring peace, justice, and strong institutions.

A positive aspect discussed is that both DNSSEC and RPKI have algorithm agility built into their design. This feature ensures that they can adapt to incipient post-quantum cryptographic scenarios. Consequently, when post-quantum cryptographic algorithms are standardized, they can be effectively incorporated into DNSSEC and RPKI, providing continued security measures against quantum threats.

The debate also encompasses the challenge of mandating technology, with the speakers highlighting instances where such endeavors have proven unsuccessful. They note the issues surrounding cost and benefit discrepancies, particularly in the context of the Internet of Things (IoT) and DNSSEC/RPKI implementation. Furthermore, while post-quantum algorithms have been proposed, they have not yet achieved a satisfactory level of performance.

In conclusion, the speakers collectively emphasize the importance of DNSSEC and RPKI in securing the core infrastructure of the internet. Their positive sentiment towards the efficacy of these protocols underscores their significance in maintaining a properly functioning internet. Nonetheless, there is a negative sentiment towards weakening cryptographic algorithms, highlighting the potential risks associated with such actions. The speakers also acknowledge the need for flexibility and tailored approaches when addressing different technologies, rather than enforcing a one-size-fits-all mandate. Ultimately, this discussion highlights the ongoing challenges and complexities associated with internet security and the need for continued research and adaptation to effectively counter emerging threats.

Session transcript

Moderator – Carina Birarda:
Okay. We are going to start it. Good morning, everyone. Good afternoon. Good night. I want to interpret my gratitude for sharing this workshop, Quantum IoT Infrastructure Security for Service Space. It’s an honor to moderate such a disengaged colleagues and friends. I am Karina Virarda from Argentina, a member of the Multiple Stakeholders Advisory Group of ICF, co-facilitator of the Best Practices Forum on Cybersecurity. I’m passionate about technology and all things related to digital protection. As we know, in recent years, we have seen a significant increase in cybersecurity incidents at the international level, which alarming statistics is showing and consistent wise. Global interconnectivity depends on technology and the sophistication of criminal as crime as a service are the key factor behind the trend. So maybe we have more work. The lack of adoption of internationality-recognized cybersecurity best practices is one of the fundamental challenges. Recognizing cybersecurity as a global issue is essential as cyber attacks do not respect borders or jurisdictions. Organizations such as the UN’s World Economic Forum, ICF Forum, promote internationally-recognized cybersecurity standards. Sorry. Such a need cybersecurity framework and ISO 27001 Information Security Guidance, which provide a solid framework for protecting digital assets. Collaboration and international cooperation are equally essential as a cyber attack often involves actors operating in multiple countries. Sharing information about threats and cybersecurity tactics is vital to on a step ahead in the fight against these attacks. In summary, the increase in international cybersecurity incidents is a challenge that requires a global response. The adoption of the cybersecurity best practices and international collaboration are the fundamental pillars to addressing this growing threat and protecting our digital assets and increasing interconnected world. In order to determine with the best practice can be implemented, it is essential to understand the threats we are facing. So we have two opening questions for all the panelists, which are as follows. Number one, what are the leading cybersecurity threats across the IoT critical internet infrastructure, web, and quantum technology, and what are existing best practices to counter this threat? Number two, how can diverse stakeholders, including the ICF community, the Best Practices Forum on cybersecurity, dynamic coalitions, and the other relevant groups collaborate and contribute actively to development and implementation of these best practices? And number three, in the context of the continuality involving cybersecurity landscape, what key considerations are essential to ensure a safer and more trustworthy internet for our users across these areas? I kindly request that each of you introduce yourself. And you have 10 minute limit for your presentation. And the number one, please, Wouter Natrisch. Your turn. Thank you.

Wout de Natris:
Thank you, Carina. My name is Wouter Natrisch, and I am a consultant based in the Netherlands. And as such, I am the coordinator of the dynamic coalition at the IGF called Internet Standards Security and Safety Coalition. And this coalition has one primary goal that is to make the internet more secure and safer for all users, so whether public, private, or individuals. We do that through different working groups. And these working groups focus on different topics on the topic of cybersecurity. So we have a topic called on internet of things, so security by design built into the internet of things. And I’m sure that Nicolas will tell more about that later. We published our first report yesterday morning here in Kyoto, which can be found online. We have a working group on procurement and supply chain management. And I think that’s what we’re going to focus on most in a moment. That we have a one on education and skills to make sure that tertiary education deliver what industry needs in this field and not codes programs from 20 years ago. We have one on data governance. We have one on the consumer protection. We have a working group on emerging technologies and one on deployment of two specific standards, but then focusing on not the technical side, but I’m sure that also what we’re discussing here is not about the technique. It’s about political, economical, social, and security choices that we have to make in a society. I think that what we try to aim to do, and I think that that answers one of the questions that I heard, is that when governments and larger industries start demanding security by design, when they procure their ICT services, devices, or products, that would mean that any company is not able to deliver these demands, will not get big assignments. And that would be a major driver for getting everything, including IoT, more secure by design. What I think is important to understand is that The internet works as it does and let’s face it, it works fantastically because anybody in the world can at this moment follow us, they can ask questions to us, they can use the chat to interact with us and it’s all because of the way the internet functions and the way it is scalable. But unfortunately when they built these rules, security was not an issue because people who were then connecting were working at either the U.S. government department of defense or they worked in some U.S. universities and everybody knew each other, so there was no need for security. And then the world came online on the same principle and then showed that it was inherently obscure. The technical community has made reparations, they made changes to the code that runs the internet and that code running the internet is the public core of the internet that people talk about. So when you talk about protecting the public core of the internet, you’re not just protecting undersea cables or land cables or server parks, you’re also protecting the software that makes it work. And that is the weird thing about this story that software that makes the internet and IoT more secure is not even recognized by any government in the world as such. So if you talk about standards, they talk about government bodies making standards or they talk about organizations like ISO making standards, but not about the internet standards. They are made by the technical community on a voluntary basis, but that is what makes the internet run and not ISO because that is an administrative ticking box. So if we get governments to understand that it’s the other standards they have to recognize formally as well, but also use them when they procure their services, their services, their products, their devices, the world will change. And what is the current situation? The current situation is that there’s not a living playing field for industry. When industry is not asked for a level of security built in, apparently they don’t do it. And what if I was a single company and I decided I am going to deploy all these standards? That costs me money, it costs me time, it costs me effort. I have to train people. And if the competition does not do it, it means my product becomes more expensive and most likely governments won’t buy it because they go for the cheapest option. So in other words, I would be out of business. So there’s no living playing field. There’s no demand from the big players. So there’s no interest to deploy. So all the IoT devices coming to the market are usually insecure by design. And from that moment on, are a threat factor for everybody in society. So if we don’t put this pressure on industry to deploy, nobody will most likely, except a few that are more idealistic. And this is shown in the research that we’ve done on IoT security by design. And I will not take anything away from what Niklas will be telling us, but we found that there’s no pressure to make IoT secure. There’s no pressure from the outside. We’ve seen it also in the procurement study we’ve done. We’ve analyzed the documents around the world on procurement. And if security is mentioned, it is not always cybersecurity. And if it’s cybersecurity, it’s seldom on internet standards. There’s one big example that does, that’s the Dutch government. They’re mandatorily have to deploy 43 different standards when procuring or explain why they cannot do that. And that is reported to the Dutch parliament once a year. So why is this relevant? I think this is extremely relevant because we’re discussing our future. IoT is already among us. AI is among us for far longer than most people realize. And who knows what is coming with a metaverse or quantum and who knows what is invented tomorrow, because we’re in a society that changes every two hours. And it looks like that time and time again, the same mistakes that we made. The product is invented and it comes into markets usually untested for security. So is that something that we should be discussing that when a new technology enters the market, that at least be tested formally in one way or another? Probably not legislated because you can’t legislate what you don’t know. You can at least demand a certain amount of testing. So ICT in whatever form is allowed to the markets from outside, usually it’s also almost irreparable. So when they find the flaws, it’s almost too difficult to repair them in some cases. So they remain a threat factor for sometimes decades. And with AI, perhaps with quantum or the metaverse and all else that is in store, we can demand at least security from the outset. Demand is before we start procuring it and certainly before we buy it. So large corporations and governments can set that example. And when they do, they become a standard and the security will become available for all of us. So if we make governments and larger industry aware of their role, their potential influence, and to provide them with the information they perhaps lack now, they will change the world for us. And that’s our ICT goal, to make the internet more secure and safer by the widespread deployment of security-related internet standards and ICT best practices. And if you’re interested to join, you can do that at is3coalition.org, and the three is the number three. Our reports are there, also the report Nicolas will be telling about. And I think that is about what I would like to contribute for now. So thank you very much for the opportunity.

Moderator – Carina Birarda:
Thank you very much. The second panelist is Carlos Martinez. He’s online. Carlos, I can see you online. Hello, how are you? I am very well, thank you.

Carlos Martinez:
can you guys hear me? Yes. Okay. I have like four or five slides that I would like to share. I hope that I can share my screen. Yes. Okay. Okay. So, I’ll be right to the point. Well, my name is Carlos Martinez. I work for LACNIC, the Regional Internet Registry for Latin America and the Caribbean. I’ve been working for LACNIC the best part of the last 15 years. I’m currently the head of technology or the CTO for LACNIC. One of the things that has initially caught my attention when I started working for LACNIC was the need for deploying two technologies that at the time were just not very well-known actually. These are DNSSEC and RPKI. I’m sort of grouping them because I believe that there’s a common theme between them, which is securing the infrastructure or securing the core of the internet. I would describe, I would say, a bit of a dire situation regarding the security on IoT, but that’s one part of things. When you have devices, the devices maybe secure themselves, but you still have to traverse the internet to get information from one point to another. I will try to go through this very quickly. When I speak about internet infrastructure, I’m not thinking about the physical layer in this case, not about fibers, cellular, or satellites, but I’m thinking particularly about what I used to call the three pillars of a properly functioning internet. The internet to work, as we know, it depends on three functions, basically. One is routing, the other is control and forwarding, basically the ability of the network to have one packet on ingress and deliver that packet destination to the proper destination, and a complementary function, which is domain name resolution, or DNS, okay? So the three things are necessary. There’s a subtle difference between routing and forwarding. Forwarding is the actual decision of a router when it has a packet and needs to analyze the packet and decide which interface it should be sent off, and routing, which is a control function where the router learns a table that it uses to decide how to forward packets. Both things are necessary, of course, are complementary. So this is a very high-level thread overview of these two or three functions, and each, you could probably identify more than this. Name resolution, for example, suffers from domain spoofing, where a server pretends to host a DNS zone that it shouldn’t, or it’s not authorized to hold, and this is widely used, for example, for phishing attacks. Cache poisoning is another very well-known thread to DNS, and where a specially crafted packet can poison, in a way, a server and allow an attacker to actually… they instruct a server to lie to its customers. This has been widely discussed in the industry and has in a way caused a bit of, I would say, loss of trust on the part of users, something that we’ve been in different industries and in different ways. Routing suffers from something in a way similar, if you will. Route hijacking is probably one of the most well-known effects on attacks on the routing system where an autonomous system publishes a network it shouldn’t, or it doesn’t have authorization to do so. Recently, we have witnessed some instances of internet instability due to hijacks or to a related situation called route leaks where there is a network within the internet that announces some prefixes, but it cannot fulfill the promise of actually carrying the traffic to the destination. It usually happens when a small network announces the whole routing table of the internet and it basically cannot transport all the traffic that every other network starts sending through it. So, as it was mentioned previously, security on some of these protocols was in a way an afterthought. These protocols were created when the internet was a much, I would say, naive place and some security had to be, I would say, backported into them. DNS, for DNS we have the DNS security extensions or DNSSEC, which introduced this. digital signatures within the DNS responses. And this allows a resolver to actually verify a response. This is, of course, not supposed to be a complete explanation of the NSA. This is just the general idea. And RPKI does a similar thing for routing. Again, there is some cryptography introduced into the BGP protocol and some additional decision points that are introduced in the BGP algorithm that allows a router based on some signatures, which I’m going to call ROAS because that’s the name they have, allows a router to make a decision on whether route is a correct one or not. So again, this is RPKI particularly has a lot of complexity that I’m not describing and I don’t have the time to get into, but there’s a lot of documentation in their internet. So a few considerations regarding, for example, the use of cryptography within these protocols. Some people have the misconception that every time you use cryptography is to ensure encryption or ensure secrecy in a way. Both RPKI and DNSSEC make heavy use of cryptography, but they not encrypt messages. They are not intended to provide privacy per se. Maybe privacy is a consequence of implementing these protocols, but they are not. Cryptography in DNS and RPKI is not used for providing secrecy. What is it used for? Cryptography here is used for authenticating and verifying signature chains that ensure either a correct DNS response or a correct BGP announcement. There is a slight difference between them. A PKI requires a well-defined PKI or a public key infrastructure with a trust anchor and CRLs, all the complexity that comes with a PKI. The RIRs have taken the role of operating the trust anchors of this RPKI. On the other hand, the NSSEC uses a simpler chain of trust because it can depend on some features that the DNS already has, for example, the tree-like structure. These technologies are basically useless unless the community, I would say, realizes that there is a shared responsibility here. In both RPKI and DNSSEC, there is a function, which is the signing, either of the DNS or the routes, and the validation. And both are necessary. Signing becomes useless if no one validates, and the other way around. If you’re validating but you have nothing to compare these signatures with, again, it’s useless. And there’s a shared responsibility here. And this is probably my, if you remember one thing of what I’ve been saying, please remember that the message of shared responsibility, in this case, it’s something that we need to get across the industry. Regarding quantum, the previous panelists mentioned that security was sort of an afterthought, and that’s completely true. And there’s a silver lining to it, which is that this afterthought was implemented in the form of an overlay. The core protocol remains unchanged. And there is, I would say, a layer of. cryptography applied over it. The cryptography here didn’t exist before. It was added afterwards. And it was added in a way that can be replaced. There’s a term that is technically used here, which is algorithm agility. And all this, both the NSAIC and RPKI have algorithm agility built-ins. So eventually, when a post-quantum cryptographic algorithm is designed or is standardized, it will be positively applied to both the NSAIC and RPKI. I don’t have it here in the slide, but I have another thing that I would like to mention, which is that I have a strong position on initiatives that point towards weakening of cryptographic algorithms. They’re having some discussions in governments and other fora regarding the necessity of weakening or providing backdoors to algorithms. And I think that would be a very poor decision to implement something like that. So that’s all I have for now. Thank you.

Moderator – Carina Birarda:
Thank you very much, Carlos, for your presentation. Very clear. I am thinking the same. I am support very strongly. And the third panelist is Maria Luque. She’s online. Maria, the floor is yours.

Maria Luque:
Good morning, everyone. Good morning from Madrid, actually. Very glad to be here with you today. It’s 2 AM in the morning in Madrid. And today, it seems that we are going to speak about software. It’s a key point of our discussion. So give me a second to find my presentation, see if I can share my screen. Okay. Can you see it? Yes. Perfectly. Okay. I take it as a yes. So, we’re starting today. I was saying that we were speaking about software, and software is at the core of my presentation about quantum security. First of all, I am Maria Llocke, and for the past three years, I have been working on quantum security. Software is at the core of my presentation about quantum security. First of all, I am Maria Llocke, and for the past 10 years, I have been advising national governments, local government agencies, and mostly in Spain and in the European Union on what to do with emerging technologies, for example, new technologies, space connectivity, or quantum technologies, and how to do it so that whatever we do with these technologies can benefit society in great ways. So I’ve also been working with quantum organizations, quantum startups, and national quantum strategies for the past three years, and I’m very glad to be here. So, the focus of today. Today, for me, we have a challenge, and the challenge is understanding how quantum technologies are going to disrupt not only cybersecurity, but our entire conception of how we process and how we store and how we communicate information. As you may have probably seen in the media, the protagonist is quantum computing. Now, its potential is immense to bring about new solutions to all challenges, computational or not. But once it is live, it will somehow imply that our current cryptographic systems are unsafe and won’t be able to safeguard our privacy. So let’s try to understand today in 10 minutes. how to look at the quantum threat and how to take advantage of quantum to actually be quantum safe. Now, we’re in the IGF, and the IGF’s motto this year is an internet for everyone. An internet for everyone is possible through universal access and privacy. And the fact that our communications can be kept secret is the base of our integrity as individuals and as nations, of course. And to keep the confidentiality of our online interactions, we trust what we call cryptographic algorithms, what Carlos was speaking about. And this trust is built on something we call computational harness assumptions. The fact that they will be able to withstand a cyber attack no matter what. But the truth is that a breakthrough in cryptanalysis can make the system vulnerable in one night. Now, we all know of a company who suffered a cyber attack in the past three or four months. And as my mates were saying, when it’s not a cyber attack on a company, it’s a cyber attack on a national health system or a security infrastructure. We do live in cyberspace. Thanks to 5G, among others, of course, we rely each time more on cyber physical systems, such as IoT, the critical infrastructure, and the web. And the more digital our infrastructure is, the more attack vectors we have to withstand. And each domain is vulnerable in its own very unique way. For example, as Carlos was saying before, critical infrastructures depend on scarce systems that are normally very outdated. IoT environments have very limited computing resources by design and very limited security schemes by design. as my mate, Buddha Nadir was saying. And also when we’re speaking about the internet and telecom networks, we are shifting subtly to our software defined networks, meaning that they will be more susceptible to cyber attacks. So we can say in a way that the cryptographic systems that protect our data infrastructure are shaky ground. Today, we can really say that they are a weak point to watch. And during the past decades, we’ve discovered quantum algorithms. Quantum algorithms with a crypto analytical potential that can break the cryptographic techniques that we use today to protect our data. We just need quantum processor that are big enough to run them. Quantum processors, meaning quantum computers. A new type of computing device, you’ve heard about it, that is capable of performing very specific calculations. Some of which are actually intractable by current classical computers. And quantum computer is truly a game changer. Uses the principles of superposition and entanglement, whatever they mean, to change the way we store and process information. And while large scale quantum computers are not a reality, they’re not available yet, of course. The fact is that creating a strong computer, quantum computer, can accelerate our process of solving the schemes we use in public key cryptographic algorithms to protect our data. I’m gonna give you an example. Thanks to a quantum algorithm like Shure, we could store RSA encryption. And this can break and destabilize us. And it’s not about data breaches. And it’s not only about financial loss. It’s about losing the integrity of digital documents, all of them, losing the sanctity of our personal data. data and losing control over the health and the financial systems that keep us together. And the truth is that we don’t have to wait for quantum computing to come because by harvesting now, decrypting later, which I assume you’ve heard a million times by now, someone can store encrypted information to decrypt it once quantum technology becomes more advanced. And this means that the impact of quantum computing truly started yesterday, as we can say. Now the paradox is that quantum can also give us the key back to our integrity. And in fact, quantum technologies and some classical techniques are the bet of the tech industry and governments when it comes to cybersecurity in the future to come. Now today, as you can say in the presentation, we’re going to focus, we don’t have time, we’re going to focus on the tools we are developing today to be quantum safe in the short term and in the midterm. The first one is post-quantum cryptography, Karloff was talking about it before, and the second one is quantum key distribution. Now let’s focus on the solution that we have more at hand. We were saying that encrypted communication that is intercepted today can be decrypted in the future by a quantum computer that is strong enough. Now post-quantum cryptography, what it offers to us is new classical algorithms that we believe to be secure against a quantum threat. There’s nothing quantum in these algorithms, but we have seen computational hardness that can withstand the brute force of a quantum computer that tries to decipher it. PQC is software. PQC is a short-term solution. We’re making an effort. to standardize them, guided by the NIST from the U.S. And also you probably heard of them, there’s Kyber for secure key exchange, and there is Lithium, Sphinx, and Falcon for digital signatures. And the interesting thing here, talking about best practices, is that the tech industry can enforce these algorithms into the solutions they offer to us today, even though they haven’t been standardized. And in fact, they do this, which is interesting, for example, for government agencies that use technologies in the cloud or store sensitive data on the cloud. Here we’re gonna see a couple of examples of major tech companies taking a hybrid approach via the cloud. For example, AWS has a cloud commercial environment, but it allows you to apply this algorithm Kyber within your security shell, and that’s nice. Google has started combining classical cryptography algorithms with potential quantum resistant algorithms for the FIDO2 standard, which is the standard that you use to authenticate yourself when you initiate your session on a website. And Cloudflare, for example, has done something that’s more or less the same, right? So PQC, what I want you to get from this is that it requires new software stacks. It can be started, it can be implemented starting now. And due to the comparatively low cost doing that, the private sector can take the lead, guided by standard, but it can take the lead. Now, we get to QKV, which is a crown jewel to me, is my favorite. QKV, quantum key distribution, can be the midterm solution to the quantum threat to cybersecurity. It is hardware-based, it is not software. base. Now QKD uses the principles of quantum mechanics to establish a shared secret random key between two parties that have a secure communication channel and alerts you of any eavesdropping attempts. Now for QKD, what I want you to imagine, because we love to talk about the quantum internet but we’re not close to that, what I’d like you to imagine for QKD is an entire infrastructure like those of the ISPs of the internet, tier 1, 2, 3 for telecom networks, by using quantum information processing techniques. That is a quantum network and if we are successful in implementing quantum networks we’re going to have unhackable networks for secure communications. Now I’m optimistic about the future of QKD but it’s definitely not a stable pallet and there are many challenges to solve before it’s deployed at scale. It’s a bumpy road for a start and it is very costly. QKD is a moonshot because we need to have entirely new infrastructures for secure communication. There is still these limitations, for example if you have a quantum network that is hyper big you will probably, I mean your quantum states of the photons can be degraded and the information maybe cannot make it, so we have to work on that. Also these quantum networks, they have to be integrated in classical telecom networks because that’s the interesting thing that we can go about and it requires compatibility, it requires us to work on interoperability and this is such a technical challenge. And also scalability and the potential for the service to work 99% of the time. Why? Because quantum networks are going to be designed for the first use case to be secure government communications. It’s going to be defense, it’s going to be intelligence and they need to work. But the thing is, despite the limitations, I want you to understand that Quantum networking is starting to work. We can see that in Madrid, in the Madrid quantum communications infrastructure, because it is able to send info over a radius of 40 square kilometers. We can also see that in New York with Connect and the NYU, because they have a quantum network that actually works. And also in China, you already seen the news, they’re very good at doing ground segment to space segment communication with quantum teleportation. So with QKD, we have PQC for the short term. With QKD, the investment needs to be very big and very continued, and only nations and federations can kickstart design and deployment of these technologies. For example, the European Commission has the Euro QCI program, and the strongest use case, as I was telling you, is secure government communications. Now, I have one minute for this. What I want you to get from this presentation is that, of course, there is a threat that may come with quantum computer in 10 to 15 to 20 to 25 years, but there are things and techniques that we can implement, standardize, and use together in a phased approach in this 20 years till quantum computing comes. The first one to me is going to be PQC, because it’s classical and we can do it now. The second one is going to be quantum networking. And the end game is going to be full deployment of quantum communication infrastructure networks, and also quantum computer, the quantum internet, sensors, computers, everything connected protecting your data. So, taking this into mind, how can we participate in- making this happen, we can do many things, right? But first of all, for me, is always thinking about yourselves and think about yourselves means that you have an organization, you need to think about how we can be quantum safe. And the way you can do this is understanding what you have in terms of information architecture, not that we were used to mix on premise and cloud services to house and communicate your data, understand which infosecurity scheme you’re following, your level of encryption, as Carlos was saying, is it robust, is it not? Have an inventory of your cryptographic algorithms and also see how much you can invest in your transition to quantum security. If you’re a small organization, you may get to BQC and that’s all for the next 10 years. If you are a stronger, bigger organization, maybe you can also try to understand how to engage in quantum communication networks. The industry is already busy working in interoperability and compatibility together with governments for PQC and also for quantum networking. The governments are already launching national strategies and engaging quantum solutions into their cybersecurity strategies. For example, the European Union is working on this right now. There is some box in PQC and QKD to have software stacks, to have hardware that actually works. And for the IEF community and I’m counting me in the IEF community, I would tell you that quantum is still a mystery to most of us in the policy community. So what I think we need is to engage, we need to learn, we need to study this, we need to understand this, we need to create spaces for discussion and engagement. I think it’s on us to introduce something else beyond policy thoughts on how to collaborate and then some that is. standardize these technologies. And also, let me finish with this. I think that quantum technologies bring both light and darkness to our lives, because our lives are digital. And that our privacy is our health, is our identity. And the digital rights of the people cannot be lost in translation in a global race towards being quantum safe and hackable that no one understands. So I hope we can work together on this. And thank you very much for listening.

Moderator – Carina Birarda:
Thank you very much, Maria, for your presentation. And we thank you for sharing your ideas. And we invite you to ask questions, to have an interactive session. And Olga is our next panelist. The microphone is yours.

Olga Cavalli:
Thank you both. Thank you. Thank you for inviting me. This is extremely interesting. And I have a question for the experts once we have the questions and answers as part of the session. Thank you for inviting me. I would like to bring to you a different perspective now, first from the capacity building concept and then from the public policy concept. First, let me tell you, my name is Olga Cavalli. I am a university teacher at University of Buenos Aires. I teach internet infrastructure and telecommunications infrastructure, which is where I have worked most of my first stage of my career. Then for 20 years, I’ve been working in public policy in Ministry of Foreign Affairs. I’m now in the Secretary of Innovation in Argentina. Presently, I am the National Director of Cybersecurity. So I want to bring you some ideas from these two perspectives. The school was created 15 years ago because we realized that the participation of Latin America in all these dialogue spaces where the policy related with the internet are defined was very scarce, was few and was perhaps not so much relevant prepared to participate in dialogues and comments and shaping the policies that are totally different from perspective from Latin America to other regions. Latin America has a different challenge from other regions. It’s extremely unequal in relation with economic distribution, infrastructure distribution. So our problems are not the same like other regions. So this is why we created this space, to train professionals at any age, and any background is welcome, whether technical, policymakers, journalists, lawyers, in order to learn all the rules that make the Internet work and how to participate and understand the problems and challenges that Latin America has. We have been doing that for 15 years, and for the first time this year we went out from big cities. We rotate among the Americas, and we had one totally focused on cybersecurity in the venue of the Organization of American States. That was very interesting. This year, for the first time, we went away from big cities and we went to a city inside one state in Brazil, the city of Campina Grande, with 400 fellows. So you can find information in our website, governanceinternet.org. And what I would like also to talk about is the extremely fast pace of the adoption of ICT technologies by human beings. There are different estimations. Maybe Nico will know more details about that. I had a report from Ericsson that next year we will have 22,000 million of IoT devices, and then I found another one from Cisco saying that the number will be 50,000. So the difference is interesting, but I think that the amount of devices is enormous compared to what we have been dealing with up to now, which is a reasonable number of devices per person. Considering that the population of the world is 88,000 million people, the pace of adoption of all these digital infrastructures, especially the new ones, is very, very fast. It’s much, much faster, five times faster than electricity and telephony. Much, much faster. Also, it was already mentioned by Wode and colleagues that most of these technologies were not designed with concept of security from scratch. They were designed in a different environment, in a different time, and with different ideas. So that’s, it’s extremely challenging. And I would like to consider now some public policy that we have been implementing in Argentina, although I am participating here as an academic, I have a public policy role. So I want to tell you what we have been doing in Argentina. Our role in the national government, we have a target, which is the national administration. So for that, there is a resolution that establishes minimum requirements of cybersecurity for them. What they have to do, they have to prepare a security plan. They have to share it with us. We have a database with all the security plans. And the most important thing is that they must design, assign a one focal point. That focal point is in contact with us in a permanent basis. We provide training for them every month and sometimes more frequently with news about technology and also we share with them all the vulnerabilities that the national assert that depend on our administration also can detect. We share with them all this information on a daily basis. If they have an incident, they have to share that with us and the national assert and our experts can help them. And this communication and this establishment of the security plans and the communication is mandatory for them. So there is a binding resolution. It’s not that voluntary or aspirational, but it’s mandatory for them. Also, we have developed a manual on what to do if they have an incident. So it describes the different stages that they have to go through. they have an incident. And I think that that would fit into the question about best practices and also the public policy that I mentioned to you. Also, we have published the new or approved the new cybersecurity strategy for Argentina. This is the second one that was produced after a public comment period during the month of January this year. And let me check if I’m forgetting something. That would be all that I want to share with you. I have a question for Maria, for Wout and for Nico. What I see now, it’s an increasing gap and challenging for developing countries, especially for small and medium enterprises in catching up with all these new changes in technology. And I see this gap really being very, very big, not only because of understanding technology, but also about buying it. It’s extremely expensive. And in some countries, we have some restrictions for import some products and some hardware. And also the lack of human resources that we all know that it’s a big challenge for all countries, not only for developing countries, but also for developed ones. But some human resources go away. Like my son is living in Europe because he was captured by a company that thought that he was very well prepared. So he was trained in Argentina in a public university and now he’s working in another country, which is good for him, but maybe not good for developing economies. Just an example of the challenge that we are facing. And looking at all these quantum technologies that are being developed, how do you see the small and medium enterprises or developing countries catching up with this changing, fast changing technologies that will be used and will be implemented very quickly? Thank you. I did two things. I spoke and then the question.

Moderator – Carina Birarda:
Thank you very much, Olga. We have only seven minutes for questions. If you want to answer the questions, this is okay. Yes, Olga? Yes, yes, go ahead. Let me see. Mohamed, do you have any questions in the chat? No, no, we don’t have any questions yet.

Nicolas Fiumarelli:
Yes, maybe I could accumulate one question, and we could, the panelists could respond as well. Because you all talked about different technologies. It’s known that the IOT number of devices is increasing. And in the case of the quantum computing, it’s already been developed. And also, ICT is not showing, deploying the best practices for security in every service. And as Olga said, it’s so expensive to have all of this. So, yes. So my question is, do you think that, also in the case of RPKI and DNSSEC, do you think that law enforcing these technologies is a good way to go? What are the threats or the risks, maybe commercial risks, in having this? Why are we not having this as a mandatory thing in the case of DNSSEC and RPKI for the networks? In the case of the IOT security standards made by the IETF, sometimes for these constraint devices, there are solutions already in standardizing the entities. And also for ICT, right? Why this is not like quantum resistant algorithms that we are seeing in the core Internet? Why these technologies are not applied for all the ICTs by a mandate, by a law enforced thing? Maybe if you want to have two minutes. per panelist to try to respond and also accumulate on the other questions we have had from Olga and the rest of the panelists. Thank you. Maybe starting with Carlos, then yes.

Carlos Martinez:
Those were a bunch of questions in a single one. I will try to make a couple of points. I personally don’t believe that mandating technology is a good idea and I’ve seen many examples where that has failed. That said, I think the situation for DNS second RPA is vastly different than the situation from IOT. IOT has a serious issue with cost, with cost per device. There’s a race to the bottom in cost per device because since you have so many million devices, it makes sense to have the cheapest device that you can actually manufacture. There’s a race to the bottom that this certainly doesn’t help in developing new technologies. DNS second RPA, I think there’s a difference there. I think one of the issues that the internet has faced over the year in deploying many new technologies, it happens for IPv6 as well, is that the thing that mainly affects in the internet are externalities. Those are things that you as part of the internet have to do at your own cost on behalf of another party to benefit another party. Sometimes that is commercially a hard sell. I think that’s what has been one of the barriers in deploying new technologies on the internet. I think there’s two different phenomena there that need to be addressed differently. You mentioned about why you’re not seeing post-quantum algorithms being applied. In my opinion, I mean, the post-quantum algorithms that have been proposed so far are less than satisfactory. They’re basically variations of elliptic curve algorithms with very, very long keys that are simply not practical. I mean, they exist, but they are not practical. They would create these huge signatures that are a threat in themselves. So sorry, I think I took more than two minutes. Sorry about that.

Nicolas Fiumarelli:
So now going to Maria, two minutes, please, and then Olga.

Maria Luque:
OK. OK, so thank you very much, Olga, for your question. I think it’s very interesting, and I would like to expand on this with you for an hour and a half. Regarding what you say about BIMES, basically, like small companies faced with the challenge of trying to keep up with these quantum technologies and all of the buzz that comes with it, and also with something very interesting, because in Spain, for example, we have the National Security Scheme, which was updated on October 2022 last year. And it doesn’t speak about quantum yet, but the standards that it enforced for information security are very high. It talks about, for example, multilevel security schemes, and it talks about path for hardware, et cetera. And I can see this strategy, for example, in Spain being updated with PQC requirements and best practices. And the thing here, although I don’t like it and I don’t think it’s positive, the thing here is that a small company, given that normally a small company, if it’s a tech company or a normal company, they rely on the infrastructure of big tech companies. And that infrastructure providers, to serve themselves, they don’t have problems. proprietary technology architecture scheme. So they rely on AWS, Microsoft Azure, they rely on Google. And these companies are going to be able to offer this solution that Carlos and I don’t like very much, which is PQC algorithms inserted in the cloud as an option for you to try to make your data safer in the place that it is. So this is going to be the option in the next five to 10 years for small companies, although I don’t like it, but I can see it as a way. And also regarding national quantum strategies for developing countries and for any country in general, I can tell you that the tendency is to be very, try to be very specialized and try to prioritize the one thing that you think you can invest in. For example, you can see that in the European Union, everybody’s very ambitious in the European Union, every country, but what we see is, for example, Spain says, hey, we have, we’re very good at optics. We’re very good at, we have very good mathematicians. So we’re going to go for developing quantum algorithms and we’re not going to invest so much on quantum computer because maybe we don’t have the resources, right? So different countries are trying to understand which role they can play in the quantum supply internationally. And it can be betting on talent workforce. It can be betting on developing algorithms or it can be betting on theoretical physicists. It really depends and it’s a challenge for every country and I would love to expand on it more with you. Thank you.

Olga Cavalli:
Thank you, Maria. I take your word of expanding this in among us. I may, I may get. touch with you. So it’s interesting what you said first about that the most important companies in the world will develop some technologies that others will start using, which is true and which is happening now perhaps with cloud computing and other technologies. My fear is that developing economies and small and medium enterprises will be just consumers of technologies developed elsewhere, mainly in the States and China, which are the main poles where all these technologies are being developed now. But that’s something that we can change with capacity building and awareness. And I’m always positive about technology. So I think that we have to go in that way. Thank you. Thank you for inviting me and for comments and Maria Carlos and both the left. Thank you.

Nicolas Fiumarelli:
Okay. Thank you so much. So we are ending the session here. Good insights about the law enforcement. Maybe it’s not the solution, but the capacity building and awareness are there. And we need to be in the loop, in the loop of what is happening regarding requirements on the national agencies and all these entire world of different technologies are approaching. So thank you so much to all the panelists and see you next year in hopefully with new news about these technologies. Thank you so much. Thank you very much. Thank you very much. Have a great day.

Carlos Martinez

Speech speed

143 words per minute

Speech length

1822 words

Speech time

763 secs


Arguments

Importance of DNSSEC and RPKI to secure the core of the internet

Supporting facts:

  • The DNS and routing, or the ability of the network to deliver a packet to the proper destination, are three necessary functions for a properly functioning internet.
  • DNSSEC and RPKI are security protocols that use digital signatures to verify DNS responses and BGP announcements respectively
  • Both DNSSEC and RPKI have a shared responsibility between signing and validation


Both DNSSEC and RPKI are prepared for a potential post-quantum scenario

Supporting facts:

  • Both DNSSEC and RPKI have algorithm agility built-in
  • When a post-quantum cryptographic algorithm is standardized, it can be applied to both DNSSEC and RPKI


Mandating technology is generally not a good idea

Supporting facts:

  • Mandating technology has failed in past instances
  • Issues with cost and benefit discrepancy in IOT and DNSSEC/RPA
  • Post-quantum algorithms proposed so far are less than satisfactory


Report

The discussion centres around the vital role of DNSSEC (Domain Name System Security Extensions) and RPKI (Resource Public Key Infrastructure) in securing the fundamental structure of the internet. These security protocols are instrumental in safeguarding the integrity and authenticity of DNS responses and BGP (Border Gateway Protocol) announcements, respectively.

DNSSEC and RPKI operate by utilising digital signatures to verify the legitimacy of DNS responses and BGP announcements. This verification process ensures that the network delivers data packets to the correct destination, maintaining the proper functioning of the internet. The speakers unanimously recognise the crucial importance of DNSSEC and RPKI, highlighting their shared responsibility in both signing and validation processes.

On a related topic, there has been a debate concerning the potential weakening of cryptographic algorithms and the inclusion of backdoors to enable access. However, Carlos, one of the speakers, expresses a negative sentiment towards this notion. He asserts that such actions would be unwise, potentially compromising the security of cryptographic systems.

This viewpoint aligns with SDG 16, which focuses on ensuring peace, justice, and strong institutions. A positive aspect discussed is that both DNSSEC and RPKI have algorithm agility built into their design. This feature ensures that they can adapt to incipient post-quantum cryptographic scenarios.

Consequently, when post-quantum cryptographic algorithms are standardized, they can be effectively incorporated into DNSSEC and RPKI, providing continued security measures against quantum threats. The debate also encompasses the challenge of mandating technology, with the speakers highlighting instances where such endeavors have proven unsuccessful.

They note the issues surrounding cost and benefit discrepancies, particularly in the context of the Internet of Things (IoT) and DNSSEC/RPKI implementation. Furthermore, while post-quantum algorithms have been proposed, they have not yet achieved a satisfactory level of performance.

In conclusion, the speakers collectively emphasize the importance of DNSSEC and RPKI in securing the core infrastructure of the internet. Their positive sentiment towards the efficacy of these protocols underscores their significance in maintaining a properly functioning internet. Nonetheless, there is a negative sentiment towards weakening cryptographic algorithms, highlighting the potential risks associated with such actions.

The speakers also acknowledge the need for flexibility and tailored approaches when addressing different technologies, rather than enforcing a one-size-fits-all mandate. Ultimately, this discussion highlights the ongoing challenges and complexities associated with internet security and the need for continued research and adaptation to effectively counter emerging threats.

Maria Luque

Speech speed

158 words per minute

Speech length

3182 words

Speech time

1205 secs


Arguments

Quantum technologies, especially quantum computing, pose both significant challenges and opportunities in terms of cybersecurity

Supporting facts:

  • Quantum computing has the potential to break our current cryptographic systems and expose confidential information
  • Technologies like Post-Quantum Cryptography (PQC) and Quantum Key Distribution (QKD) are being developed to combat this threat
  • PQC, while not yet standardized, can be applied today and is software-based, while QKD is hardware-based and might serve as a mid-term solution


Small tech companies rely mainly on the infrastructure of large tech companies when it comes to meeting the challenges of quantum technologies

Supporting facts:

  • Small companies generally use platforms like AWS, Microsoft Azure, Google, etc.


Despite being not favourable, PQC algorithms inserted in the cloud will be the optimal solution for small companies to secure their data in the next five to 10 years


Different countries should focus on their strengths and specialties when it comes to planning their national quantum strategies

Supporting facts:

  • Spain chooses to invest in areas they excel at such as optics and mathematics


Report

Quantum technologies, specifically quantum computing, present challenges and opportunities in terms of cybersecurity. The concern is that quantum computing has the potential to break current cryptographic systems and expose sensitive information. To combat this threat, researchers are developing technologies like Post-Quantum Cryptography (PQC) and Quantum Key Distribution (QKD).

PQC, although not yet standardized, can be applied today as a software-based solution, while QKD requires substantial investment and the creation of new secure communication infrastructures. It is argued that governments and the technology industry need to continuously and significantly invest in quantum technologies to ensure data security in the face of the quantum threat.

QKD, in particular, requires high investment and the establishment of entirely new infrastructures for secure communication. On the other hand, tech companies have already started implementing PQC into their solutions, showing their recognition of the need to adapt to quantum technologies.

Organizations also need to assess and adapt their information security structures to prepare for the quantum threat. They should understand their information architectures, level of encryption, and capabilities necessary for transitioning to quantum security. The approach for organizations may vary depending on their size, with smaller ones potentially adopting PQC and larger ones engaging in quantum communication networks.

For small tech companies, the infrastructure provided by large tech companies like AWS, Microsoft Azure, and Google is crucial for addressing the challenges posed by quantum technologies. These platforms serve as a foundation for smaller companies to navigate the complexities of quantum computing.

Deploying PQC algorithms in the cloud is considered a potential solution for securing data for small companies in the next five to ten years. Despite not being favoured by some, it is argued that deploying PQC algorithms in the cloud offers optimal data security for small companies.

However, there is debate regarding this approach, with some opposing the practice for maintaining data security. Countries are encouraged to focus on their strengths and specialties when planning their national quantum strategies. For example, Spain has chosen to invest in areas where it excels, such as optics and mathematics, to drive its quantum technology development.

In conclusion, quantum technologies pose both challenges and opportunities in cybersecurity. Addressing the quantum threat requires significant investments in quantum technologies, assessments and adaptations of information security structures, and consideration of alternative solutions like deploying PQC algorithms in the cloud.

Additionally, countries should strategically focus on their strengths and specialities to plan effective national quantum strategies. Ongoing research and discussions are needed in this rapidly evolving field.

Moderator – Carina Birarda

Speech speed

114 words per minute

Speech length

644 words

Speech time

340 secs


Arguments

There has been a significant increase in cybersecurity incidents at the international level.

Supporting facts:

  • Global interconnectivity is a key factor behind this trend.
  • Emergence of sophisticated criminal activities like crime as a service


Adoption of internationally-recognised cybersecurity best practices is a fundamental challenge

Supporting facts:

  • Just a few number of organizations practice these standards
  • The lack of adoption is a global issue


Cybersecurity is a global issue that necessitating international collaboration for combating it

Supporting facts:

  • Cyberattacks do not respect borders or jurisdictions.
  • Information sharing in international level is imperative.


It is essential to understand the threats we are facing for proper implementation of cybersecurity practices.

Supporting facts:

  • By understanding threats that IoT, web, quantum technologies are facing, best practises can be selected.


Report

This extended summary highlights the main points and arguments presented in the given information on cybersecurity. It also provides more details, evidence, and conclusions drawn from the analysis. The first argument states that there has been a significant increase in cybersecurity incidents at the international level, which is viewed as a negative trend.

This can be attributed to the global connectivity that has become a key factor behind this increase. Additionally, the emergence of sophisticated criminal activities, such as crime as a service, has further contributed to the rise in cybersecurity incidents. The supporting evidence for this argument is the fact that cyberattacks are often conducted by actors in multiple countries, indicating the global nature of the issue.

The second argument emphasizes the fundamental challenge of adopting internationally-recognised cybersecurity best practices. It is highlighted that only a few organisations currently practise these standards, and the lack of adoption is a global issue. The evidence supporting this argument includes the observation that just a small number of organisations implement these best practices, indicating a need for widespread adoption to enhance cybersecurity at both national and international levels.

The third argument stresses that cybersecurity is a global issue that necessitates international collaboration for effective mitigation. The fact that cyberattacks do not respect borders or jurisdictions is put forward as evidence for the need for international cooperation. Additionally, it is stated that information sharing at the international level is imperative for combating cybersecurity threats.

This argument highlights the importance of collaboration between countries to establish a robust global cybersecurity framework. The fourth argument suggests that understanding the threats facing IoT, web, and quantum technologies is essential for implementing proper cybersecurity practices. By gaining a comprehensive understanding of these threats, appropriate best practices can be selected and implemented.

The evidence supporting this argument is the observation that proper implementation of cybersecurity practices can only be achieved by addressing the specific threats posed by emerging technologies. In conclusion, the extended summary highlights the increasing number of cybersecurity incidents on an international scale as a negative trend.

The adoption of internationally-recognised cybersecurity best practices is identified as a fundamental challenge, with only a small number of organisations currently practising these standards. It is established that cybersecurity is a global issue requiring international collaboration for effective mitigation. Understanding the specific threats posed by emerging technologies is emphasised as crucial for implementing proper cybersecurity practices.

Overall, the analysis underscores the need for international cooperation and comprehensive measures to address the growing cybersecurity challenges.

Nicolas Fiumarelli

Speech speed

158 words per minute

Speech length

380 words

Speech time

145 secs


Arguments

Enforcing the adoption of technologies like RPKI, DNSSEC, IOT security standards, and quantum resistant algorithms via legislation

Supporting facts:

  • Increasing number of IoT devices
  • Development of quantum computing
  • Existence of security standards made by IETF for IoT devices
  • The cost of implementing advanced technologies is high


Report

During the discussion, the speakers emphasised the necessity of implementing security technologies, such as RPKI, DNSSEC, IoT security standards, and quantum-resistant algorithms, through legislation. They pointed out that the rising number of Internet of Things (IoT) devices and the advancements in quantum computing pose significant security risks.

These risks can be mitigated by the adoption of robust security measures. The speakers also highlighted the existence of security standards developed by the Internet Engineering Task Force (IETF) specifically for IoT devices. These standards provide guidelines and best practices to ensure the security of IoT networks and data.

However, one speaker questioned why these security technologies are not universally enforced in all Information and Communication Technology (ICT) systems through legal obligations. It was acknowledged that the implementation of advanced security technologies comes with a high cost. This cost may pose a challenge to widespread adoption.

Nonetheless, the importance of safeguarding critical infrastructure and personal information against cyber threats and data breaches justifies the investment in these technologies. Overall, the sentiment during the discussion was neutral, indicating a balanced examination of the topic. The speakers’ arguments and evidence provided a comprehensive understanding of the urgency to implement security technologies, alongside the challenges associated with their implementation.

The discussion aligned with SDG 9: Industry, Innovation and Infrastructure, as it emphasised the need for secure and resilient ICT systems to support sustainable development. Through this analysis, it becomes evident that the adoption of security technologies through legislation should be encouraged and prioritised.

This will help ensure the protection of IoT devices and networks, while also addressing the growing threat of quantum computing to traditional encryption methods. Additionally, the development and enforcement of security standards can play a crucial role in enhancing cybersecurity practices across various industries.

In conclusion, the discussion underscored the significance of deploying advanced security technologies and standards to safeguard ICT systems. Although challenges such as high implementation costs exist, the speakers highlighted the urgency to address these concerns and apply security measures throughout the industry.

By doing so, they aimed to emphasise the need for a comprehensive approach to cybersecurity, simultaneously addressing both technological advancements and legal enforcement.

Olga Cavalli

Speech speed

151 words per minute

Speech length

1399 words

Speech time

555 secs


Arguments

Latin America faces unique technological and internet infrastructure challenges due to economic and distribution inequalities

Supporting facts:

  • Olga Cavalli is a university teacher at University of Buenos Aires, teaching internet infrastructure and telecommunications infrastructure
  • She works in public policy in Ministry of Foreign Affairs
  • She’s currently the National Director of Cybersecurity


Latin America needs to increase its participation in policy dialogues related to internet, as it’s different from other regions

Supporting facts:

  • Cavalli helped in creation of a training program for professionals to learn the rules of the Internet, understand its challenges and to participate more in policy dialogues


The pace of ICT and IoT adoption is very fast, likely leading to increased vulnerabilities due to lack of initial security designs

Supporting facts:

  • There are estimates that there will be 22,000 million to 50,000 IoT devices next year


Argentina has implemented several cybersecurity policies for national administration

Supporting facts:

  • In Argentina, there’s a binding resolution that the national administration must prepare a security plan, assign a focal point for contact and share information in case of an incident
  • A manual has been developed for them on what to do in the event of an incident
  • New cybersecurity strategy has also been approved


Expresses concern over developing economies and small to medium enterprises being consumers of technologies developed elsewhere

Supporting facts:

  • The most significant technology companies, such as AWS, Microsoft Azure, Google, are expected to provide solutions based in technologies like PQC algorithms and cloud computing
  • Countries like Spain specializing on certain aspects of quantum technology development due to lack of resources


Report

Latin America faces unique technological and internet infrastructure challenges due to economic and distribution inequalities. These challenges stem from the disparities in wealth and resources within the countries of the region. As a result, access to and the quality of technology and internet infrastructure vary greatly across Latin America.

To address these challenges, there is a need for increased participation in policy dialogues related to the internet in Latin America. Olga Cavalli, a university teacher at the University of Buenos Aires, has played a key role in creating a training program for professionals to learn about the rules of the Internet, understand its challenges, and participate more actively in policy dialogues.

This initiative aims to empower Latin American countries to have a stronger voice in shaping internet policies that are suitable for their specific needs and circumstances. Furthermore, the rapid adoption of Information and Communication Technology (ICT) and Internet of Things (IoT) devices in Latin America has raised concerns about increased vulnerabilities due to the lack of initial security designs.

It is estimated that there will be between 22,000 million to 50,000 IoT devices in the region next year. The fast pace of adoption leaves little time for proper security measures to be implemented, which could lead to potential breaches and threats in the future.

Argentina has taken proactive steps in addressing cybersecurity concerns. The national administration has implemented binding resolutions that require the preparation of a security plan, the assignment of a focal point for contact, and information sharing in the event of a cyber incident.

Additionally, a manual has been developed to guide the national administration on how to respond to such incidents. A new cybersecurity strategy has also been approved, showcasing Argentina’s commitment to ensuring security in the digital realm. Developing countries and small to medium enterprises (SMEs) face significant challenges in keeping up with rapid technological changes.

These challenges include restrictions on importing certain products and hardware, as well as a lack of human resources, as trained professionals often migrate to developed countries in search of better opportunities. The combination of limited resources and a lack of technical expertise hampers their ability to understand and afford new technologies, creating a widening technology gap.

Moreover, developing economies and small to medium enterprises are often consumers of technologies developed elsewhere, which raises concerns about the global technology gap. While major technology companies like AWS, Microsoft Azure, and Google are expected to provide solutions based on emerging technologies like Post-Quantum Cryptography (PQC) algorithms and cloud computing, developing economies and SMEs rely on these technologies without actively contributing to their development.

This dependence on technologies developed elsewhere puts them at a disadvantage. To address these challenges, capacity building and awareness are advocated as essential measures. By investing in the development of local technological capabilities and creating awareness about the importance of technology, Latin American countries can reduce their reliance on technologies developed by other countries.

This would help narrow the global technology gap and allow them to actively contribute to technological advancements that suit their specific needs. In conclusion, Latin America faces unique challenges in technological and internet infrastructure due to economic and distribution inequalities.

Increasing participation in policy dialogues, addressing cybersecurity concerns, and bridging the technology gap are crucial steps towards creating a more inclusive and technologically advanced region. Additionally, capacity building and raising awareness about technology will empower Latin American countries to shape their own technological future.

Wout de Natris

Speech speed

158 words per minute

Speech length

1388 words

Speech time

528 secs


Arguments

Lack of deployment of cybersecurity measures in IoT is a major issue

Supporting facts:

  • Cybersecurity was not an issue in the early internet, but has become a problem with worldwide connectivity
  • The technical community has adjusted the code, but most governments and industries do not demand security by design
  • IoT devices are usually insecure by design


Security should be inherent in all forms of ICT and should undergo formal testing before entering the market

Supporting facts:

  • When new technology enters the market, it is usually untested for security
  • ICT cannot be legislatively controlled because of the rate of innovation


Report

The lack of cybersecurity measures in Internet of Things (IoT) devices is a pressing issue that demands attention. While the technical community has made efforts to address this concern, the majority of governments and industries have not yet prioritised security by design in IoT.

This oversight has resulted in widespread vulnerability and the potential for malicious attacks. Initially, cybersecurity was not a concern during the early days of the internet, as worldwide connectivity was limited. However, with the rapid expansion and integration of IoT devices into our daily lives, the need for robust security measures has become increasingly evident.

Unfortunately, IoT devices are often designed without adequate security measures, making them susceptible to cyber threats and potentially compromising users’ personal data. One argument put forth is that governments and large corporations should play a crucial role in setting the standard for security in IoT.

An example of this proactive approach is seen in the Dutch government, which has taken the lead by imposing the deployment of 43 different security standards. This demonstrates the importance of demanding high levels of security in IoT devices. Another concerning aspect is the lack of rigorous security testing before new technology, including ICT, enters the market.

The fast pace of innovation and the urgency to bring products to market often result in inadequate security measures. It is argued that security should be a fundamental consideration and undergo formal testing before any form of ICT is released, minimising risks for users.

On a more positive note, international cooperation and information sharing are emphasised as pivotal factors in staying ahead in terms of cybersecurity. The power of the internet lies in its ability to facilitate global discussions, enabling the sharing of knowledge and experiences across borders.

Governments and larger industries need to be made aware of their role and potential influence in addressing cybersecurity challenges, fostering collaboration and cooperation on a global scale. In conclusion, the lack of cybersecurity measures in IoT devices poses a significant challenge that needs to be addressed urgently.

Efforts from both the technical community and various stakeholders are required to push for security by design and the implementation of robust standards. Governments and large corporations hold the responsibility of leading the way, setting the standards for security in IoT.

In addition, rigorous security testing should become a prerequisite before any form of ICT is introduced to the market. Furthermore, international cooperation and information sharing are critical for staying ahead in the ever-evolving landscape of cybersecurity. Only through collaboration can we tackle the challenges and vulnerabilities inherent in the interconnected world of IoT.