Day 0 Event #35 Empowering consumers towards secure by design ICTs

15 Dec 2024 11:45h - 13:15h

Session at a Glance

Summary

This discussion focused on the Internet Standards Security and Safety Coalition (IS3C) and its efforts to promote a more secure and safer internet. The session began with an overview of IS3C’s work, including reports on IoT security by design, education and skills, and government procurement of secure ICT. Janice Richardson presented the concept of a “hub” for cybersecurity collaboration, emphasizing the need for education and diversity in the field.

Bastiaan Goslings discussed IS3C’s report on the deployment of DNSSEC and RPKI standards, highlighting the importance of these technologies for internet security. The panel on consumer protection featured representatives from Lithuania and Singapore, who shared their countries’ approaches to internet safety and regulation. They emphasized the need for international cooperation and a balance between regulation and industry incentives.

The discussion then turned to IS3C’s future plans, including a new project on IoT security and post-quantum cryptography in collaboration with AFNIC. This project aims to examine the societal impacts of IoT and the challenges posed by quantum computing to current security measures. The speakers stressed the importance of addressing these emerging technologies and their potential consequences.

Finally, the session concluded with an update on IS3C’s organizational development, including plans to become an Internet Society special interest group and potentially establish itself as a non-profit foundation. These changes aim to expand IS3C’s reach and funding opportunities while maintaining its role as a dynamic coalition within the IGF structure.

Keypoints

Major discussion points:

– The Internet Standards Security and Safety Coalition (IS3C) is working on initiatives to improve internet security and safety, including IoT security, education/skills, and government procurement practices

– IS3C is planning to create a “hub” to bring together experts and stakeholders to collaborate on cybersecurity solutions

– International cooperation is crucial for addressing cross-border cyber threats and creating harmonized security standards

– Consumer protection and empowerment is an important focus, including through security labeling schemes and regulations

– IS3C is launching a new project on the societal impacts of IoT and post-quantum cryptography

Overall purpose:

The discussion aimed to provide an overview of IS3C’s work and future plans to improve internet security and safety through various initiatives, research, and stakeholder collaboration.

Tone:

The tone was informative and optimistic throughout, with speakers enthusiastically describing ongoing and planned efforts to address cybersecurity challenges. There was a sense of urgency about the need for action, but also confidence that progress is being made through collaboration and new initiatives.

Speakers

– WOUT DE NATRIS: Moderator, Coordinator of the Internet Governance Forum dynamic coalition on Internet Standards Security and Safety (IS3C)

– JANICE RICHARDSON: CEO of Insight, IS3C Working Group 2 Chair on Education and Skills

– BASTIAAN GOSLINGS: Works for .nl registry IDN, former member of IS3C Working Group 8

– STEVEN TAN: Assistant Director of the Cyber Security Agency of Singapore, leads the Safer Internet Mobile and IoT security team

– KRISTINA MIKOLIŪNIENĖ: Council member at RRT (Lithuanian Communication Regulatory Authority)

– NICOLAS FIUMARELLI: Chair of IS3C Working Group 1 on IoT security by design

– ELIF KIESOW CORTEZ: Member of IS3C Working Group 9 on emerging technologies

– JOÃO MORENO FALCÃO: Member of IS3C working group on IoT

Additional speakers:

– Mark Carvell: IS3C senior policy advisor and rapporteur for the session

– David Huberman: Chair of IS3C Working Group 8 (mentioned but not present)

Full session report

The Internet Governance Forum session on the Internet Standards Security and Safety Coalition (IS3C) provided a comprehensive overview of ongoing efforts to enhance internet security and safety. The discussion, moderated by Wout de Natris, brought together experts from various backgrounds to explore key initiatives, challenges, and future plans in the realm of cybersecurity.

Internet Security Standards and Best Practices

A central theme of the discussion was the critical need for widespread deployment of existing security standards. Bastiaan Goslings, formerly of IS3C Working Group 8, highlighted the importance of DNSSEC and RPKI for securing internet infrastructure. However, he noted that implementation challenges persist due to perceptions of cost and complexity. This sentiment was echoed by Steven Tan from Singapore’s Cyber Security Agency, who emphasised the importance of balancing regulation and incentives for industry adoption.

Kristina Mikoliūnienė from Lithuania’s Communication Regulatory Authority advocated for a holistic approach to internet security regulation. This perspective aligns with the overall consensus that a comprehensive strategy is necessary to address the multifaceted challenges of cybersecurity.

Consumer Protection and Empowerment

The discussion highlighted the challenges and opportunities in consumer protection and empowerment. Steven Tan stressed the importance of building digital trust and secure systems, arguing that developers and service providers must prioritize security. The speakers discussed the potential role of certifications and security labels in empowering consumers to make informed decisions about online products and services.

Both Tan and Mikoliūnienė agreed on the importance of raising awareness and educating consumers about cybersecurity risks and best practices. They emphasized the need for collaborative efforts between governments, industry, and civil society to address these challenges effectively.

International Cooperation on Cybersecurity

The speakers unanimously agreed on the crucial need for international cooperation in addressing cybersecurity challenges. Steven Tan highlighted the importance of shared threat intelligence and common security standards, as well as partnerships between countries and industry. Kristina Mikoliūnienė emphasised the value of learning from other countries’ experiences and the need for clear problem definition and active participation in international efforts.

This focus on collaboration was further reinforced by a video presentation on the concept of a “hub” for cybersecurity collaboration. This hub would bring together experts and stakeholders to work on solutions, addressing the need for better education and diversity in the field. The presentation outlined the potential benefits of such a hub, including improved knowledge sharing and more effective problem-solving.

Emerging Technologies and Future Challenges

The discussion also touched upon the challenges posed by emerging technologies. Nicolas Fiumarelli reported on the analysis of IoT security regulatory documents across various countries, highlighting the fragmentation of approaches. Elif Kiesow Cortez and João Moreno Falcão emphasised the need for research on the societal impacts of IoT and post-quantum cryptography, stressing the importance of understanding the social implications of current IoT security status.

IS3C Organisation and Future Plans

Wout de Natris outlined IS3C’s future plans, including becoming an Internet Society special interest group and potentially establishing itself as a non-profit foundation. These changes aim to expand IS3C’s reach and funding opportunities while maintaining its role as a dynamic coalition within the IGF structure.

De Natris also announced a new project on IoT security and post-quantum cryptography in collaboration with AFNIC, with a report to be delivered at IGF 2025. This initiative underscores IS3C’s commitment to addressing emerging technologies and their potential consequences.

Additionally, IS3C plans to create capacity-building programs and continue its work beyond 2025. The coalition’s previous work on procurement was also highlighted, demonstrating its ongoing commitment to improving cybersecurity practices across various sectors.

Key Takeaways and Action Items

The discussion yielded several key takeaways, including the need for more widespread deployment of existing security standards, the importance of consumer protection and empowerment, and the critical role of international cooperation in addressing global cybersecurity challenges.

Action items emerging from the session included IS3C’s plans to organise a first event on consumer protection in the new year, apply to become an Internet Society special interest group, and convene a meeting in January to discuss the creation of a cybersecurity hub.

Nicolas Fiumarelli announced an upcoming IS3C session on Thursday, encouraging participants to attend for further discussions on cybersecurity initiatives.

In his closing remarks, Wout de Natris provided an overview of IS3C’s history and achievements, highlighting the coalition’s growth and impact since its inception. He also mentioned a QR code available for accessing additional IS3C resources.

In conclusion, the session provided a comprehensive overview of IS3C’s work and future plans, emphasising the need for collaborative efforts to improve internet security and safety. The discussion highlighted the complex challenges facing the cybersecurity landscape and the importance of multi-stakeholder cooperation in addressing these issues.

Session Transcript

WOUT DE NATRIS: Thank you and welcome to this IS3C workshop on empowering consumers towards secure by design ICTs. But I have to admit that this flag does not cover all the topics we are about to share with you. Things change over time. My name is Wout de Natris and I’m the coordinator of the Internet Governance Forum dynamic coalition on Internet Standards Security and Safety, or IS3C, and I am your moderator today. IS3C has an overarching theme to make online activity and interaction more secure and safer by achieving more widespread and rapid deployment of existing security related Internet standards and ICT best practices. We cover through reports and IoT security by design, tertiary secure cybersecurity education and skills, and government procurement. We have also published two tools, and the first by presenting a list of covering the most important Internet standards aimed at operability plus how to secure websites. And the second we present to you today in a few moments. You can find our work on our website, www.is3coalition.org, or on the website. In this session we will present our upcoming work and our plan to create a hub. I’m the first to see a video on this topic, so stick around. IS3C has ended the first phase of some of our priorities. It’s time to move forward by putting theory into practice. IS3C strives to create capacity-building programs so that our guidelines, recommendations and tools will be implemented around the globe in the coming years, leading to more harmonized and not isolated security actions. But that is the future. Let’s turn to now. Today we will first learn about the hub by Janice Richardson. Next, Bastiaan Goslings will present on IS3C’s latest tools, our outcome for 2024. And this is followed by a panel on consumer protection. And we end with our plans for 2025 and beyond. But first, the hub. Janice, I think that you’re online and I would like to present the word to you.
Janice is the CEO of Insight, based in Luxembourg, and is the IS3C Working Group 2 Chair on Education and Skills. Janice, the floor is yours.

JANICE RICHARDSON: Thank you and good afternoon, everyone. I’m sure you’re all aware that we’ve gone through a tectonic shift in the security landscape over the last couple of years. The speed, the ferocity of cyber attacks are coming faster and faster, and no one is really prepared for this. The rise of generative AI also has made it much easier to cyber attack many of the applications that we use daily. Organizations have increasingly moved their business to the cloud. And once again, this is a point of fragility. Also, identity-based attacks are growing considerably through social engineering. This raises a question, what can we do because the traditional way of cyber attacks is no longer valid? We need to educate, educate at all levels. We learned a couple of years ago when we did a study that in fact, young people are coming out of tertiary education, they’re really not prepared to kickstart their career in industry. Industry is decrying this lack, decrying the gap and asking for better tertiary education. But I’d like to go back even further, because cybersecurity depends on every single one of us. We are all the weak link in the chain. And therefore, I think we all need to be much more aware of what cybersecurity means for us. And this goes right back to the first classes of elementary school. Over the last couple of weeks, I’ve done a quick scan of what’s available to help young people know how to use computers, technology safely and securely. And what I realized is that we’re really not getting to the heart of cybersecurity. We teach about hard passwords, but we’re not teaching the fundamentals. And this is actually what we learned from the study that we did and that we published at the IGF two years ago. Industry considers we need to get back to basics. Young people need to understand the architecture of the internet, the architecture of the cloud, if they’re really going to help find innovative solutions. 
Having education and training, I’ve already mentioned that, but every single person must be aware of how we can very easily be victim of social engineering. Even people like ourselves, who consider ourselves experts in the field. We need to improve collaboration. In tertiary education, professors are lecturing with their own resources, and yet industry has some fabulous resources available. If only they would share these resources, if they would improve the collaboration, there is a real gap. Industry doesn’t know what’s being taught, but just knows that not the right things are being taught, and education is struggling to find the answers. We also need to boost diversity. I don’t know how many people are in this room right now, but usually I’m one of the few women talking about cyber security. If we don’t have women, if we don’t have different races, if we don’t have a broad overview of the population working in cyber security, we really cannot fully understand where the breaches are, and how to improve them. And of course, we need to upgrade recruitment procedures. These in-service trainings are really not working for anyone. Young people are there making the coffee when they should be there, really understanding how cyber security needs to work, and how they can be part of a team. This has led us to push for a hub. What is a hub? Well, it’s a place where people from all walks of life, interested and involved in the cyber security system, would meet, would exchange ideas. It’s a place where there would be room for the general public, room for youth, room for everyone to discuss and find the best ways ahead. Cyber security is not going to lessen. Every day we’re learning about new AI tools. This morning I was listening to intuitive AI, which adds further burdens to the system. So my call for action here is join us. Join us to create a hub.
Create a hub where we can all work together and start finding solutions and making the public aware that they also are the weakest link in the chain. And when I talk about young people, I’d like to say that they very often have a lot of solutions. If only we know how to work with them, how to guide them, but not put ideas into their mouth. We’ve worked with young people, thanks to Buchanan Coal and Tony Grillo. Pixel Blue was the company. We’ve actually worked with young people in Canada. They have created a video. And I really think that this brings together the ideas of why we need a hub, how to make that hub, and maybe a glimpse of the future. So I’m calling on you. Join us. We’ll be running meetings in January. Join us to help the hub become a reality. Back to you, Selby, to play the video.

VIDEO: So it is the dawn of the internet. The world is suddenly connected like never before. The free flow of information reveals a global community brimming with innovation. Welcome to the world wide web. But there are those who seek to subvert the web, to poison its promise for ill-gotten profit. It is the dawn of the Internet. The world is suddenly connected like never before. The free flow of information reveals a glimmer of hope. We are still trying to find out how to get the movie on screen. Okay, are there any questions for me while you’re getting the movie on screen? I’m very

WOUT DE NATRIS: Is there a question in the room? I don’t see any fingers. So, let’s watch this video. Shelby is trying to figure it out for the guys at the technique section.

VIDEO: So Shelby is getting back and here is our video on the hub. It is the dawn of the internet. The world is suddenly connected like never before. The free flow of information reveals a global community brimming with innovation. Welcome to the world wide web. Seek to subvert the web. To poison its promise for ill-gotten profit. Necessary and existing security measures are not built in by design. Cybercrime becomes big business, exploiting the cracks in our defenses, taking advantage of our trust, taxing our resources, leaving countless victims. Our leadership struggles to develop a coordinated response. Our defense is disorganized and outdated. We’re left to fend for ourselves. To protect our global connection, experts around the world come together to form the vanguard of cybersecurity. The Hub. Populated with the smartest people on the planet, using the most effective solutions available. With adequate funding and collaboration, the Hub grows. Schools are empowered to provide state-of-the-art training. A new generation of cyber warriors enters the battlefield. Citizens of the web have open access to protection, ensuring the security of every link in the system. Put an end to cybercrime, once and for all. Support the Internet Standards Security and Safety Coalition. Let’s build the Hub.

WOUT DE NATRIS: Yes, I think that’s ... This is made by a good friend of mine called Tony Grillo. And he works with a university in Canada where the department is called Pixel Blue. And their students made this as a graduation assignment. And then it was finished by the head of the department to get some finishing touches together. But I think it’s a very powerful video, as Janice said. Are there any questions on the idea of the Hub, or what it could do, or what it could do for you? Janice, as a final question from my side. How do you envision the next step for early in 2025? What are your plans?

JANICE RICHARDSON: First, I think that all of those interested need to sign up. We will inform you when we’ll be conducting a meeting in January to see concretely how we can put this together. So first step, call for action. Sign up please to the IS3C. Keep an eye on the date that we will announce and then come with your ideas on how we can put this together and the road ahead.

WOUT DE NATRIS: Great Janice, thank you very much and we’ll be looking forward to the dates that will be announced on the IS3C website and beyond very soon. Thank you very much. The next is that Bastiaan Goslings is in the room. Bastiaan works for the .nl registry as IDN nowadays but when we started this project we were on working group aid in Ireland. We are one of the two sponsors of this project. The result is some guidelines that we produce on arguments and Bastiaan will lead us through his presentation to show what this work is and how it came about and what the recommendations are. Bastiaan. Thank you, oh you can understand me?

BASTIAAN GOSLINGS: Thank you Wout for the introduction and I think that’s being announced I think you know that emphasizes you know the urgency of security standards having to be deployed and I’m proud you know that I can be here to share an overview of an endeavor, an IS3C endeavor that was recently finalized and in this particular case on deployment of standards DNSSEC and RPKI. So I have 10 minutes to go through this and you know I also want to give you the opportunity to reflect on it and give statements or questions. This is going to be, I’m not going to be able to go into details, the report is publicly available on the IS3C website. But I think you know, it’s good to take the opportunity here to give you an overview of what we’ve been doing. So in a nutshell, the problem statement, probably you’re all aware, but the domain name system and as well as a global system for internet routing are both fundamentally important when it comes to the functioning of the internet overall. Everything else depends on it. The functioning of naming, numbering, and then you know, the combination of that and the way that internet routing works. If there’s an issue there, then any content or any communication that relies on it, you know, is affected. So that leads to the conclusion that if there are standards available that can improve those fundamental technologies, the security of them and increase trust in online services provided and online presence of entities and individuals, then that would at least give you an indication, right? This is something that you need to implement or if you purchase services from someone else, but that particular vendor has taken this into account. These technologies have been available for quite a long time in internet terms, but deployment, it’s different across operators, it’s different across regions, and we’ve seen growth, but it’s still lacking.
So in order to have a real impact, this deployment needs to be increased, but what’s the reason for that? So this was something, you know, that fed into this effort about also mentioned the fact that the RIPE NCC and ICANN supported this kindly. And there’s a lot of technical documentation available, many reports over the years looking at these techniques. And when I worked for the RIPE NCC, and also with regard to RPKI to improve the security of routing, all the knowledge is there. And there has been quite some engagement effort, right, to increase deployment, but we thought, hey, maybe there’s a different narrative necessary, and that’s what the working group aimed at. So again, you know, the deployment of these standards is fundamental. I think it’s really important to emphasize that, you know, that routing and the way the DNS works, everything else depends on it. So whether it’s for organizations, whether it’s for public entities, public services, for business as well as individuals, to maintain trust, you know, in terms of internet content consumed, internet services used, internet presence. It’s fundamental that those technologies work properly and are secure. So then at least when it comes to these technologies, it sounds like a no-brainer, but at least consider looking at them. So either when it comes to your own network, your own devices that you have control over, which you can configure, you know, think about implementing them there. Or otherwise, if you purchase services, whether it’s from a transit provider or a cloud operator or other infrastructure services, then make it part of your procurement process to include these types of criteria. Because again, everything else depends on a secure internet routing and a secure DNS. So why is deployment lacking? And I will not go into the numbers and details. There’s more in the report, so please go ahead. The URLs, the links are included later on.
But there are a number of points that were raised by the working group of experts that were involved in this. On the one hand, you know, there’s the perception of cost and resource constraints, right? Like it takes additional knowledge, additional software, maybe additional hardware, control of this to manage all of this. People consider this to be quite technically complex. Not only the fact, you know, that you need to have the knowledge to actually use these type of standards. But also, if anything goes wrong, because these technologies, the underlying technologies are so fundamental, there’s a risk, you know, if anything goes wrong with implementation, that the provision of online services might be affected. And also, the working group considered, you know, that for quite a few entities, they’re just involved in their business, have their commercial reasons to do so or other reasons to do so. And they’re not even really aware of the risk, you know, this is very much under the hood of these type of technologies and how this works. So people are not really aware of it. And then they come to the lack of awareness, and maybe a lack of education, also, even when it comes, you know, to the engineers and the ICT people that are employed. And the last but not least, and then we can get more, you know, towards the target group that the report is aiming at. It’s not part of priorities, right? Even an ICT strategy, and everything that comes along with it, quite a few organizations don’t have that. So it’s not part of those strategic considerations and priorities. So as I mentioned, you know, although the technical reports are there, many analysis have taken place before, but the working group felt there was a reason for a new narrative and a number of elements fed into that. 
On one hand, you know, national cybersecurity resilience, the risks or the availabilities of online services, they’re so huge, if all of this breaks, if your internet doesn’t work, if you cannot communicate with your public authorities, because everything is done online, then you do have a serious problem. And we see in many countries, especially, I’m from the Netherlands, and so looking more at that part of the world, the western part of the European Union, specifically, more and more our sector, the internet sector is being regulated. And I think to some extent, rightly so, because of the risks and the, because of the risks involved. So there’s more and more regulatory pressure. So if you include these type of standards, as a base, best practice in the way you know that you approach your ICT strategy, then I think you’re already a step ahead. And then, of course, for commercial organizations, ICT and digital presence and online services, it’s part of your core business. It doesn’t really matter which business you’re in. It’s so important. So you have to consider at least these type of standards. And then maybe from a moral perspective, it’s not only about you as an individual. It’s not only about you as an organization. It’s about us as a society, as a whole. The internet as a global phenomenon as a whole, I think. So again, go back to the report. All the details are there. But to take some of the main takeaways from the conclusion, it’s about safeguarding an organization’s reputation. It’s protecting critical services, vital information related to infrastructure. The integrity and authenticity of online services can be improved by technologies like RPKI and you implementing DNSSEC. And I mentioned it a couple of times, I think, you know, this has to be part of your core business. Everything is online nowadays. It doesn’t really matter which line of business you’re in. 
So then we’d argue, please, decision makers, take this on board and include it in your strategic plans in order to promote trust in online services and also your own online presence. These are the experts that contributed to the document. Our gratitude goes out to them. A special shout out to our chair, David Huberman from ICANN. He put a lot of time and effort into this and herding cats, you know, this group of people. Unfortunately, he cannot be here, but I do want to mention him specifically. And we’re really grateful for all the time and effort he put into this together with the other experts. And of course, Wout, as a secretariat. And I mentioned, you know, this could not have been possible without the financial support of both ICANN and the RIPE NCC. Those are the websites of the IS3C itself. And then, you know, the working groups and working group eight is there and you can find the report. This ends my summary. If there is anyone who has remarks, comments, questions, I’m happy to make an effort to answer them. Thank you.

WOUT DE NATRIS: Thank you, Bastiaan. And thank you everybody who worked on this project because we really had really excellent comments from all people from all over the world who worked to get this together. You can find the document by scanning the QR code. And what I can add is that I’ve heard from both organizations that they’re really, really happy with this outcome. And the RIPE NCC will actually share it as of today now that it’s officially released with all their members, but also their colleagues at RIRs, the internet registries around the world. So if that is the sort of impact that our work has, then it means that we’re changing perhaps a little bit how people who have to convince their bosses can actually do so. So let’s hope that that will happen in the coming year. Working group eight will be closed this Wednesday officially because then we have our internal meeting, but also for me, David, also Bastiaan, thank you very much for getting this together. And it is very much appreciated by IS3C memberships. Thank you. And a small applause for the work is certainly in place. Is there a question? It worked when we were at home. Soli, can you take a look whether this is the right code because it’s not working they say, but it worked when I tested it. Yeah. It’s a different… We’re going to try and change it so that the right code will come on, sorry for that. The next up is, okay, I can’t hear myself anymore for some reason. Oh yes, that’s it. As soon as you put it into something then the sound disappears. The next topic is on consumers, and what we have is that we tried to get a working group together in 2022 with consumer organizations, but then the finance did not work and then the specialist stepped away so it never really got off the ground. We talked to people at the IGF in Kyoto last year and that sort of started to revive it, and we hope to start some work on this topic of consumer protection in the next year.
In the panel today, we have two consumer protection organizations. And we have Steven Tan, and he is Assistant Director of the Cyber Security Agency of Singapore, and he currently leads the Safer Internet Mobile and IoT security team under the Cyber Security Engineering Center. And his work focuses on assessing cyber risk in the internet, mobile, and IoT domains, and develop initiatives to secure Singapore’s digital landscape. They’re both online, so hopefully we can see them on the screen soon. Welcome, Kristina and Steven. I think the first you have two minutes to introduce your organization, and what exactly is that, but it doesn’t make me start so Kristina, you go first. Thank you.

KRISTINA MIKOLIŪNIENĖ: Yeah, hello, everybody in the room. Me, I’m Kristina Mikoliūnienė, I’m council member at RRT, it’s Lithuanian Communication Regulatory Authority. And we are a small country in the Eastern part of Europe. Going forward to our institution, RRT is a, started at the beginning as a pure technical organization. It was National Radio Frequency Agency many years ago and evolved to the big hub of regulation, starting from electronic communications and post railway sectors, and going forward to the big bunch of digital services as electronic signature, as electronic stamp or safer internet or hotline in general. So me, I am over 20 years, and this organization and beginning, I have worked in electronic communication field, with more with technical and economical aspects, then also with consumer disputes, going forward to postal and railway issues. And currently as a council member, I see strategic decision-making across all these sectors, and I’m working deeply with digital services, including safer internet and measures to combat child sexual abuse material online, or filtering measures and mechanism to protect minors. So shortly about me and my organization. Thank you.

WOUT DE NATRIS: Thank you, Kristina. And Steven.

STEVEN TAN: Hi there. Right. I think, firstly, thanks a lot for the introduction. Yeah, maybe a quick one. I think as we all know, right, online transactions used to be very pretty straightforward. You click a button and then you make a purchase, right? But as digital services evolve and becomes more interconnected, things got a little bit more complex. And while this… connectivity brings convenience, it also introduces a range of cyber risks that we can’t ignore, right? Scammers and cyber criminals are constantly finding clever ways to exploit vulnerabilities. We have all heard about data breaches, identity theft, and online scams. It has become something none of us can ignore anymore, right? This makes digital trust more important than ever. It’s about making people feel safe when they’re online, whether they are shopping, banking, or just browsing the internet. But digital trust isn’t just about users being careful, it’s about building secure systems that people can rely on without having to think twice, right? So, in the Cyber Security Agency of Singapore, it’s a national agency dedicated to protecting Singapore’s cyberspace. At CSA, we are all about co-creating a safer cyberspace, we work closely with the industry partners, raise public awareness, and of course, promote secure technology adoption. But at the heart of it, we also think that developers and service providers have a primary responsibility, right? They need to build security into their products right from the start, ensuring that there’s privacy, there’s data protection, and also secure development process are non-negotiable. And importantly, on the flip side, we also realize that consumers also need to play a role. They should better demand for security from the products and services they use. This is where, you know, certifications, security labels, and standards come into play. 
And that’s also one of the core businesses that we have in CSA, by providing transparency and giving companies a competitive edge when they prioritize security, right? So, essentially, that’s what CSA does, right?

WOUT DE NATRIS: Thank you, Steven. I think you answered my first question already quite good, that how does your organization currently contribute to a more secure and safer internet for your country? And I think you gave some excellent examples. Now, is that in Lithuania, Kristina, how does your organization currently contribute to a more secure and safer internet for all the people living in Lithuania?

KRISTINA MIKOLIŪNIENĖ: You know, RRT, so as a national regulatory authority, we also help and promoting internet as such. So we do market analysis to enhance competition in the market. We do any proposals for giving the frequencies or numbering to resources to the market participants. But at the same time, we see how the internet in general impacts end users, consumers, and that we have to see and help them to not be lost in the internet space in general. So first of all, thank you for helping, for making internet safer. So it’s really very helpful to know to each other the possibilities in the market. But internet knows no borders. So if one press looks for some information online, it goes, the information can go from any countries abroad. So it’s really important for us to act together, I think. And in Lithuania, we have the holistic approach. We, being a hub of regulation, we can impact the market participants, beginning from the operators for market participants. So in the level of interconnection, then we can go forward to different problems occurring with numbering resources, that numbering resources wouldn’t be used for fraud or any forbidden actions in general. And also we see that bullying or scam or child sexual abuse material, they are also online. And we, as a hotline, we do some, not some, but many. actions or not only also active clearing the internet against the children’s prohibited information. We also have some requirements for fixed and mobile networks. We also have, as I said, numbering resources. We acting as independent auditor for trust services or electronic identification services that these services will not be not so secure in the especially where the state is giving the security level high security level for consumers. We also pre-trial authority for consumer dispute resolution. 
It means that you as a consumer and user you can go to us if some operators acts not according the requirements that you are somehow not you feel not so safe or secure according your agreement. And also we have very special attitude to minors. We have a special law already from 2011 and implemented in the level of state the hotline. We also have international cooperation. We are part of InHope Arachnid projects. We are also have an agreement with Interpol to make internet safer. So we are also trust flagger in different platforms as Google, YouTube, TikTok or Discord. We also trying to raise the awareness in any of these different layers. So the holistic approach and being a regulatory hub helps us to be everywhere or to try to be everywhere on time. Because in internet, every second matters. Because if you push a button, the same time, the same second, it makes an impact to consumer or any internet user or not always the very positive impact. And of course, I think that priority is very important. Knowing that internet is so huge and interact in all different layers, it’s very important to set the right priorities. For example, in the world, in the whole world, there are over 200 countries, but hotlines implemented on the state level are only 10. And only five of them are in European countries. And we are one of them. So actually, I’m proud to be part of that system, which makes internet safer for anybody, especially for minors, who do not have a possibility to be safer, because they cannot protect themselves. Thank you.

WOUT DE NATRIS: Thank you, Kristina. I think that I heard from your answer three topics that we can move on to. One is that we have heard from Steven, where there’s a responsibility in terms of themselves, but we also heard about the industry and the role that industry plays. And the next, that there is a complete international component that makes it extremely hard to actually do something as an organization from one specific country. To look at the industry itself, to start with, because they are often the organization that could put forward a solution towards more security. like we heard from Rossi on internet standards and the deployment. But there are some, is this something that you took care that the ICT industry could have? Is it something that you ever thought about the deployment where security of the internet is concerned and for example, with the deployment of security on the internet standards that would make the end user far more safer than currently it is? Is that something that you’ve discussed among yourself? And let me start with you first, Steven.

STEVEN TAN: Right. I think firstly, the short answer would be absolutely. Right. Why so? I think firstly, the clear duty to care rules can push ICT providers to adopt stronger security measures. When regulatory framework set minimum security expectations providers out there, developers out there have no choice but to comply, right? This help makes security a standard practice and not just a competitive edge, right? So in Singapore, we have rolled out initiatives like the Internet Hygiene Portal which sets a strong example by encouraging businesses to adopt secure practices by default and then publicly recognizing those that excel in security through Internet Hygiene Rating. Similarly in Singapore, we have also launched out a Safe App Standard as well as a Cybersecurity Labelling Scheme for IoT products as well. This shows how setting clear expectations can actually offer developers and providers some public facing recognition and then drive compliance and even giving businesses a business niche or market advantage, right? This balance of regulation and industry recognition is important. It helps to motivate companies to go beyond the bare minimum, right? And we do understand that at many a times, regulation isn’t just everything, right? It works best when you pair with incentives like certifications, security labels, or even industry recognition itself, right? This creates clear differentiation and give businesses that competitive edge, encouraging they themselves to not only meet but exceed minimum security requirements. And what we really intend to do is that we hope this actually motivates continuous improvements. And of course, innovation in cybersecurity practices for the various enterprises and business out there, right? So when we are looking at the duty to care, we thought it’s important that some rules will be useful, but it should be a good mix between regulations as well as incentives, right? To actually help to match in the industry to move on forward.

WOUT DE NATRIS: Yes, and creating a level playing field as I also understand from your words. I think that is a very encouraging answer that you gave that it’s not just about regulation and the hard side of the law, but that the softer side of the law is just as important. How is that in Lithuania, Kristina?

KRISTINA MIKOLIŪNIENĖ: As I mentioned before, yes, we have rules. We have in each level of internet interaction, in a field of interaction, we have some particular part, some amount of rules, but I totally agree with Steven that is not, rules are not everything. Rules are only the, too many rules brings the market participants to the insecurity feelings. And they do not want to invest, especially in the levels, in the areas where investments are not so profitable. So actually as a representer of regulator, I would suggest to be on the good, the balance between regulation and between motivation. Maybe some, if you want to have some requirements for market participants, you have to give the regulatory qualities or something like that. Not to, and not convince very strictly in every point where you need to have more security, internet security. Because, you know, at the end of the day, everything costs money. And if you will require, only require, that all the investments will be paid by their consumers. And are consumer ready for it? Are consumer ready to pay for every security implementation on the market? I am not so sure. So I think that right balance is the best idea.

WOUT DE NATRIS: We’re also talking about the international component. In what way could citizens of your countries profit from international cooperation that would ensure a secure and more secure and safer internet? Steven.

STEVEN TAN: I think when it comes down to international cooperation, right? We must firstly understand that global cooperation would potentially, or, you know, be seen as, you know, shared threat intelligence, common security standards. And of course, faster responses to incidents, you know, but at times we do understand that that’s not what is really happening. But if we were to actually do it carefully, intricately, this is what we actually foresee. Governments play a crucial role by sharing cyber threat information, coordinating responses, and even collaborating on joint research initiatives, right? This transparency would help to build collective resilience and ensure that no country is left vulnerable due to isolated cyber security efforts, right? So in CSA, some of the things that we have done is that we have built strong partnerships with key industry players like Akamai, Google, Microsoft, even non-profit organizations like APNIC and even in the Internet Society. These collaborations coupled with government-led information sharing efforts would enhance our cybersecurity capabilities through joint intel sharing, training, and even research initiatives. Such collaborations would also allow us to enhance our cybersecurity capabilities. For example, by working together on securing IoT devices, we will be able to align on common security baselines, ensuring that consumers worldwide have access to safer products. These partnerships will also help address cross-border cyber threats more effectively, making it harder for attackers, even scammers, to exploit gaps between different regions. In the long run, having international cooperation would mean better protection, enhanced trust, and more resilient digital services for everyone. We have identified and even noted that cross-border cyber threats are tough to tackle alone. 
International partnerships between countries, even between the government and the industry, will create a united front, making it harder for attackers to exploit gaps between different regions. At the end of it, I really hope that through international cooperation, this will actually help to enhance the protection, and at some point in time, we will actually gain back the digital trust for everybody.

WOUT DE NATRIS: Some very important comments on making the world more secure and safer. Kristina, what’s your thought about the international cooperation and if that could make citizens more secure and safer?

KRISTINA MIKOLIŪNIENĖ: Yeah, so internet, as I mentioned before, internet has no borders, so it’s very important to be part of a big family. So we, almost every… Everybody knows that sometimes synergy gives not 1 plus 1 equal 2, but 1 plus 1 equal 3 or even 4. So I think this is the result of international cooperation, and this is the reason why we are part of Arachnid or INHOPE projects, which are going global to make our children and in general consumers safer on the Internet. And you know, we have even the proverb in Lithuania that the fool learns from their own mistakes, but the wise person learns from other mistakes. So I think it’s a very good sign to learn from other mistakes and not repeat the same mistakes in every country because of separately views or attitudes to the same issues. And it’s, I think, so, you know, every time we do the market analysis, we search for experience in other countries and collecting the experience from other countries. We do the obligations, which suits for Lithuania, for small country in Eastern European part, but still valid all around the globe. And I think the Internet being such an international thing must be treated also internationally, because if we agree on values, we share, we do the best in terms of all of us. So I think we have to cooperate and work together in order to have the best results, and then everybody will win from it.

WOUT DE NATRIS: Thank you, Kristina. I think that you’re totally right, that in the end the challenges for everybody in every country, every organisation on the internet are about the same, because the threats come from the same sources, most likely. As IS3C, we hope that we can start working on this to create some sort of a blueprint on this topic, or whatever we would like to call it, so that the same sort of information goes out to the alliance organisations. It would be a good step, I think, a first step to try and get this international cooperation going. What would be your advice, Steven?

STEVEN TAN: Right, when it comes down to a good step to actually start getting international cooperation, I think it can start and can begin by forming multilateral working groups, such as those that we are seeing currently in IS3C, but it would be always a good mix if you could actually involve the government, industry leaders, and standard-setting bodies at times, and last but not least, consumer groups as well, to actually come in together to collaborate on global frameworks for the internet and application security, ensuring that solutions would work across borders while reducing fragmentation in cybersecurity practices. The last thing we really want to do is that, you know, when we call each country coming up with different cybersecurity practices, and in the end, we get the various fragmentation and balkanisation, you know, this is something that we are trying to avoid, and this is something that I believe, right, as part of IS3C itself, it’s something we really want everybody to have a common internet working together. Another essential step, I think, would be is to establish regional forums and international workshops where experts can discuss pressing cybersecurity challenges like securing digital supply chains, mitigating cross-border cybercrime. Such events would help create actionable roadmaps and foster partnership that will drive long-term improvements. I also feel that as government, right, we will always need to take the lead in sharing cyber threat intelligence to trusted global networks. Transparent communication and real-time data sharing would enable faster and more coordinated responses to emerging threats, strengthening collective defenses against global cyber attacks. And last but not least, I think it’s important that we could advance capacity building initiatives. I think just now when Janice was actually bringing up about the hub, right, I didn’t previously heard about it before. I mean, through this platform, I actually heard about it. 
I’m very excited itself, whether we could actually pull in various experts on all around the place, right, to work together. You know, hopefully we could share best practices and support on technology transfers. And perhaps, you know, even for nations-wise, right, we could help to uplift each other cybersecurity capabilities and sharing that no country or no region is actually left behind in a fight for a safer internet.

WOUT DE NATRIS: I could never put that better myself. Thank you, Steven. Steven, what are your thoughts about the international cooperation and what would be the first good step started? Well, this is a question for me? This question for you, Kristina.

KRISTINA MIKOLIŪNIENĖ: Yeah, sorry, because it’s very difficult to hear you. Yeah, so from my point of view, it’s very important to clear the problem, first of all. because the internet has so many different layers and in every layer there are some different problems. So first of all, I think it’s necessary to find a quite narrow description of the problem you would like to solve. And then it’s important to find the active people because active people, the right people that are of a critical importance. The third thing I think is to have a necessary tool for it as internet.nl and similar. So really to convince your partners that you have something which is really suitable for them. Going forward, the voluntary participation as we do in Arachnid or INTERPOL programs are very important also. And as a good example, because example motivates I think it’s an AI convention started to sign in Vilnius this year and on 5th of September, which is that there was the point where every country in the world agrees. And now the creator of that convention they started to find the people who are agreeing on that convention. And now they are trying to find the signing parties. So I think it’s like some similar like lobbying activities. Yes, when you have a problem, you have the people around you, you can convince regulators to implement some obligations necessary, some part of obligations. You have convinced maybe some market participants to be more active and more social responsible in the internet. Maybe there are some end users where awareness, raising awareness could help to act more safe in more safe way on internet. So I think all the related parties must be implemented in that work, because as I said before, you are encompassing the whole world. So thank you for doing this.

WOUT DE NATRIS: Thank you, Kristina. I think that we’ve heard from the panel that we have quite some challenges, but also a lot of opportunities. And I suggest that we, when the new year starts, let’s see if we can organize a first event to get this going. So I will be in contact with you in the new year. For now, thank you very much for participating and for your very clear and concise answers, because we have heard very good answers in this panel. So thank you, Steven. And thank you, Kristina. The next topic is- Thank you for inviting me. Thanks for inviting me. You’re very welcome. I’m very happy to say that IS3C has received a new assignment. We’re gonna start a new work next year. And I have the chairs of Working Group One and the project leader of Working Group One with me and online of Working Group Nine on emerging technologies. Working Group One has produced a report last year on IoT security by design, led by Nicolas. And we’re gonna start a new project on that topic combined with emerging technologies. I’ll first give the floor for five minutes to Nicolas to say what exactly was the current affairs and where we’re going to. Then I ask Elif to tell about the quantum cryptography, PQC, she’ll tell you, and then Joao about the IoT components in that. So Nicolas first, you have five minutes, please. Thank you.

NICOLAS FIUMARELLI: Thank you so much, Wout. Good afternoon, everyone. I am Nicolas Fiumarelli, the chair of the working group one on IoT security by design. Well, it’s a pleasure to be here and discussing on how we can empower the consumers on different topics we have raised. In 2022, we conducted a comprehensive analysis of IoT security regulatory documents and different policies around 18 different countries and regions. We identified 442 different best practices around four key areas that are data privacy, secure updating, user empowerment, and operational resilience. 442 best practices. So we also found that many nations, particularly in the global south, lack about enforceable IoT security policies, even where the frameworks exist, because there are several of them. They are often like voluntary or fragmented ones. And the global adoption of the security by design, ICTs, is hindered by these inconsistent standards, right? So one of the most promising solutions in implementing cybersecurity are labeling schemes. Labeling schemes are seen in Singapore and Finland. Labeling empowers consumer by providing clear information about products, security features. So this drives manufacturers to prioritize on the security. But these systems require robust independent testing mechanisms and so on. So global standardization and ensure effectiveness is difficult. So on the other hand, consumer empowerment must be complemented by strong regulatory frameworks. For example, we have the new ones about the UK’s product security and so on, NIST standards on the 8.425, on the 2024, and the EU Cyber Resilience Act, different ones, right? But on our research report, we recommend establishing these clear frameworks, promoting more interoperable global standards, and so on. Well, the Working Group 1 remains committed to advancing IoT security through education, research, and different advocacy mechanisms, as we recommend in our research. 
But looking into the future, we will continue with this research. We will continue with different approach now, because we identified that there are other factors that are important. And so my colleague Joao will tell us more about the 2025 action plan for our working group and beyond. And well, I invite you all as well to join our efforts, whether implementing these recommendations we have at the report, also contributing to engaging on our ongoing research and repository of the best practices. I mentioned we have 442. So looking for more examples from the global world, and also to advocate for this stronger policy right in your own regions. So together we can ensure that the IoT devices and in the more extended way, ICT, not only connect us, but also protect us, right? So I’m giving the word to Joao to explain more about the next year plans.

WOUT DE NATRIS: Thank you, Nicolas. I think that the message here is that I think it was 22 or 22 constituencies in the world that were studied. In 22 constituencies, we had 442 different best practices or advices or whatever you want to call them. And that’s unworkable for industry. I think I’m going to let Elif go first, and then Joao. As two years ago already, we sort of launched the idea to start a working group on emerging technologies. And we talked to a lot of organizations. And finally, once we met in Kyoto, decided to work with us. And that project is going to start pretty soon. The contract is signed. And Elif, please explain from your side from exactly what it is that we’re going to study and report on. Then Joao will explain how that interconnects with IoT. So Elif, the floor is yours.

ELIF KIESOW CORTEZ: Thank you very much, Wout. We are, of course, very happy to announce this new project. of IS3C with AFNIC from France. And this project will be delivered as a collaboration between Working Group 1 and Working Group 9. Our research will have two different areas to focus, one dedicated to the societal impacts of IoT and the second one on the post-quantum cryptography. We will be also providing a brief combined analysis of these domains. And our project will have a multidimensional analysis looking at societal, legal, economic and environmental impacts. And we will be also including policy recommendations both at the state level and at the organization level. So we have a big task for us for this project. And in the next IGF in 2025, we will be also facilitating stakeholder engagement on these issues through a common workshop that will encourage dialogue on societal implications as well as the future directions. The project will be finalized with a combined report both on IoT security and on PQC. I’m also exploring cross-cutting themes like digital transformation and future proofing against emerging threats. That was also the focus of our Working Group 9. We will be also making sure to refer to international cooperation and economic competitiveness aspects within the broader context of global cybersecurity efforts. And we think that these are extremely relevant and important topics today. So we are also happy to hear from you if you would like to collaborate with us in the future in any of these domains. And I think I can give the floor to Joao.

WOUT DE NATRIS: Thank you, Elif.

JOAO: Hello everybody. So I’m here to represent the working group that will develop the part regarding to IoT. So when we were discussing about this project and sketching it, what we see is that people understand that there is a security problem with IoT. And what we wanted to know about after realizing it is, well, okay, if someone gets hacked, if this current security status of IoT is kept, what are the security implications of it? And what are the social implications? Because we are developing a world based on the security levels that we see, and we want to see further and think of what would happen and what we need to change to make the society safer in regarding to IoT. So we want to see this societal phase of the work of making IoT safer.

WOUT DE NATRIS: Thank you, Joao. And I think that shows how the two topics also intersect with each other, because when the quantum computer is there, then all IoT devices will have an instant security problem that’s even bigger than it is today. So that is where we are going to try to come up with not immediate solutions, but at least with an indication of where we are at this point in time and what the consequences will be. And from there, hopefully build that into some sort of a capacity building program, which has been discussed with AFNIC already about how to move forward after the IGF in 2025. What it shows is that IS3C is building and we’re delivering. As you see at this moment, all the reports we promised to deliver are there and you find it on our website. Is it possible already, Selby, to show the QR code? The gentleman in the back, can we show the correct QR code, please? Thank you. To wrap this session up, because we’re about to end, but if there are any questions first, and are there any online questions? That is something that I cannot see from the stage. Are there any questions? No, we don’t have any. So I’ll wrap the session up and let you go to the next two sessions. To talk about IS3C, again, the Internet Standards and Safety Coalition, the dynamic coalition within the IGF structure, we’re now in existence for four IGF cycles. We started at the virtual IGF in 2020 with our inaugural meeting. And we can look back at being a dynamic coalition that started by making promises. We painted a picture of where we wanted to be in about two years’ time. And we decided on three topics to start with. The first was IoT security by design. The second was education and skills. And the third is procurement. And that’s the only one you haven’t heard about, but that was also a report we published that showed that most governments in the world do not procure their ICT secure by design. They have no policy for it. 
In 2021, we were able to present solid plans on these three topics. And with them came the first funding in 2022 and the first research and then our first reports. From there we grew and more topics came aboard. The fact we have seen a new one presented just now, but it’s also proven to be a struggle to find funding to attract attention, to be recognized within the IGF system, and this all has still not been solved satisfactorily, but this has led to ideas on how to organize ourselves in a different way, and that is what we’re seriously studying at this moment. We’re looking at two options simultaneously. The leadership team, and that is Mark Carvell, who’s sitting next to me, who’s the rapporteur of this session, who is our senior policy advisor, and our working group chairs. We have decided to try and come to apply, or to apply to become an Internet Society special interest group, because this will allow IS3C to reach out beyond the IGF, but also to bring funding of projects closer. This does not mean that we will not remain a dynamic coalition, because we will, only that we are spreading our wings, and this is also logical. If we manage to set the next step, and that is what we strive to do, to move from theory to practice, to come up with a recommendation, to turn them into capacity building programs or workshops or whatever we call them, we move ourselves out of the IGF system, because that is not what the IGF is for. The IGF doesn’t do capacity building programs or workshops, and we do strive to do that so that there will be some form of harmonization around the world on specific topics, so that organizations start thinking the same about, for example, procurement and the Internet standards that you can procure on. So IS3C will, and is striving to become more mature, but it also means it has to organize itself differently. So what we’re also studying, and that’s the second topic, do we establish ourselves as a not-for-profit foundation? 
And that is something that people are investigating at this moment, and we get the first report on our closed EC session on Wednesday. The benefits would be, of course, that we were allowed to have members who can pay a membership fee or allowed to accept donations, and from there be funded in a more structural way, hopefully, so that our plans will go through. Well, these are our plans. I don’t know if everybody has experience with these sort of topics, then please talk to us after this session. On Tuesday at 1230, we’ll be showing the video again at the Dynamic Coalition booth, so you’re invited to join the session, and if you’re interested to join the hub, let us know, and then we will send you the invite on the first meeting that I will be organizing with Janice Richardson in January. For now, I want to thank you, the presenters also, the people online, Elif, Steven, Janice, and Kristina, Mark, for reporting, for the people in the back for the technique, thank you very much. It describes somewhere in the world, probably. Thank you very much. And for now, thank you for joining, and I hope you had a good session, which you learned some new topics, and if you’re interested in IS3C, please join us and just talk to us during the week. And Nico has a final comment. Nico.

NICOLAS FIUMARELLI: Just to invite everyone also to our session on Thursday from 11.15 to 12.15 will be our main session, our joint session with the Dynamic Coalition on the IoT with our Dynamic Coalition, so you are all invited also to that session.

WOUT DE NATRIS: Thank you for reminding me, Nico. Thank you very much. Thank you, and have a very good IGF, and we’ll see you soon, probably.

WOUT DE NATRIS

Speech speed

141 words per minute

Speech length

2980 words

Speech time

1259 seconds

Need for widespread deployment of existing security standards

Explanation

WOUT DE NATRIS emphasizes the importance of implementing existing security-related Internet standards and ICT best practices more widely and rapidly. This is aimed at making online activity and interaction more secure and safer.

Evidence

IS3C has published reports on IoT security by design, tertiary secure cybersecurity education and skills, and government procurement.

Major Discussion Point

Internet Security Standards and Best Practices

Agreed with

BASTIAAN GOSLINGS

STEVEN TAN

Agreed on

Importance of implementing security standards

Plans to become an Internet Society special interest group

Explanation

WOUT DE NATRIS discusses IS3C’s plans to apply to become an Internet Society special interest group. This move aims to allow IS3C to reach out beyond the IGF and bring funding of projects closer.

Evidence

Mentions the decision made by the leadership team and working group chairs.

Major Discussion Point

IS3C Organization and Future Plans

Consideration of establishing as a not-for-profit foundation

Explanation

WOUT DE NATRIS mentions that IS3C is considering establishing itself as a not-for-profit foundation. This would allow the organization to have members who can pay a membership fee and accept donations, potentially leading to more structural funding.

Major Discussion Point

IS3C Organization and Future Plans

Goal to move from theory to practice in implementing recommendations

Explanation

WOUT DE NATRIS expresses IS3C’s goal to move from theory to practice by turning recommendations into capacity building programs or workshops. This aims to create some form of harmonization around the world on specific topics.

Evidence

Mentions the example of procurement and Internet standards that can be procured.

Major Discussion Point

IS3C Organization and Future Plans

BASTIAAN GOSLINGS

Speech speed

170 words per minute

Speech length

1480 words

Speech time

522 seconds

Importance of DNSSEC and RPKI for securing internet infrastructure

Explanation

BASTIAAN GOSLINGS highlights the critical role of DNSSEC and RPKI in securing fundamental internet technologies like the domain name system and global routing. These standards are essential for maintaining trust in online services and presence.

Evidence

The domain name system and global routing system are described as fundamentally important for the functioning of the internet overall.

Major Discussion Point

Internet Security Standards and Best Practices

Agreed with

WOUT DE NATRIS

STEVEN TAN

Agreed on

Importance of implementing security standards

Challenges in implementing security standards due to cost and complexity perceptions

Explanation

BASTIAAN GOSLINGS discusses the barriers to implementing security standards, including perceived costs and resource constraints. Many organizations view these standards as technically complex and potentially risky to implement.

Evidence

Mentions perceptions of cost, resource constraints, technical complexity, and potential risks associated with implementation.

Major Discussion Point

Internet Security Standards and Best Practices

STEVEN TAN

Speech speed

152 words per minute

Speech length

1355 words

Speech time

531 seconds

Importance of building digital trust and secure systems

Explanation

STEVEN TAN emphasizes the critical need for building digital trust in the face of evolving cyber risks. He stresses the importance of creating secure systems that users can rely on without hesitation.

Evidence

Mentions the complexity of digital services, increasing cyber risks, and the need for digital trust in various online activities.

Major Discussion Point

Consumer Protection and Empowerment

Need for developers and service providers to prioritize security

Explanation

STEVEN TAN argues that developers and service providers have a primary responsibility to build security into their products from the start. This includes ensuring privacy, data protection, and secure development processes.

Major Discussion Point

Consumer Protection and Empowerment

Agreed with

WOUT DE NATRIS

BASTIAAN GOSLINGS

Agreed on

Importance of implementing security standards

Role of certifications and security labels in empowering consumers

Explanation

STEVEN TAN discusses the importance of certifications, security labels, and standards in empowering consumers. These tools provide transparency and give companies a competitive edge when they prioritize security.

Evidence

Mentions initiatives like the internet hygiene portal, safe app standard, and cybersecurity labeling scheme for IoT products in Singapore.

Major Discussion Point

Consumer Protection and Empowerment

Agreed with

KRISTINA MIKOLIŪNIENĖ

Agreed on

Consumer education and empowerment

Need for shared threat intelligence and common security standards

Explanation

STEVEN TAN emphasizes the importance of global cooperation in cybersecurity, including shared threat intelligence and common security standards. This cooperation is crucial for building collective resilience and ensuring no country is left vulnerable.

Evidence

Mentions partnerships with key industry players like Akamai, Google, Microsoft, and non-profit organizations like APNIC and Internet Society.

Major Discussion Point

International Cooperation on Cybersecurity

Agreed with

KRISTINA MIKOLIŪNIENĖ

Agreed on

International cooperation in cybersecurity

Importance of partnerships between countries and industry

Explanation

STEVEN TAN stresses the need for international partnerships between countries and industry to create a united front against cyber threats. These collaborations are essential for addressing cross-border cyber threats effectively.

Evidence

Mentions the potential benefits of such partnerships, including better protection, enhanced trust, and more resilient digital services.

Major Discussion Point

International Cooperation on Cybersecurity

Importance of balancing regulation and incentives for industry adoption

Explanation

STEVEN TAN argues for a balance between regulation and incentives to motivate companies to adopt stronger security measures. He suggests that clear duty of care rules can push ICT providers to adopt stronger security measures, while incentives can encourage them to exceed minimum requirements.

Evidence

Mentions initiatives in Singapore like the internet hygiene portal, safe app standard, and cybersecurity labeling scheme for IoT products.

Major Discussion Point

Internet Security Standards and Best Practices

Differed with

KRISTINA MIKOLIŪNIENĖ

Differed on

Approach to regulation and incentives

KRISTINA MIKOLIŪNIENĖ

Speech speed

111 words per minute

Speech length

1533 words

Speech time

828 seconds

Need for holistic approach to internet security regulation

Explanation

KRISTINA MIKOLIŪNIENĖ advocates for a comprehensive approach to internet security regulation. This involves impacting market participants at various levels, from interconnection to addressing issues like fraud and child sexual abuse material online.

Evidence

Mentions RRT’s role in market analysis, frequency allocation, and addressing various internet-related issues.

Major Discussion Point

Internet Security Standards and Best Practices

Differed with

STEVEN TAN

Differed on

Approach to regulation and incentives

Importance of raising awareness and educating consumers

Explanation

KRISTINA MIKOLIŪNIENĖ emphasizes the importance of educating consumers about internet safety. She highlights the role of regulatory authorities in helping consumers navigate the internet space safely.

Evidence

Mentions RRT’s role in consumer dispute resolution and efforts to make the internet safer, especially for minors.

Major Discussion Point

Consumer Protection and Empowerment

Agreed with

STEVEN TAN

Agreed on

Consumer education and empowerment

Value of learning from other countries’ experiences

Explanation

KRISTINA MIKOLIŪNIENĖ stresses the importance of international cooperation and learning from other countries’ experiences in addressing internet security issues. She argues that this approach can help avoid repeating mistakes and lead to more effective solutions.

Evidence

Mentions a Lithuanian proverb about learning from others’ mistakes and the importance of collecting experiences from other countries.

Major Discussion Point

International Cooperation on Cybersecurity

Agreed with

STEVEN TAN

Agreed on

International cooperation in cybersecurity

Need for clear problem definition and active participation

Explanation

KRISTINA MIKOLIŪNIENĖ emphasizes the importance of clearly defining the problem and involving active participants in international cooperation efforts. She suggests that this approach is crucial for addressing internet security issues effectively.

Evidence

Mentions the need to find a narrow description of the problem and involve the right people in the process.

Major Discussion Point

International Cooperation on Cybersecurity

NICOLAS FIUMARELLI

Speech speed

125 words per minute

Speech length

487 words

Speech time

232 seconds

Analysis of IoT security regulatory documents across countries

Explanation

NICOLAS FIUMARELLI discusses the comprehensive analysis of IoT security regulatory documents across 18 different countries and regions. The analysis identified 442 different best practices in four key areas: data privacy, secure updating, user empowerment, and operational resilience.

Evidence

Mentions the identification of 442 best practices across 18 different countries and regions.

Major Discussion Point

Emerging Technologies and Future Challenges

ELIF KIESOW CORTEZ

Speech speed

146 words per minute

Speech length

265 words

Speech time

108 seconds

Need for research on societal impacts of IoT and post-quantum cryptography

Explanation

ELIF KIESOW CORTEZ outlines a new research project focusing on the societal impacts of IoT and post-quantum cryptography. The project aims to provide a multidimensional analysis looking at societal, legal, economic, and environmental impacts.

Evidence

Mentions the collaboration between Working Group 1 and Working Group 9, and the plan to provide policy recommendations at both state and organization levels.

Major Discussion Point

Emerging Technologies and Future Challenges

JOÃO MORENO FALCÃO

Speech speed

114 words per minute

Speech length

139 words

Speech time

72 seconds

Importance of understanding social implications of current IoT security status

Explanation

JOÃO MORENO FALCÃO emphasizes the need to understand the social implications of the current IoT security status. He argues that it’s crucial to consider what would happen if the current security levels are maintained and what changes are needed to make society safer regarding IoT.

Major Discussion Point

Emerging Technologies and Future Challenges

Agreements

Agreement Points

Importance of implementing security standards

WOUT DE NATRIS

BASTIAAN GOSLINGS

STEVEN TAN

Need for widespread deployment of existing security standards

Importance of DNSSEC and RPKI for securing internet infrastructure

Need for developers and service providers to prioritize security

Multiple speakers emphasized the critical need for implementing existing security standards to enhance internet security and maintain trust in online services.

International cooperation in cybersecurity

STEVEN TAN

KRISTINA MIKOLIŪNIENĖ

Need for shared threat intelligence and common security standards

Value of learning from other countries’ experiences

Both speakers stressed the importance of international cooperation in addressing cybersecurity challenges, sharing knowledge, and developing common standards.

Consumer education and empowerment

STEVEN TAN

KRISTINA MIKOLIŪNIENĖ

Role of certifications and security labels in empowering consumers

Importance of raising awareness and educating consumers

Both speakers highlighted the need to educate and empower consumers about internet safety and security through various means such as certifications, security labels, and awareness programs.

Similar Viewpoints

Both speakers recognized the challenges in implementing security standards and emphasized the need for a balanced approach that combines regulation with incentives to encourage adoption by the industry.

BASTIAAN GOSLINGS

STEVEN TAN

Challenges in implementing security standards due to cost and complexity perceptions

Importance of balancing regulation and incentives for industry adoption

These speakers all emphasized the importance of understanding the broader implications of IoT security, including its societal impacts and the need for comprehensive research and analysis.

NICOLAS FIUMARELLI

ELIF KIESOW CORTEZ

JOÃO MORENO FALCÃO

Analysis of IoT security regulatory documents across countries

Need for research on societal impacts of IoT and post-quantum cryptography

Importance of understanding social implications of current IoT security status

Unexpected Consensus

Holistic approach to internet security

KRISTINA MIKOLIŪNIENĖ

STEVEN TAN

Need for holistic approach to internet security regulation

Importance of building digital trust and secure systems

Despite coming from different backgrounds (regulatory authority and cybersecurity agency), both speakers emphasized the need for a comprehensive approach to internet security that goes beyond technical measures to include trust-building and broader regulatory frameworks.

Overall Assessment

Summary

The main areas of agreement included the importance of implementing security standards, the need for international cooperation in cybersecurity, and the significance of consumer education and empowerment. There was also consensus on the challenges of implementing security standards and the need for a balanced approach combining regulation and incentives.

Consensus level

The level of consensus among the speakers was relatively high, particularly on the fundamental issues of cybersecurity and the need for international cooperation. This consensus suggests a shared understanding of the critical challenges in internet security and the potential for collaborative efforts to address these issues. However, there were some variations in emphasis and approach, reflecting the diverse backgrounds and perspectives of the speakers.

Differences

Different Viewpoints

Approach to regulation and incentives

STEVEN TAN

KRISTINA MIKOLIŪNIENĖ

Importance of balancing regulation and incentives for industry adoption

Need for holistic approach to internet security regulation

While both speakers emphasize the importance of regulation, STEVEN TAN advocates for a balance between regulation and incentives, whereas MIKOLIŪNIENĖ focuses more on a comprehensive regulatory approach without explicitly mentioning incentives.

Unexpected Differences

Overall Assessment

Summary

The main areas of disagreement were subtle and primarily focused on the approach to regulation and the specific aspects of international cooperation to prioritize.

Difference level

The level of disagreement among the speakers was relatively low. Most speakers generally agreed on the importance of cybersecurity, international cooperation, and the need for improved standards and practices. The differences were mainly in the nuances of approach rather than fundamental disagreements. This low level of disagreement suggests a general consensus on the importance of the issues discussed, which could facilitate more unified action in addressing cybersecurity challenges.

Partial Agreements

Both speakers agree on the importance of international cooperation, but STEVEN TAN emphasizes shared threat intelligence and common standards, while KRISTINA MIKOLIŪNIENĖ focuses more on learning from others’ experiences and avoiding mistakes.

STEVEN TAN

KRISTINA MIKOLIŪNIENĖ

Need for shared threat intelligence and common security standards

Value of learning from other countries’ experiences

Takeaways

Key Takeaways

There is a need for more widespread deployment of existing internet security standards and best practices.

Consumer protection and empowerment are crucial for building digital trust and securing the internet.

International cooperation is essential for addressing global cybersecurity challenges.

Emerging technologies like IoT and quantum computing pose new security risks that need to be studied and addressed.

The Internet Standards Security and Safety Coalition (IS3C) is working to move from theory to practice in implementing cybersecurity recommendations.

Resolutions and Action Items

IS3C to start a new project on IoT security and post-quantum cryptography, with a report to be delivered at IGF 2025

IS3C to organize a first event on consumer protection in the new year

IS3C to apply to become an Internet Society special interest group

IS3C considering establishing itself as a not-for-profit foundation

IS3C to organize a meeting in January to discuss the creation of a cybersecurity hub

Unresolved Issues

How to effectively implement security standards across different countries and regions

How to balance regulation and incentives for industry adoption of security measures

How to address the fragmentation of IoT security best practices across different jurisdictions

How to prepare for the security implications of quantum computing on existing infrastructure

Suggested Compromises

Balancing regulatory requirements with industry incentives to promote security adoption

Combining mandatory security standards with voluntary labeling schemes to empower consumers

Collaborating internationally while respecting national sovereignty in cybersecurity matters

Thought Provoking Comments

We learned a couple of years ago when we did a study that in fact, young people are coming out of tertiary education, they’re really not prepared to kickstart their career in industry. Industry is decrying this lack, decrying the gap and asking for better tertiary education.

Speaker

Janice Richardson

Reason

This comment highlights a critical gap between education and industry needs in cybersecurity, challenging assumptions about the effectiveness of current educational approaches.

Impact

It shifted the discussion towards the importance of education reform and industry collaboration in cybersecurity, leading to ideas about creating a hub for knowledge exchange.

These in-service trainings are really not working for anyone. Young people are there making the coffee when they should be there, really understanding how cyber security needs to work, and how they can be part of a team.

Speaker

Janice Richardson

Reason

This insight critiques current training practices and suggests a need for more meaningful engagement of young professionals in cybersecurity roles.

Impact

It deepened the conversation about practical skills development and led to discussions about reforming recruitment and training procedures in the industry.

On one hand, you know, there’s the perception of cost and resource constraints, right? Like it takes additional knowledge, additional software, maybe additional hardware, control of this to manage all of this. People consider this to be quite technically complex.

Speaker

Bastiaan Goslings

Reason

This comment provides insight into the barriers to implementing security standards, highlighting both technical and resource challenges.

Impact

It shifted the discussion towards addressing practical obstacles in implementing security measures and led to considerations of how to overcome these barriers.

In Singapore, we have rolled out initiatives like the internet hygiene portal which sets a strong example by encouraging businesses to adopt secure practices by default and then publicly recognizing those that excel in security through internet hygiene rating.

Speaker

Steven Tan

Reason

This comment introduces a concrete example of how government initiatives can incentivize better security practices in the private sector.

Impact

It sparked discussion about the role of government in promoting cybersecurity and led to considerations of similar initiatives in other countries.

I think it’s important that we could advance capacity building initiatives. I think just now when Janice was actually bringing up about the hub, right, I didn’t previously heard about it before. I mean, through this platform, I actually heard about it. I’m very excited itself, whether we could actually pull in various experts on all around the place, right, to work together.

Speaker

Steven Tan

Reason

This comment demonstrates how the discussion itself led to new connections and enthusiasm for collaborative initiatives.

Impact

It reinforced the value of the discussion forum and led to increased interest in the proposed hub concept.

Overall Assessment

These key comments shaped the discussion by highlighting critical gaps in cybersecurity education and implementation, introducing concrete examples of successful initiatives, and fostering enthusiasm for collaborative approaches. They shifted the conversation from theoretical concerns to practical solutions and emphasized the need for multi-stakeholder cooperation in addressing cybersecurity challenges. The discussion evolved from identifying problems to exploring potential solutions and international cooperation opportunities.

Follow-up Questions

How to create and implement a hub for cybersecurity collaboration?

Speaker

Janice Richardson

Explanation

A hub would bring together people from various backgrounds to discuss and find solutions for cybersecurity challenges, addressing the need for better education and collaboration in the field.

How to increase deployment of DNSSEC and RPKI security standards?

Speaker

Bastiaan Goslings

Explanation

Despite being available for a long time, these standards lack widespread adoption. Increasing their deployment is crucial for improving the security of internet routing and domain name systems.

How to balance regulation and incentives in promoting cybersecurity practices?

Speaker

Steven Tan

Explanation

Finding the right mix of regulatory requirements and incentives is important to encourage businesses to adopt and exceed minimum security standards without stifling innovation.

How to establish effective international cooperation on cybersecurity?

Speaker

Steven Tan and Kristina Mikoliūnienė

Explanation

Given the borderless nature of the internet, international cooperation is crucial for addressing cross-border cyber threats and creating unified security standards.

What are the societal implications of current IoT security levels?

Speaker

João Moreno Falcão

Explanation

Understanding the broader societal impacts of IoT security vulnerabilities is crucial for developing appropriate security measures and policies.

How will post-quantum cryptography affect IoT security?

Speaker

Elif Kiesow Cortez

Explanation

The advent of quantum computing will create new security challenges for IoT devices, requiring proactive research and planning.

How can IS3C organize itself to better achieve its goals?

Speaker

Wout de Natris

Explanation

IS3C is exploring options like becoming an Internet Society special interest group or establishing itself as a non-profit foundation to expand its reach and funding opportunities.

Disclaimer: This is not an official record of the session. The DiploAI system automatically generates these resources from the audiovisual recording. Resources are presented in their original format, as provided by the AI (e.g. including any spelling mistakes). The accuracy of these resources cannot be guaranteed.