Open Forum #28 How to procure Internet, websites and IoT secure and sustainable

Summary

This discussion focused on the use of internet.nl, an open-source tool for measuring and improving internet security standards, and its adoption in various countries. The tool allows organizations to test their websites and email systems for compliance with modern security standards. Representatives from the Netherlands, Brazil, Singapore, and Japan shared their experiences and plans for implementing similar tools.

Key points included the importance of transparency in security ratings, the role of government in promoting adoption, and the potential for these tools to drive improvements in cybersecurity practices. The Dutch approach of using procurement processes to encourage better security practices was highlighted. Participants also discussed the challenges of implementing such tools in developing countries and the need for proactive measures to ensure no country is left behind in adopting internet security standards.

The discussion then shifted to sustainability in digital systems, introducing the concept of the “twin transition” – balancing digitalization with sustainability. The Dutch Coalition for Sustainable Digitalization was presented as an example of a public-private partnership addressing this issue. The importance of sustainable IT procurement was emphasized, with a focus on energy efficiency, emission reduction, and circular economy principles.

Overall, the session underscored the interconnected nature of internet security, sustainability, and procurement practices. It highlighted the potential for tools like internet.nl to drive improvements in these areas and the importance of international collaboration in addressing these challenges.

Keypoints

Major discussion points:

– Internet.nl tool for measuring adoption of internet security standards

– International efforts to implement similar tools (Brazil, Singapore, Japan)

– Using procurement processes to drive sustainability in IT

– Combining digitalization and sustainability efforts

– Building critical mass to influence big tech companies on security standards

Overall purpose:

The discussion aimed to share information about the Internet.nl tool for measuring internet security standards adoption, highlight international efforts to implement similar tools, and explore how procurement can be used to drive both security and sustainability improvements in IT.

Tone:

The tone was informative and collaborative throughout. Speakers shared their experiences and insights in a constructive manner, with an emphasis on learning from each other and working together to improve internet security and sustainability globally. There was a sense of optimism about the potential for these tools and approaches to make a positive impact.

Speakers

– Wout de Natris: Coordinator of the Internet Standard Security and Safety Coalition

– Wouter Kobes: Standardization Advisor at the Netherlands Standardization Forum

– Annemieke Toersen: Senior Policy Advisor at the Netherlands Standardisation Forum

– Gilberto Zorello: Project coordinator at NIC.br (Brazil)

– Steven Tan: Assistant director at the Cyber Security Agency of Singapore

– Daishi Kondo: Associate professor at Osaka Metropolitan University

– Hannah Boute: Program coordinator for the Dutch Coalition for Sustainable Digitalization

– Rachel Kuijlenburg: Coordinator sustainability for Logius, Ministry of the Interior (Netherlands)

– Coen Wesselman: Rapporteur for the session

Additional speakers:

– Flavio Kenji Yanai: System developer at NIC.br (Brazil)

– Peter Zanga Jackson, Jr.: From the regulatory body in Liberia

– Shawna Hoffman: With Guardrail Technologies

– Munzel Mutairi: CEO of Nataj Al Fikr

Internet Security Standards and Sustainable Digitalisation: A Global Perspective

This comprehensive discussion focused on the implementation and promotion of internet security standards through tools like internet.nl, as well as the integration of sustainability principles in digital systems. Representatives from various countries shared their experiences and plans, highlighting the importance of international collaboration in addressing these challenges.

Internet Security Standards and Assessment Tools

The discussion began with an introduction to internet.nl, an open-source tool developed in the Netherlands for measuring and improving internet security standards adoption. Wouter Kobes, Standardization Advisor at the Netherlands Standardization Forum, emphasised that the tool provides a quick assessment of an organisation’s ICT environment security. Wout de Natris, Coordinator of the Internet Standard Security and Safety Coalition, added that it allows organisations to test themselves and improve their security posture. Importantly, it also enables governments to test organizations and pressure them to enhance their security practices.

Several countries have implemented or expressed interest in similar tools:

1. Brazil: Gilberto Zorello, Project coordinator at NIC.br, reported that Brazil has implemented Top.br, with increasing adoption rates.

2. Singapore: Steven Tan, Assistant director at the Cyber Security Agency of Singapore, shared that they have developed the Internet Hygiene Portal (IHP). Since its launch in 2022, IHP has conducted over 200,000 scans with users from across 40 countries, with more than 45% of domains showing improvements from their initial scan to their most recent evaluation. Singapore also introduced the Internet Hygiene Rating Initiative.

3. Japan: Daishi Kondo, Associate professor at Osaka Metropolitan University, expressed interest in implementing a Japanese version of the tool.

Government Strategies for Promoting Internet Standards

Speakers highlighted various government strategies to promote internet standards adoption:

1. The Netherlands: Annemieke Toersen, Senior Policy Advisor at the Netherlands Standardisation Forum, outlined a three-fold strategy involving mandates, monitoring, and community building. She noted that the Dutch government mandates specific open standards through a “comply or explain” list.

2. Singapore: Steven Tan explained that Singapore uses a transparent rating system to shift industry behaviour towards better security practices.

3. Brazil: Gilberto Zorello shared that Brazil promotes their tool through industry meetings and events.

A key point of agreement was the importance of engaging with major technology companies to improve standards support. Annemieke Toersen emphasised that by collaborating with other countries, they create a critical mass that enables more effective negotiations with suppliers.

International Collaboration and Challenges

The formation of an international community to share experiences with internet.nl-like tools was highlighted as a positive development. This collaboration was seen as crucial for creating a unified approach to improving internet security globally. The community plans to meet twice a year online, with the first meeting scheduled for spring 2025.

However, the discussion also revealed challenges faced by developing countries in adopting these standards. Peter Zanga Jackson, Jr., from the regulatory body in Liberia, raised concerns about the disparity in internet development between countries and sought guidance on how regulators in developing nations could implement tools like internet.nl with limited resources.

Sustainable Digitalisation

The latter part of the discussion shifted focus to sustainability in digital systems, introducing the concept of the “twin transition” – balancing digitalisation with sustainability.

Hannah Boute, Program coordinator for the Dutch Coalition for Sustainable Digitalization, presented their organisation as an example of a public-private partnership addressing this issue. She briefly mentioned the Corporate Sustainable Reporting Directive in the EU as a relevant development in this area.

Rachel Kuijlenburg, Coordinator sustainability for Logius at the Ministry of the Interior (Netherlands), emphasised the importance of sustainable IT procurement. She highlighted a framework for minimising energy needs and emissions in IT, noting that 80% of IT’s environmental footprint comes from hardware production. Kuijlenburg presented a sustainability framework based on the “refuse, reduce, reuse” strategy, although it was noted that her slide was in Dutch. She also discussed the SARD legislation in Europe related to procurement practices.

Key points in sustainable digitalisation included:

1. Focus on sustainable procurement of IT

2. Development of frameworks to minimise energy needs and emissions

3. Importance of contract management in sustainable IT procurement

Conclusions and Future Directions

The discussion underscored the interconnected nature of internet security, sustainability, and procurement practices. It highlighted the potential for tools like internet.nl to drive improvements in these areas and the importance of international collaboration in addressing these challenges.

Key takeaways included:

1. The effectiveness of tools like internet.nl in assessing and improving internet security standards adoption

2. The value of government strategies involving mandates, monitoring, and community building

3. The potential of international collaboration to influence big tech companies

4. The growing focus on sustainable digitalisation, particularly in IT procurement

Unresolved issues and areas for further exploration included:

1. Effective implementation of internet security tools in developing countries with limited resources

2. Development of specific metrics or targets for sustainable IT procurement

3. Balancing security and sustainability requirements in IT procurement

The discussion concluded with a call for continued international cooperation and the development of workshops and capacity-building initiatives to implement internet security recommendations globally. As a light-hearted note, it was mentioned that internet.nl t-shirts were available at the end of the session.

Wout de Natris: which is a tool that tells you how secure your ICT environment is within seconds. Two, Internet.nl is an international community, launched in 2020. And your environment… There is no sound at the moment, so… I hear you, and I hear myself as well. Continue? There was a sound issue. Sorry for that. Three, ICT and sustainability is becoming an ever more serious topic, and it is discussed in the final part of the session. In the panel discussion, you will learn how the Dutch government uses procurement and how it negotiated with big tech to deploy… … Also, you will hear from other organizations that work with the Internet.nl tool, or in the future. I think the mic… Electricity wasn’t really working anymore, so I got a new microphone. So, the big tech to deploy important Internet standards. Also, you will hear from other organizations that work with the Internet.nl tool, or strive to do so and learn from their experiences. There will be ample time to ask questions after the two panels, but first, a short survey. Please show your hands. Who in the room is familiar with Internet.nl? I see a few hands. Who has used Internet.nl? And are you interested to deploy it in your country? Yes, but you have. Okay, thank you very much, but without further ado, let me… introduce the first speaker. Wouter Corbis from the Standardization Advisor at the Netherlands Standardization Forum is going to take you through the internet.nl tool and how it works.

Wouter Kobes: So Wouter, the floor is yours. Thank you very much Wout. Yes, so we will talk about measuring adoption of standards to improve security and for that we use the internet.nl tool. And on the next slide we first have a motto. Why are we using internet standards? Well, to keep our internet open, free and secure. However, those standards do not implement themselves. You have to implement them actively. And to support this adoption of standards we developed the internet.nl tool which can be used to measure your adoption of these important standards. And for demonstration purposes we measured the IGF donors and partners for this event using our dashboard. And the dashboard is a measuring tool which you can automatically measure multiple domain names on the adoption of email and website standards. As you can see here, this is just a snippet of our results from last week. The adoption of standards for IGF donors is not optimal yet. However, some scores are over 50% which is actually pretty good considering international standard adoption. This dashboard can be used for scheduled scanning and also for trend monitoring over time and is regularly updated using the latest standards and measurements. And on the next slide you can see a more detailed scanned result when you use our internet.nl website to scan individual domain names. Quite ironically, the IGF website of this year did not perform too well. And the nice thing is that we do not only present a score to each domain name but we also explain why this score is given and give guidance to how to improve your score. For instance, in this case, to enable some settings to protect your HTTP as connection better. On the next slide, you can see who is behind internet.nl, which is a private public collaboration of organizations in the Netherlands and outside. And we also are striving to more international use of internet.nl. And on the next slide, you can see some of our international users. We are used at the moment in Brazil, in Portugal, in Denmark, and well, hopefully after this session, you get inspired to use internet.nl in your country as well. And to use internet.nl is actually quite easy because on this next slide, I will explain to you that internet.nl is an open source software program. It’s available on GitHub if you really want to reuse it yourself. However, if you’re not in the capacity to host your own internet.nl instance, you can also use our dashboard or API functionality. For that, I ask you to send us an email at question at internet.nl, in which we will give you access to our tooling. And as already introduced by Wout, we are also launching a new international initiative where you can actually participate in using internet.nl internationally. So if you’re interested in joining that user community, please send an email to international at internet.nl. And then I thank you for your attention.

Wout de Natris: Martin, and actually, if you mail to that email address, internet.nl, or sorry, [email protected], then it’s me that will respond to you because I am recently appointed as its coordinator. That if you want to test it yourself, just. now you can because you can just type in internet.nl and for example type in the URL of your bank or your organisation and you will immediately see within about 30 seconds what the security of your organisation is. That is what the tool tells you and the sort of message you can actually take. Thank you again Wouter for the presentation. We’re going into the panel discussion which we have four participants in and the first participant is Annemieke Toersen of the platform Internet Standards and Standardisation Forum and she was a Senior Policy Advisor at the Netherlands Standardisation Forum. So Annemieke please.

Annemieke Toersen: Thank you very much Wouter for your brief introduction and thank you Wouter for showing us the advantages of internet.nl. And thank you for joining our session. Lately also more people came into the room. Thank you very much indeed. My name is Annemieke, Annemieke Toersen from Netherlands Standardisation Forum and this is a think tank and aims for more interoperability of the Dutch government and open standards are key to this goal. Think about interoperability for trustworthy data exchange or security which influence of course the trust positively. Interoperability as government is obliged and to inform the society as a whole and neutrality. No dependency on vendors is very important in this case. The forum is actively promotes and advises the Dutch government about the usage of standards and you have to consider that it’s about 25 people from various backgrounds. So you think about government, business and science. And when it comes to internet standards the Dutch government has a threefold strategies shown in the next sheet and I briefly go through it. It’s a bit, it’s another sheet. It’s backwards. Yes that’s the one. Thank you very much. First, we mandate specific open standards. We can do so by including standards on the comply or explain list. This is done after careful research, in which we also consult technical experts. Standards on this list should be required when governments are investing in new IT systems or services. As we survey under some bigger ICT organizations within the Dutch government, we have seen quite some progress using open standards. However, it also became clear that some organizations have not yet moved yet on. In addition to a comply or explain, the standardization forum can also make agreements with ultimate implementation dates, and we have already done so far for several modern internet standards like HTTPS and DNSSEC and as well as RPKI. Firstly we mandate, by law, specific open standards, for instance with the open standards HTTPS and HSTS. Second, we go for monitoring to promote the adoption of standards, reviewing tenders and procurement documents. And for modern internet standards, we happily use internet.nl, as just mentioned, to frequently measure over about two and a half thousand government domains, so that’s pretty much. Finally number three, we invest in community building. We try to bridge the gap between technical experts and governmental officials, therefore we are really happy with the internet standard platforms and are actively participating. This cooperation enables us to be more effective, helpful to governments with their technical questions and also with their questions regarding how to request modern internet standards for their vendors. If you watch for community building and international collaboration for digital standards, we engage several efforts, for instance, the Platform Internet Standard and the Secure Mail Coalition. And our international initiatives include MESHEU, collaboration with European countries. Wouter mentioned already countries like Denmark and Czech and Portugal. But Internet.nl as well, you encode reused and partners like Australia and you further on hear Flavio from Brazil and Denmark to greater critical mass. What we do, we actively reach out to vendors and hosting providers like Cisco, Microsoft, Open Exchange, Google and Akamai. And this approach inspired Denmark to adopt similar practices, resulting in successes such as Microsoft’s announcement of full support for the Dane email security standards on Exchange Online last October. We are pretty proud for that. This achievement is partly due to ongoing correspondence and discussions between the Dutch government and Microsoft since 2019. And by lobbying other countries, we create a critical mass that enables more effective negotiations with suppliers. Our experience with Microsoft demonstrates the importance of formalizing agreements through concrete correspondence, which is very important, of course. This strategy can be applied to other areas, such as sustainability. Further on, we hear about them and suppliers are more inclined to modify their services when multiple governments or countries support an issue. The key is to build a critical mass and the next sheet will show you that the most important is sorry, this was the next sheet. You can show the next sheet, please. Building a critical mass is very important to find other partners and formalize agreements through concrete correspondence is a very key thing in having this succession. Thank you very much.

Wout de Natris: Thank you, Annemieke. And as you can see, is that everybody thinks that big tech, everything is in concrete. It is not until you start. discussing with them and perhaps they change their ways and make us all more secure because that apparently is what is going to happen. Now we’re going to move outside of the Netherlands and listen to what other countries have been doing so far with Internet.nl but giving it of course their own name. The first to speak is Gilberto Zorrello and he will talk about Top.br from Brazil where he’s the project coordinator at NIC.br and in the room is his colleague Flavio Kenji Yanai who is a system developer and if you have any questions about Brazil you can ask Flavio after the session. But first Gilberto,

Gilberto Zorello: the floor is yours. Hi, good afternoon for all. It’s a pleasure to be in this meeting. The implementation of Internet.nl in Brazil we call Top.nic.br. In Brazil the tool was deployed using a middle-up-down approach unlike the Netherlands. However, we hope that the key players in Brazil market will also adopt the best practices in the usage. We promote the tool in meetings that we have here in Brazil, in events of NIC.br and the Association of Internet Service Providers. We have some numbers of our utilization here in Brazil. For website tests, the unique domain that’s until now, is about 4,000 websites. The Hall of Fame is about 600 and adoption of IPv6 is about 20% only. DNSSEC signed 20% and HTTPS about 6%. We have a work with government here in Brazil. They tested many websites of government and they are working internally with the internal organs of the government to improve the implementation of the best practice here in Brazil. We mailed tests about 21,000 tests, unique domains tested. The Hall of Fame is about 80. IPv6 only 30%. DNSSEC signed 11%. The mark, the KSPF, 16%. And StartCLS, just 1%. The connection test is about 300,000 tests, more tests in this case. The UNIC-IS tested about 7,000. It’s an important number because we have here in Brazil 9,000 ASs. Then we can check that 7,000 was tested up to now. The DNS Recursive validating DNSSEC is about 210,000, 71%, and user for IPv6 is 60, 70%. It is important to say that the adoption of IPv6 in Brazil is increasing in the last year. In Brazil, the tool was, as I said, using a middle up-down approach. I don’t know if you… The other important thing is we just implemented a version of 1.7. In the next year, we will implement the 1.8 version of Internet. I don’t know if Flavio can complete some information. Flavio is okay, he says. Thank you, Gilberto, for showing us how things have changed. Were you finished? Yes, I’m finished.

Wout de Natris: Okay, that’s what I thought, but I just wanted to check to be certain. Thank you very much. It’s encouraging to see that numbers are going up because of the work that you’re doing, and I want to congratulate on that. The next person who is going to speak is going to come in from Singapore, and that is Stephen Tan. He works as an assistant director at the Cyber Security Agency of Singapore and is responsible for internet security and mobile security. Stephen, you’re working with the Internet.nl tool, or something very similar to it, for some years. Can you tell us the experience that you have in Singapore?

Steven Tan: Right. Hi, everyone. I’m Stephen. So, similar to Internet.nl, Singapore has developed our own internet hygiene portal, which is meant to improve the country’s cybersecurity landscape, right? The IHP encourages service providers to adopt key internet security best practices through a very transparent rating system. So on top of the tool itself, we have come up with a rating system to actually understand whether they, sorry, can I just double check because I’m seeing that I’m being muted here. We can hear Stephen, but you dropped away for a few seconds, but we can hear you. Okay, sure, right. So basically we came up with a transparent rating system known as our internet hygiene rating. The approach has actually helped to shift industry behavior and perspective by promoting proactive security enhancements, right? So since its launch in 2022, IHP has conducted more than 200,000 scans with users from across 40 countries, right? And importantly, more than 45% of domains have also shown improvements from their first initial scan to their most recent evaluation, right? That has actually helped to provide us with data points that IHP has reflected meaningful progress in cybersecurity readiness itself as well. So now what we have done is that similar to what internet.nl has done, we have also included an API which will be available early next year, right? That will enable seamless integration for businesses that’s looking to automate their security assessments. Several of the industry players and ICT providers have also signed up with us, showing keen interest and commitment to enhance their cybersecurity postures, right? So to date, IHP has also helped to shift the cybersecurity landscape in Singapore. We have seen ICT service providers that’s within our APAC regions like Orion and Exabytes. Basically these companies, right, they have stepped up and joined the Internet Hygiene Rating Initiative. What it means is that they have configured their websites and… email services to meet, by default, strong internet security best practices, which also means that any of the clients out there or businesses that actually goes to these providers would, by default, have a high rating of internet security best practices. So what has been even more encouraging is that even smaller ICT firms in Singapore has come on board. They are now being featured in our internet hygiene rating under this section known as the ICT website and email management providers category. I’ll provide the link later on. So it shows that more of these businesses are starting to recognize the importance of following recognized internet security best practices. By far, the responses from vendors has been great. I think similar to what internet.nl team has shared earlier on, even tech giants like Microsoft, Amazon, and Akamai has also shown willingness to collaborate with us, recognizing the tools potential to actually drive collective cybersecurity improvements. So besides this, I think Bart and I, we have been sharing notes between our engagement with Microsoft so that we know we could actually help to nudge the different tech giants into doing action to really make the internet a safer place. So to date, the involvement between us and the tech giants have also significantly signaled an industry shift towards greater cooperation and shared responsibility in maintaining a secure internet environment. So by adopting the IHP’s recommended best practices, they have also strengthened trust in their platforms while contributing to a safer digital ecosystem. Such collaboration proves that we could actually set security norms through voluntary industry engagement where transparency and fair recognition are in place. So moving forward, besides the internet hygiene portal, we are seeing similar tools like internet.nl and of course, NIC.br as a strong starting point for establishing broader security norms. And while, of course, we understand that formal regulations may come later, the primary focus of such tools itself is to really encourage voluntary adoption through industry recognition, public visibility, and of course, healthy competition. So I think kudos to the various teams here that have actually, you know, create such wonderful tools for your countries, and of course, to your region, and in fact, internationally. Thanks.

Wout de Natris: Thank you, Stephen. And I think what the three presentations show is that on the one hand, with this tool, organizations can test themselves, but also what you hear Anamika and Stephen say, that they test organizations and let them know what their current status is. And we heard from both that organizations that are tested and not tested so well have the inclination to move upwards and to better themselves and enter this Hall of Fame, but also that the big corporations are more or less exposed as being less secure. And that also means that some pressure on them starts existing to better themselves. And I think that that is one of the major factors that this tool can be so successful. We’ve heard from three organizations that have deployed. We will now hear from an organization that is looking into deployment. So I’m inviting the next speaker, Daishi Kondo. He’s an associate professor at Osaka Metropolitan University, and one of the research interests is internet security, including email security. So Daishi, can you tell us what you’re doing in Japan to make Internet.nl happen and what the challenges are that you’re running into? Thank you. Okay.

Daishi Kondo: Thank you very much. I’m Daishi Kondo from Osaka Metropolitan University. And actually, I have to say that to the best of my knowledge, the Japanese government doesn’t provide a tool similar to the internet.nl. And so I want to ask, I want to answer two questions. The first question should be like, what makes the internet.nl principle interesting for Japan? But for me, so this is just like imagination because we don’t have a similar tool. So the important point is like security visualization. So the internet.nl has like a squaring system and most people don’t know the detail of the security measures, such as SPF, DKIM and DMARC. Although it’s not necessary for people to know the detail. However, the people can understand the security level of the systems through the squaring system. So this principle allows the people to easily prepare the specification sheets for introducing the systems. For example, so we want to achieve at least like 80% of the activity level or like this. So also the, we have internet.nl have a whole of frames and the internet.nl compliant patch. So these features can create a peer pressure among the competitors within the same industry. So this should also like very interesting for me. The second question is what do you expect to achieve in Japan by using the internet.nl? So my answer is that, so the internet.nl using internet.nl can encourage the people to take better care of the systems. So currently the Japanese, in Japan, we don’t have a like standard. So the one potential use case is to create the specification sheet, therefore introducing system using a Japanese version of internet. .nl which can also be used to check the security measures implemented by the system provider. So I hope at some point we can implement Japanese internet.nl in Japan. Thank you very much.

Wout de Natris: And I wish you good luck with the implementation of internet.nl in Japan. I understand that there’s an online question. No? Then we go to the room to see if there are any questions on your side. So who would like to ask a question? Yes, please, sir. Do you have a microphone for a question in the room? Do you have a microphone? And please introduce yourself and your affiliation first, please, sir.

Audience: Firstly, my name is Peter Zanga Jackson, Jr. I’m from Liberia, from the regulatory body. My question is, our countries are far behind in terms of internet development. And now we are talking about internet. I’m hearing nl for my country will be internet.LRO. We as regulators for a developing country like mine, what can we do? What is required of the regulators to ensure that we too have internet.LRO, which is .Liberia. What can we do?

Wout de Natris: Well, I’m going to give the question to Walter, because he is working in that field. So he’s going to ask a question, answer the question. Thank you. And a very good question, indeed. Yes, thank you very much for this question.

Wouter Kobes: Like I mentioned, it is possible to reuse the code of it’s an open source project and well as a regulator I think it might be an interesting tool to also to reuse because you can of course measure standard adoption. Yeah well the question how to launch it it’s basically if you look from a technical perspective it’s simply following the installation instructions or to make use of our own tool through the dashboard or API features. Of course if you want to use this for regulatory purposes you will have to do some own work in making it land in your country, making operators, hosting providers, ISPs to actually use this tool to measure and improve their own standard adoption. But I would say the starting point for adopting adoption is making it possible to measure your adoption and therefore this source code could contribute to that. I hope that answers

Wout de Natris: your question. And I think it’s available for free so it’s not like it’s a business model it’s there for you to use if you want to start using it.

Audience: Yeah well yeah my fear is will we not be breaching because I’ll be using internet.nl we are not be creating problem by interfering into the setup of Netherlands. I won’t be interfering. Will that not create a problem for Liberia if we should start using internet.nl in Liberia? How can we handle this?

Wout de Natris: I would say that if you decide to start using it then you deploy it in your own country and from that moment you name it like Brazil for example they call it top and in Singapore they name it something else so you give it your own name it’s no longer internet.nl it’s the name that you choose. And from that moment on, it’s yours. So it’s available for free and the instructions, just exchange cards with Walter and then it will be okay. And then you can join the community that we will be setting up very soon. The first invitation will go out probably in January, early February. So please join if you would like to. Is there another question in the room? Time for one more. And is there a question? Yes. And something online, Doreen? No? Then the floor is yours. Please introduce yourself first in your field. No? Or not? Oh, okay. Yes. The lady here. Okay. Thank you.

Audience: So first off, thank you for this initiative. Please introduce yourself. Thank you so much. Shawna Hoffman with Guardrail Technologies. One of the questions that I have, I actually just looked up my website and realized we have some work to do ourselves. I come from the United States. So what advancements have you been making with the U.S. or is this something that we need to start in our country?

Wouter Kobes: I’m not quite aware actually if we have any initiative in the U.S. right now. But I think as Wouter is saying, this is partly the reason why we are having this session right now is to make this tool more known globally. And I think perhaps we can talk after this session how we could reach the U.S. as well. Because I think it’s in the end in the best interest of the internet and everyone here at the IGF to have this tool widely used and widely known. Not necessarily under the name internet.nl, but rather as a tool in your country that is known and used by as many providers as possible. So let’s talk after this session about this. Thank you.

Wout de Natris: You have a question, sir, then please introduce yourself. yourself first and your affiliation? Sure, yeah, it’s my pleasure.

Audience: My name is can you hear me? Okay, engineer Munzel Mutairi, I’m CEO of Nataj Al Fikr. My question is regarding being proactive in terms of building the capacity of countries, especially with limited resources, technical limited resources. Usually we talk, but is there like any proactive initiative where there is measuring of their, you know, infrastructure and trying to develop the infrastructure so it’s standardized as much as possible with other countries? I’m not sure if I got your question fully. Okay, for example, the gentleman from Liberia is asking and that’s a reactive to what’s happening. How about being proactive by, you know, that’s maybe by UN or international organization in the field. So to make sure that no country is left behind. So that’s my question.

Wouter Kobes: Yeah, I think that’s a very good point. Well, the power of the tool is that it is not bound to a country to test domain names. So you can actually test, like I presented, you can test the IGF website, you can test websites from all over the world, already. So the challenge is not in the technology, the challenge is in making it be adopted in those countries where the reach might be more difficult. And well, I consider this session one of our proactive measures to make this adoption more known. But if you have any ideas on that, then perhaps we can discuss it also after this session, how to make sure no one is left behind, as was introduced this morning as well. Thank you.

Wout de Natris: Yes, thank you. And I think what I can add, if you would like to be proactive on this, you can use internet.nl to test websites in your country, and it will work. Except if you really want to measure your country and make it better known, it would be better then next as a next step to deploy the system yourself. But to show your countrymen, you can just use internet.nl and for example, test the bank or the government, whatever in your own country, and you will get the results also. So that’s perhaps a more proactive way to start. And thank you for your question.

Steven Tan: Maybe I can answer to that question as well. I think firstly, right, like what the Netherlands Standardization Forum is actually doing, similar to what, you know, in Singapore, CSA, what we are trying to preach here is that when we identify the various best practices here, or these various modern standards itself, right, what we are trying to do is that we are coming up with a list to set a series of standards that all countries, and hopefully at an international level, can deploy. So while we, and we do believe that, you know, no country should be left behind when it comes down to secure internet adoption. By creating all these best practices available, like on internet.nl, or NIC.br, or the internet hygiene portal on the CSA government’s website, right, what we are trying to do is that every country should embrace this, and that, you know, this is where we have gone through the pain and various efforts that we have tried many standards out there. And then we have also tried things that by then is already dated, right, and that new technologies are coming along the way, and that we have curated this list for everybody to use it. So for countries who are now starting to embrace internet, and to start to take on these various standards, right, the by de facto great standards that many have already tested, and tried, and have also learned our lessons, right, more or less the correct answers are now available. And that for you who are trying to, you know, really trying to get your internet up now, these standards are perhaps, I wouldn’t say it’s the best, but if it will be to second or one another, right, that you may want to actually look at these standards and then, you know, adopt it across your country and then have your ICT providers also develop and actually adopt such best practices. They would, by default now, be great and useful, especially with that many countries have actually already tried and tested already. So this is what we are trying to do here.

Wout de Natris: Yes, thank you very much, Stephen. And apologies that I didn’t understand where the voice came from, because we can’t see anybody online here. So thank you for that comment, because it’s very significant and I think very explanatory. I see the gentleman asking the question, saying thank you and nodding. As we have only an hour, we are going to move into the second section of our open forum, and that is on sustainability. And many of them in the room will have knowledge and most likely opinions on sustainability and the role that different stakeholders have to play to reach a more sustainable future for all living creatures. But how to go about this? Well, the Dutch government is working on a novel approach and use procurement processes. But what is the plan? What is the current state of the plan? What actions can we look forward to? And these are more questions will be answered by Hannah Bouten, whose program coordinator for the Dutch Coalition for Sustainable Digitalization. And then next, Rachel Kuylenburg, who is coordinator sustainability for Logius, which is a part of the Ministry of the Interior. And Rachel is committed to getting sustainable IT a step further. But first we hear Hannah about the project and then Rachel more about the policy side of it. So Hannah, please first.

Hannah Boute: Thank you so much, Wout, and thank you all live in RIAZ and here online for attending the session. And I’d like to take you along and make the bridge from security. sustainability and in the Netherlands we do that with the Dutch coalition for sustainable digitalization. So if I could have the next slide please. So to start with the internet obviously is part of a digital system and that digital systems shouldn’t only be secure but also sustainable. If we zoom out in Europe we call this the twin transition. So we’re in a digitalization transition but the other side of the digitalization transition is the sustainability transition. We see a growth of connections and growth in quality and also technology becoming more efficient but nevertheless we as human beings have the tendency to use efficiency that comes free. So if we can go to the next slide please. So that means that we have to see digitalization in terms of sustainability as well and we can look at sustainability of the digital system in three scopes and the first scope has to do with your own company. Think of your company facilities but also the vehicles of your company. We call this scope one and also scope two where purchasing comes in perspective. So the emissions you make by purchasing energy for example and scope three has to do with the indirect responsibility you have when you purchase something throughout the supply chain and also the distribution to your end consumer. And with regards to IT you can think about e-waste and also the scarcity of minerals and metals. So next slide please. So in the Netherlands we try to give this so-called twin transition. We try to drive it forward. in a public-private cooperation since stakeholder groups all have to play a role in this transition. And here you see a number of the logos of the parties we cooperate with. The Coalition for Sustainable Digitalization is possible with help of all these parties and especially together with the Ministry of Economic Affairs, together with the coalition and the Ministry of Economic Affairs in the Netherlands, we created the Action Plan for Sustainable Digitalization which has analyzed and identified several action points to be able to move this transition forward. If we can go to the next slide please. And we do that in four program lines and that is visualized in this House of Sustainable Digitalization. A very important slide is the first program line technological innovation. This has to do with sustaining the digital system and within the coalition we focus on sustaining artificial intelligence since the big adoption of sustainable intelligence. But also we’re looking at how to make internet more sustainable. Then on the right you see sustainable by IT and as you already heard in my introduction, digitalization needs energy and therefore we’re looking into the relation between the energy system and the digital system. But also making the IT of organizations more sustainable is a very important program line. In the European Union we currently have a directive, it’s called the Corporate Sustainable Reporting Directive, which makes companies to report about the three scopes I just mentioned. And we have several working groups working towards solutions for organizations to start their journey. to making their IT more sustainable. And a very important working group in this programme line… is the IT procurement working group… of which Rachel is our chair. And this is a very natural moment to give the word to Rachel… so she can explain a bit more how we do that with regards to procurement. Thank you so much for your attention.

Wout de Natris: And thank you, Hannah. And, Rachel, the floor is yours.

Rachel Kuijlenburg: Okay, thank you. Thank you very much for this opportunity… to talk a little bit about sustainable procurement of IT. My name is Rachel and I work for Logius… and that’s the digital government service of the Netherlands… of the Ministry of the Interior. And we maintain government-wide ICT solutions and common standards… to simplify the communication between the government and our society. As Logius, we procure a lot of IT… and that’s why I’m also chair of the working group… IT procurement within the coalition. And the proof of the pudding is in the eating… because we can talk a lot, but we should do this. So, next slide. We… Well, I… Well, here you see a policy frame. And in my former job, when I was also in sustainable or tangible world… of plastics and food waste, we developed this framework… to commit our strategies to a policy within an organisation. So, we focus on refuse. That should be the strategy in the tactics is reduce and reuse. So, it was really nice to hear that our former speakers… really try to reuse the standard of the internet.com. But we strive really to… make a better sustainable footprint on IT. And that involves software, but also storage, cloud data, and hardware, because 80% of the footprint of IT is in the production of hardware. So to make sure that hardware should be, well, bought as less as possible, this framework could help. But then the question is, how to procure this? And in the next slide, we show you our focus points. And firstly, it’s really we focus on to minimize our energy needs. So energy efficiency is really impossible, very needed, within the procurement of IT. Also emission-free, so that’s focused on hardware. Also in the data centers to become CO2 neutral in 2030 or 50, whatever your policy is. And in the end, we really try to procure circular and climate proof. But then the question is, how are you going to do this? So at this moment, and that’s on the next slide, we are developing a framework. And here you can see, and it’s not its start. So please, if you want to help us, send me an email. How to really focus on several focus points in relation to hardware, software, and cloud. So in hardware, what you can see if we procure, you can really aim for energy requirements. Also there are some ISO standards or an energy audit. You can ask for. What is a very helping legislation at this moment is to see SARD within Europe. So every big company from whom we procure, they have to report their sustainability credentials. So that also will help you with to become CO2 neutral. And also for cloud, because we within Logius, but the Dutch government, we have our own data centers, but we also procure a lot of data centers. For that, we also have standards to make sure that our suppliers are trying to aim for, well, becoming as sustainable as possible. Within the coalition at this moment, we try to develop, well, a better framework. So coming year, we will focus on hardware, software and cloud. But also a very important part of the procurement is the contract management. So the next step, what we will take coming year is to do more research on how to, not only how to procure, but also how to contain within the contract management that all the IT procurement is going to be secure. So if you, the last slide, if you want to help us, or if you need any information, we are more than willing to share. Just send me an email. My email address is here within the sheet. And well, we make nice steps in procuring sustainable IT. And hopefully, with your help, we can make better steps. So thank you for the attention.

Wout de Natris: Thank you, Rachel. As everything is in Dutch on this slide, perhaps you could translate what people are reading here for them.

Rachel Kuijlenburg: Oh, yeah. Well, it’s about our aims of Logius. What I said, we are the digital government service. And it’s about well, how do I translate this in English? It’s early morning here. Accessibility, I would say. Accessibility, it’s about interaction, it’s about data exchange, the infrastructure, and it’s about standards within IT. So, these are our aims within the company and I should have used an English one. So, my apologies for this Dutch.

Wout de Natris: Sorry for putting you on the spot, Rachel. There’s one question online, but one short comment. I think what was promised is a third topic and that is how things interact between the two topics, but that is procurement. Because if you measure your internet standards, that’s the moment you know what you can procure on to make yourself more secure and the same goes for the sustainability. When you know what it’s about, then you can start procuring measures that are actually supporting sustainability. There’s a question online. I’m pointed to my cell phone. And it’s in the chat. It’s someone called Bart and he’s asking, what does the international inter.nl community focus on and is more the tool or is it usage? And Walter, would you like to answer that? I can do that myself. I think what the community is trying to do is bring together the organisations that are currently working with the internet.nl or a tool like it and the organisations that are interested to do so in the future. And what we would do is to come together twice a year and online, not physically, but online, and discuss where we actually are at this point in time and what the challenges are that we run into to learn from each other, but also, for example, to coordinate on the next step. So if we all would move together to a next evaluation of evolution of the project, then we could do so together, develop together and that way learn together. So that is what we’re going to do in the first year and after the first year we’ll evaluate and see if we continue in the same way or that we have to change it, or perhaps that there’s no interest, that’s the other option of course, but we’ll be working on that in the next year and have two sessions, probably one in the spring and one in the fall, on the Northern Hemisphere at least, and from there see how we develop. I saw there was a question in the room, no there isn’t, then I will move to Koen Wesselman who is our rapporteur, and Koen can you tell us what we went through and what the lessons are that we learned here today, Coen the floor is yours.

Coen Wesselman: Yes I can, thank you all for being here, we started this session off with a clear explanation by Wouter of what internet.nl is and what it’s doing and what it’s standing for, an open free and accessible internet for everyone. We moved into the panel discussion where Annemiek from the Dutch Standards Forum made a clear appeal to build a critical mass of countries and organisations to make lasting changes to internet standards and security. We have seen very promising presentations from the Brazilian Organisation for Internet Standards and the Cyber Security Agency from Singapore, thanks for that a lot, and we hope to see that Japan is moving, Daishi is moving forward to start an internet.nl version for Japan and monitor their internet activities. We have seen clear questions from the present person from Liberia which have been answered and Hannah and Rachel gave a clear insight into what the Netherlands is doing in combining digitalization and sustainability in a private-public cooperation with the government and companies and how procurement plays an important role in improving the situation for the Netherlands and I hope that for everyone this concludes the session.

Wout de Natris: Thank you very much Koen and this is what we will be putting online as a report for this session. I think that we’ve learned a lot in this session and I’m not going to repeat what Koen said because that is the summary already but I think that what is important to know that if you want to procure products you have to know what you’re buying and you can only know what you’re buying when you test it beforehand and I think that is a lesson that we’re starting to learn where sustainability is concerned but also where the security of the internet is concerned and I’ve got a minute so I will make some advertisement about the dynamic coalition that I’m chairing also and I’m a coordinator of which is called Internet Standard Security and Safety Coalition which functions within the IGF and internet standards as I say is the main part that we’re working on and to make sure that procurements start happening especially within governments that they procure secure by design but also to watch education and skills and how our youth trained on cybersecurity and tertiary cybersecurity and can we improve that in the future because there seems to be a skills gap of about 20 years what we’ve been hearing but we’re also looking at IOT security we’re looking at in post quantum encryption pretty soon that is starting as we speak we signed the contract on Friday to research on it but we also hope to move to the next phase and the next phase is not just looking at the theory of our recommendations but to start producing I can’t think of the word in English, but the workshops, the capacity building, so that actually our findings are being used by organizations around the world so that the world becomes inherently more safer for all the users of the internet and not just the privileged few who can afford it. So that’s where we are. For example, at internet.nl, that is me, I can say, because I will be replying to you. If you have any questions, please contact us there. And if you’re interested, you will get an invitation to the first meeting that we will be organizing pretty soon. And we’ll let you know when the first meeting happens, but it will be somewhere in the spring of 2025. But let me end here. We’re actually on time, and we had not expected that that would happen, but we say that our speakers really kept their time. I didn’t have to correct anybody at some point, so that is all kudos here. Let me thank the speakers first, because we’ve heard a lot about their experience, and I think that it’s tremendously important that we’re going to improve ourselves and make ourselves better and keep making ourselves better. It looks like with internet.nl, it’s certainly possible. Doreng, thank you for monitoring online, and Koen, thank you for rapporteuring for us. And I want to thank the technicians for setting everything up, and our scribes somewhere in the world, I don’t know where you are, but thank you very much for making sure that everything is recorded. So let me stop there. Thank you very much for your attention, and hope to meet again pretty soon. Bye-bye. It’s one thing, I think we have a few t-shirts, right? So if anybody wants an internet.nl t-shirt, it’s yours. So, thank you very much. Bye-bye. Thank you. Bye-bye. Bye-bye. Bye-bye. Bye-bye. Bye. Bye-bye. Bye-bye. Bye-bye. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Agreement Points

Importance of Internet.nl tool for measuring internet security standards

speakers

Wouter Kobes

Wout de Natris

Annemieke Toersen

Gilberto Zorello

Steven Tan

Daishi Kondo

arguments

Tool provides quick assessment of ICT environment security

Allows organizations to test themselves and improve security

Promotes adoption of important internet standards

Implemented in Brazil as Top.br with increasing adoption

Developed as Internet Hygiene Portal in Singapore

Interest in implementing a Japanese version

summary

Speakers agree on the value of Internet.nl and similar tools for assessing and promoting internet security standards across different countries.

Government strategies for promoting internet standards

speakers

Annemieke Toersen

Gilberto Zorello

Steven Tan

arguments

Dutch government uses three-fold strategy: mandate, monitor, community building

Engagement with big tech companies to improve standards support

Brazil promotes tool through industry meetings and events

Singapore uses transparent rating system to shift industry behavior

summary

Speakers highlight various government strategies to promote internet standards, including mandates, monitoring, community engagement, and collaboration with industry.

Similar Viewpoints

Both speakers emphasize the importance of engaging with major technology companies and sharing best practices internationally to drive improvements in internet standards.

speakers

Annemieke Toersen

Steven Tan

arguments

Engagement with big tech companies to improve standards support

Sharing best practices internationally

Unexpected Consensus

Interest from developing countries in adopting standards

speakers

Audience

Wouter Kobes

arguments

Interest from developing countries in adopting standards

Tool provides quick assessment of ICT environment security

explanation

The interest from developing countries in adopting internet standards and tools like Internet.nl was unexpected, showing a growing awareness of cybersecurity importance across different levels of digital development.

Overall Assessment

Summary

There is strong agreement on the importance of tools like Internet.nl for measuring and promoting internet security standards, as well as the need for government strategies to drive adoption. Speakers from different countries shared similar approaches and experiences in implementing these tools and strategies.

Consensus level

High level of consensus among speakers on the core issues. This implies a growing international recognition of the importance of internet security standards and the potential for increased collaboration in developing and implementing tools and strategies to promote these standards globally.

Different Viewpoints

Unexpected Differences

Overall Assessment

summary

There were no significant disagreements among the speakers.

difference_level

The level of disagreement was minimal to non-existent. The speakers largely presented complementary information about implementing and promoting internet security standards and sustainable digitalization in their respective countries or contexts. This high level of agreement suggests a shared understanding of the importance of these tools and approaches, which could facilitate international collaboration and adoption of similar practices across different regions.

Partial Agreements

Similar Viewpoints

Both speakers emphasize the importance of engaging with major technology companies and sharing best practices internationally to drive improvements in internet standards.

speakers

Annemieke Toersen

Steven Tan

arguments

Engagement with big tech companies to improve standards support

Sharing best practices internationally

Key Takeaways

The Internet.nl tool allows organizations to quickly assess and improve their internet security standards adoption

Several countries have implemented or are interested in implementing versions of the Internet.nl tool

Government strategies involving mandates, monitoring, and community building can effectively promote internet standards adoption

International collaboration and creating a critical mass of countries can help negotiate improvements with big tech companies

Sustainable digitalization efforts are focusing on areas like sustainable IT procurement and minimizing energy needs

Resolutions and Action Items

Formation of an international community to share experiences with Internet.nl-like tools

Plans to develop a more comprehensive framework for sustainable IT procurement

Invitation for interested parties to join the Internet.nl international community

Development of workshops and capacity building initiatives to implement internet security recommendations

Unresolved Issues

How to effectively implement Internet.nl-like tools in developing countries with limited resources

Specific metrics or targets for sustainable IT procurement

Details on how to balance security and sustainability requirements in IT procurement

Suggested Compromises

Using existing tools like Internet.nl to test websites in countries without their own versions, as a starting point before full deployment

To keep our internet open, free and secure. However, those standards do not implement themselves. You have to implement them actively.

speaker

Wouter Kobes

reason

This comment succinctly captures the core purpose of internet standards and the need for proactive implementation, setting the stage for the entire discussion.

impact

It framed the subsequent conversation around the importance of tools like internet.nl in promoting and measuring the adoption of these standards.

We mandate specific open standards. We can do so by including standards on the comply or explain list.

speaker

Annemieke Toersen

reason

This insight into the Dutch government’s approach to mandating standards provides a concrete example of how to drive adoption at a national level.

impact

It sparked discussion about different approaches to promoting standards adoption, from government mandates to voluntary initiatives.

By lobbying other countries, we create a critical mass that enables more effective negotiations with suppliers.

speaker

Annemieke Toersen

reason

This comment highlights the strategic importance of international collaboration in influencing major tech companies to adopt standards.

impact

It shifted the conversation towards the global impact of coordinated efforts and the potential for smaller countries to influence industry giants.

Since its launch in 2022, IHP has conducted more than 200,000 scans with users from across 40 countries, right? And importantly, more than 45% of domains have also shown improvements from their first initial scan to their most recent evaluation.

speaker

Steven Tan

reason

This data-driven insight demonstrates the tangible impact of implementing such tools on improving internet security across multiple countries.

impact

It provided concrete evidence of the effectiveness of these initiatives, encouraging other countries to consider similar approaches.

Our countries are far behind in terms of internet development. And now we are talking about internet. I’m hearing nl for my country will be internet.LRO. We as regulators for a developing country like mine, what can we do?

speaker

Peter Zanga Jackson, Jr.

reason

This question from a representative of a developing country highlights the global disparities in internet infrastructure and the challenges faced by nations trying to catch up.

impact

It prompted discussion about how to make these tools and standards accessible and relevant to countries at different stages of internet development.

80% of the footprint of IT is in the production of hardware. So to make sure that hardware should be, well, bought as less as possible, this framework could help.

speaker

Rachel Kuijlenburg

reason

This comment introduces the important connection between IT procurement and sustainability, broadening the discussion beyond just security standards.

impact

It shifted the conversation to include sustainability considerations in IT procurement, linking the earlier discussion on security standards with environmental concerns.

Overall Assessment

These key comments shaped the discussion by broadening its scope from a focus on the technical aspects of internet standards to encompass global collaboration, the challenges faced by developing countries, and the intersection of security with sustainability. The conversation evolved from explaining the internet.nl tool to exploring its potential for driving systemic change in internet governance and IT procurement practices worldwide. The discussion highlighted the need for both top-down (government mandates) and bottom-up (community-driven) approaches to improving internet security and sustainability, while also acknowledging the disparities in resources and infrastructure between different countries.

How can developing countries implement tools like internet.nl?

speaker

Peter Zanga Jackson, Jr. (Liberia)

explanation

Important for ensuring developing countries are not left behind in internet security and standards adoption

What advancements have been made with implementing internet.nl or similar tools in the United States?

speaker

Shawna Hoffman (Guardrail Technologies)

explanation

Explores potential for expanding the use of these security assessment tools to other major internet markets

How can international organizations proactively help build capacity in countries with limited technical resources to implement internet security standards?

speaker

Engineer Munzel Mutairi

explanation

Addresses the need for a coordinated approach to ensure global adoption of internet security standards

How to improve contract management for sustainable IT procurement?

speaker

Rachel Kuijlenburg

explanation

Identified as a next step for ensuring long-term sustainability in IT procurement practices

What does the international internet.nl community focus on – is it more the tool or its usage?

speaker

Bart (online participant)

explanation

Seeks clarification on the priorities and activities of the international community around internet.nl