WS #198 Advancing IoT Security, Quantum Encryption & RPKI

19 Dec 2024 10:15h - 11:45h

Session at a Glance

Summary

This session at the Internet Governance Forum focused on the intersection of quantum encryption, Resource Public Key Infrastructure (RPKI), and IoT security in shaping the future of internet security. Experts discussed how quantum technologies are revolutionizing fields like communication and sensing, with potential applications in healthcare, defense, and environmental monitoring. However, they also highlighted the threat that quantum computing poses to current cryptographic standards, emphasizing the urgent need to develop and implement quantum-resistant encryption methods.

The discussion then shifted to RPKI, a security extension for internet routing. Speakers explained its importance in preventing route hijacks and misconfigurations, while noting challenges in adoption and implementation. They stressed the need for widespread adoption to maximize RPKI’s benefits and protect against routing vulnerabilities.

The session also touched on IoT security, particularly the challenges of implementing robust security measures in resource-constrained devices. Experts emphasized the need for lightweight, quantum-resistant protocols for IoT devices to ensure their protection in the face of advancing quantum capabilities.

A significant portion of the discussion focused on the global disparities in adopting these security measures, particularly in the Global South. Speakers highlighted the need for capacity building, resource allocation, and policy harmonization to ensure equitable adoption of advanced security protocols across different regions.

The session concluded by underscoring the critical importance of collaboration among stakeholders in addressing the challenges and opportunities presented by these emerging technologies. Participants agreed that proactive measures and international cooperation are essential to secure the digital ecosystems of the future against evolving threats.

Keypoints

Major discussion points:

– The potential impacts and security implications of quantum computing on current cryptographic systems

– The importance of implementing post-quantum cryptography and quantum-safe security measures proactively

– The role of RPKI (Resource Public Key Infrastructure) in securing internet routing and challenges with its adoption

– The need for capacity building and resources, especially in developing regions, to implement advanced security measures

– Considerations for securing IoT devices against quantum and other emerging threats

Overall purpose:

The goal of this discussion was to explore the intersections between quantum technologies, internet routing security (RPKI), and IoT security. The speakers aimed to highlight current developments, challenges, and future considerations in these areas to help prepare for a more secure digital ecosystem.

Tone:

The tone was primarily informative and forward-looking, with speakers providing technical explanations as well as policy and practical considerations. There was a sense of urgency in addressing these issues proactively, balanced with acknowledgment of the challenges involved, especially for regions with fewer resources. The tone remained consistent throughout, maintaining a focus on collaboration and the importance of multi-stakeholder efforts in addressing these complex technological challenges.

Speakers

– Nicolas Fiumarelli: Moderator

– Maria Luque: Expert in technology foresight, corporate diplomacy and quantum technologies; Managing Director of the Future of Literacy Group

– Sofia Silva Berenguer: RPKI Programme Manager at APNIC

– Wataru Ohgai: Representative from JPNIC with expertise in RPKI operations

– Athanase Bahizire: Online engagement assistant

Additional speakers:

– Yug Desai: Rapporteur from South Asian University

– Wout de Natris: Consultant for the Dynamic Coalition on Internet Standards, Security and Safety

– Michael Nelson: Commenter (mentioned in chat)

Full session report

Revised Summary of IGF Session on Quantum Encryption, RPKI, and IoT Security

Introduction:

This Internet Governance Forum session explored the critical intersection of quantum encryption, Resource Public Key Infrastructure (RPKI), and IoT security in shaping the future of internet security. Experts from various fields discussed current developments, challenges, and future considerations to prepare for a more secure digital ecosystem.

Quantum Technologies and Cybersecurity:

Maria Luque, an expert in technology foresight, opened the session by highlighting the rapid advancement of quantum technologies and their implications for cybersecurity. She emphasized that quantum sensing and communications are maturing quickly, with potential applications in healthcare, defense, environmental monitoring, and space exploration. Luque painted a picture of a future where global communications, both terrestrial and space-based, are integrated through optical networks.

The discussion emphasized the urgent threat that quantum computing poses to current cryptographic standards. Nicolas Fiumarelli, the moderator, stressed that post-quantum cryptography standards need to be implemented now, rather than waiting for quantum computers to become a reality. This sentiment was echoed by Sofia Silva Berenguer, who highlighted the vulnerability of current cryptographic systems to quantum computing threats.

Luque underscored the immediacy of the quantum threat, stating, “My message today is that not only a cryptographically relevant quantum computer and its advent is a threat to this future that I just pointed out to you, to how we leverage this data for good, not only Harvest Now and Decrypt Later is a threat to this vision alone, the threat is up today.” This statement shifted the discussion towards more urgent consideration of quantum-safe security measures and their implementation.

RPKI Adoption and Challenges:

The conversation then moved to the importance of RPKI in securing internet routing. Wataru Ohgai, representing JPNIC, reported that global IPv4 ROA coverage has exceeded 50%, indicating progress in RPKI adoption. He also noted that Tier 1 networks like Google are pushing for RPKI readiness, which is encouraging wider adoption.

Sofia Silva Berenguer highlighted that RPKI adoption faces a collective action problem, particularly for smaller network operators. She discussed the RPKI program and its challenges, emphasizing the need for capacity building and support for smaller ISPs. Berenguer also mentioned the development of ASPA (Autonomous System Provider Authorization) as a complementary security measure.

Ohgai provided a real-world example of vulnerabilities in current security systems, stating, “ROA revalidation is done based on what is written in ROA. So the trust in ROA is a considerably big issue. This year, one of the large network operators in the world located in Spain, which is a RIPE region, had their online account used for creating or modifying ROA taken by a bad actor.” This comment grounded the theoretical discussion in practical concerns, leading to more focus on operational challenges and the need for robust authentication methods.
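
The dependence of route origin validation on ROA contents, which the remark above points to, can be made concrete. The following is an added example, not material from the session or its speakers: a minimal RFC 6811 origin validator over a constructed ROA set, with a snapshot diff an operator could run to notice ROA changes they did not make. Prefixes and AS numbers are documentation values, and the names `Roa`, `validate` and `diff_snapshots` are made up for this sketch.

```python
"""Route origin validation (RFC 6811) over a constructed ROA set, plus a
snapshot diff that flags unexpected ROA changes. All prefixes and AS numbers
are documentation values (RFC 5737, RFC 3849, RFC 5398), not real routing data."""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Roa:
    prefix: str       # prefix the resource holder authorises
    max_length: int   # longest announced prefix length the ROA allows
    asn: int          # AS authorised to originate the prefix


def validate(announced: str, origin_asn: int, roas) -> str:
    """Return 'valid', 'invalid' or 'not-found' for one BGP announcement."""
    route = ip_network(announced)
    covered = False
    for roa in roas:
        roa_net = ip_network(roa.prefix)
        # A ROA covers the route only if the route lies inside the ROA prefix.
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # AS 0 in a ROA never matches any origin.
        if roa.asn != 0 and roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"
    # Covered by at least one ROA but matched by none: invalid.
    return "invalid" if covered else "not-found"


def diff_snapshots(before, after):
    """Return (added, removed) ROAs between two snapshots of one holder's ROAs."""
    before_set, after_set = set(before), set(after)
    added = sorted(after_set - before_set, key=repr)
    removed = sorted(before_set - after_set, key=repr)
    return added, removed


# Constructed sample data: the ROAs the holder intended to publish.
BASELINE = [
    Roa("192.0.2.0/24", 24, 64496),
    Roa("2001:db8::/32", 48, 64496),
]

# Constructed sample data: the same set after a change the holder did not make,
# as could follow from a takeover of the account that manages the ROAs.
CHANGED = BASELINE + [Roa("192.0.2.0/24", 24, 64511)]


def demo():
    """Validate the same announcements against both snapshots."""
    return {
        "holder_route": validate("192.0.2.0/24", 64496, BASELINE),
        "other_origin_before": validate("192.0.2.0/24", 64511, BASELINE),
        "other_origin_after": validate("192.0.2.0/24", 64511, CHANGED),
        "too_specific": validate("192.0.2.128/25", 64496, BASELINE),
        "v6_within_maxlen": validate("2001:db8:1::/48", 64496, BASELINE),
        "uncovered": validate("198.51.100.0/24", 64496, BASELINE),
        "unexpected_roas": diff_snapshots(BASELINE, CHANGED)[0],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The announcement from AS 64511 moves from invalid to valid without any change on the validating router, which is why alerting on ROA changes and protecting the account that publishes them belong with the validation itself.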

IoT Security and Global South Challenges:

Nicolas Fiumarelli highlighted the importance of creating lightweight post-quantum cryptography protocols for IoT devices, given their resource constraints. This led to a discussion on the specific challenges faced by IoT devices in implementing advanced security measures.

Athanase Bahizire, the online engagement assistant, stressed the need for harmonization of cybersecurity policies across regions. He pointed out the challenges faced by developing regions, particularly in Africa, in implementing advanced security measures. Bahizire commented, “We tend not to take very seriously cryptography as what I was giving examples whereby you know putting in place to filter authentication in your database and some other very little best practices. We are not adopting them. We are waiting for when it’s like mandatory or it’s like as a regulation to adopt it’s what is not really a good practice and it doesn’t have that much in securing our system.” This observation shifted the conversation towards discussing capacity building and the need for proactive security measures, especially in the Global South.

Future Internet Security Measures:

Looking towards the future, the speakers agreed on several key points. Ohgai emphasized the need to develop quantum-safe RPKI protocols. Fiumarelli highlighted the importance of post-quantum cryptography standards, mentioning CRYSTALS-Dilithium, CRYSTALS-Kyber, and SPHINCS+ as examples discussed during the Q&A session.

The role of the Dynamic Coalition on Internet Standards, Security and Safety (IS3C) in supporting work on quantum computing and security was also discussed, as mentioned by Wout de Natris during the Q&A.

A notable point raised during the Q&A was the potential vulnerability of blockchain and Bitcoin to quantum computing attacks, further emphasizing the need for quantum-resistant cryptography across all digital technologies.

Conclusion and Future Directions:

Yug Desai, a rapporteur from South Asian University, emphasized the crucial role of multistakeholder collaboration in addressing these complex security challenges. Nicolas Fiumarelli concluded the session by reiterating the importance of collaboration in tackling the challenges posed by quantum computing and in implementing robust security measures.

The session identified several unresolved issues, including effectively implementing quantum-safe cryptography for resource-constrained IoT devices, overcoming the collective action problem in RPKI adoption, and ensuring equitable adoption of security protocols in regions with limited resources.

Overall, the discussion highlighted the need for proactive measures, international cooperation, and continued research to secure digital ecosystems against evolving threats, particularly those posed by quantum computing advancements. The session underscored the urgency of implementing post-quantum cryptography standards and the importance of capacity building initiatives to ensure global preparedness for the quantum era of cybersecurity.

Session Transcript

Nicolas Fiumarelli: Good morning, everyone. Good afternoon. Good evening, wherever you are in the world. Let’s proceed. Okay. Welcome to our session on quantum encryption, RPKI, that is resource public infrastructure, and IoT, Internet of Things, security. We are going to tackle intersections on these future challenges. My name is Nicolas Fiumarelli. I came from a tiny country that is called Uruguay in South America. I am pleased to serve as the moderator today. Assisting with the online engagement is Athanase Bahizire, ensuring that both virtual and in-person participants are fully integrated in our discussions. The session will tackle three essential pillars for the future of the Internet security. One, the first one is quantum security, which is redefining cryptographic protocols to withstand the power of quantum computing. Just a note here, because this is the only one session about quantum computing in the entire IGF. As you may know, next year is called the year of the quantum, because of the recent advancements on this technology from the different big tech giants around the world. So, this is an important topic for us, and we needed to include it in the IGF. So, the second topic will be on the RPKI, the resource public infrastructure, that is about securing the integrity of the Internet routing. You know, this protocol that is used for routing, that is BGP, Border Gateway Protocol. And finally, the third topic will be IoT security. We will address unique vulnerabilities and availability of billions of interconnected devices worldwide. So it’s a challenge this session. So our objective is to examine the intersection of these three technologies, right? The challenges and the opportunities, particularly in shaping secure and inclusive digital ecosystems. So the format for today will include individual presentation for our expert panelists, each from each of the topics. We are offering 15 minutes of deep insights into the areas of expertise.
So following these initial presentations, we will open the floor for a 30 minutes discussion and questions and answers. One of the ideas to address policy questions and take input from both on-site participants and virtual participants. And finally, our rapporteur, Yug Desai from the South Asian University will summarize the session and share some insights about his research on the internet engineering task for the mappings. So let me now introduce our speakers and the flow of the contributions. The first speaker is… Okay. First, first speaker. Okay. Okay, first speaker is Maria Luque. Maria Luque is an expert in technology foresight, corporate diplomacy and quantum technologies. She is also the managing director of the Future of Literacy Group. She has extensive experience in creating cross-national innovation schemes to advance the integration of quantum technologies in strategic sectors. So Maria will begin the session with a presentation on cybersecurity for a quantum future, presenting a comprehensive vision of the place of quantum technologies in our shared future, highlighting development in post-quantum cryptography and quantum key distribution. So Athanase, you can confirm that Maria is online. Okay, so Maria, the floor is yours. She has a presentation to share, so maybe the technical team will help her to share screen. Maria, can you confirm you can speak? Hello? Okay, while the technical team help us to put Maria on the floor. Okay, we are waiting for the presentation. Good afternoon, can you hear me?

Maria Luque: Yes, we can hear you but we cannot see your presentation, so please wait some seconds. Some technical issues here at the stage. Can you see my screen now? Yes, we can see your screen. If you want, you can also open your camera or if you already open, we’ll tell the technical guys to put you on the screen. Let me try that. First the presentation, then you can hear me. You need to allow me to open my camera. Allow her to open the camera. You can start my presentation and then later they will allow you to put your camera down. Okay, okay. Thank you. So, good afternoon to all of you. Good afternoon, Nico. Good afternoon to those in the audience. Clever enough to pay attention to this presentation right before the closing of the IGF this year. Thank you for being here. I really want to do a brief exercise to start the session. And this is on par with you not being able to see me through video, that’s very timely, because I’m going to ask you to close your eyes, if you may, those of you in the audience. I want to paint the picture, why we think about quantum technologies today at the IGF, and go a little bit forward. So, eyes closed. By 2045, the world looks nothing like it does today. Profound transformation has taken place, and all global communications, both terrestrial and space-based, they are somehow integrated through optical networks. It is a rather sophisticated infrastructure, born from decades of collaboration and innovation, and it enables real-time data transfers at great speeds, allowing instantaneous communications across the globe, and into the farthest reaches of our solar system missions. The integration of quantum communications, in this time, has extended our reach even farther, and is facilitating secure, near instantaneous transmissions across Earth to the Moon and Mars. This breakthrough is paving the way for us humans to explore and inhabit even other planets, while advancing how we understand the cosmos.
But what’s more important, in this age, mature quantum sensing and computing technologies have helped us unlock a new era of capabilities, of possibilities. We now have distributed quantum sensing networks, and they provide us with extreme precision in environmental monitoring, in space exploration, and early warning systems for disaster in every location. This is enhancing our quality of life and our ability to protect both Earth and our expanding presence in space. Quantum computing now is deeply integrated into this global network, and it enables the confidential processing of highly, highly sensitive data, securing information that is critical to national security, to finance, and to global governance. Our relationship with trust in this era is definitely changed. These technologies have transformed sectors, ranging from healthcare to defense, enabling the secure integration of intelligence, of military and defense efforts, and it’s making it possible to effectively confront asymmetric, cyber, and kinetic threats to our infrastructures and well-being. Well, now those of you who share the audience with us can open your eyes, and you can tell them. This picture of 2045 is a bit of a yes, but it’s one of the possible futures I’d like you to start betting for starting today. Now, we set our eyes on 2045 today, but some nations and cutting-edge RTOs are getting ready for 2030. For example, the way we understand smart cities is changing with the introduction of quantum technologies, such as quantum sensing. Quantum sensing is a very mature technology, and it allows us to sense the air, the electromagnetic fields way beyond the scope of today’s parameters. Here at my presentation, you can see a crystal clear bet by TNO in the Netherlands of quantum technologies to help up communities with the energy transition. In this picture, quantum sensors can optimize the efficiency of power grids.
They can enhance battery performance and they can improve the detection of leaks in pipelines. And since sensors are abundant in every domain on the energy transition, there are countless opportunities where they can be employed to gather critical data. For example, heat and carbon uptake in industrial environments, to have better models of our reality so that we can choose to make it more sustainable. So if we are lucky, five years from today, most of the critical data that we will gather will be gathered through quantum technologies. And to make that happen, quantum computing and all applications of quantum tech are precise. We mentioned applications for environmental and climate modeling, but we can also think of wearable IoT devices with a quantum sensor transmitting live and critical biomedical data from a soldier to a logistic base. This critical data will become increasingly valuable because they say they’re going to give us a competitive advantage for the industry, a strategic advantage, for example, for defense, or more quality of living, just as we saw. And this data is going to be needed to compute and craft the knowledge models of the future. As we all know that synthetic data is short-lived. So in a few words, the learning curve of future knowledge models, AI models, to compute solutions for the energy. transition, for defense, for field security, depends on this high quality data. So we can expect in the near future that quantum technologies gathered data will be feeding up these models, first through AI power compute, which is happening today, later through quantum plus AI compute, which will be happening in the next five years, and ultimately through quantum computing. That leaves us in a scenario where this exchange coin for our well-being, which is data, is going to circulate all over Earth and space. And my message today is quite different from the one that I gave the last IGF in Kyoto last year. 
My message today is that not only a cryptographically relevant quantum computer and its advent is a threat to this future that I just pointed out to you, to how we leverage this data for good, not only Harvest Now and Decrypt Later is a threat to this vision alone, the threat is up today. I mean, the current standards for our IT and OT cybersecurity in our industry environments, in our critical infrastructures, these standards and measures are very low-key, very unclear in most cases. Some of them still operate on cybersecurity by obscurity. And the bad news is that it’s only going to get worse, because on the one side, there’s this trend of AI sub-organization of everything that is going to expose our critical infrastructure to more and more blind spots, and also our definition of critical infrastructure is growing in assets. For example, we now have satellites in LEO and ground stations for science and optical communications. So, my bet is that to protect the future that we are trying to build, that we are talking about throughout the entire IGF these years, to protect all of our collective investments in AI, in compute, in quantum, in space, a new framework of cybersecurity and networking is essential. And for this, or to make this happen, quantum security is essential. Now this year, we’re going to make it easier, I’m giving a very high-level and zoom-in and zoom-out overview of cybersecurity in the quantum era, given that today is about a multi-stakeholder future for all, I’m going to give you an overview of what we need to focus on today, tomorrow, or let’s say the day after, to unlock the kind of secure communications that we need for the next set of quantum plus AI progress in our industries. Today, the new normal of today has a focus on protection regarding quantum security. 
This means that we are working on integrating what are called post-quantum cryptography standards and quantum cryptography algorithms, such as those approved by North America’s NIST, into our existing digital and physical infrastructures. Under the belief that under a quantum computer attack, these algorithms will resist for the most part and not unveil the underlying information behind the data. We are working means with the help from the tech industry and building common understanding for this, such as under the GSMA post-quantum crypto task force, our national governments are issuing guidelines to help us start our migration to post-quantum cryptography frameworks. And most hyperscalers, such as Amazon, Google, Apple, with their iPhones, are introducing them into our daily cloud-based platforms. Also during November this year, we have seen the mandate to work on RSA keys by 2030, by North America’s NIST, and some similar statements in the European Union’s Cyber Resilience Act. So today, well, diagnosing the problem is the easy part, and we have done that. But aligning national and international policies is much harder, and we are on those efforts right now. In the meantime, if the future is quantum, as I presented earlier, the present is hybrid. The new normal of tomorrow, two day and three years from now, the focus is to gather very mature advances in quantum communications, such as quantum key distribution, which promises to render the data unusable impact to the interaction with the physical properties of light, to start hybridizing it in classical telco networks and infrastructures. The advances in QKD and quantum communications we shared last year, I can tell that they keep upscaling. For example, this last week in the European Union, we just signed a contract for the IRIS-2 constellation, and this constellation will be ready for optical communication links. So we will ensure with it the space segment of the European quantum communications infrastructure.
Regions worldwide are very active in proof of concepts of the integration of QKD into classical telco networks, for example, and again, MadQCI, the Madrid Quantum Communications Infrastructure, those in the Netherlands, or for example, GovNQ, which is a network in New York. This today, two years from now example of what we need to do to start integrating quantum communications in existing infrastructures is undergoing a lot of challenges. First one is the challenge of standardization, and this might be the second most important message of the session today for me. The challenge of working on interoperability of these technologies with existing operators and infrastructures. Also the challenge of starting the substitution of RF for optical communication ground stations globally, or even how to develop quantum memory so that we can make quantum networks with size beyond the regions that we’re working with now. Now the day after tomorrow, and this is the part where we collide with the vision at the start, to be really in 10 to 15 years we have projects such as the Quantum Internet Alliance, which is in the European Union striving to mature quantum internet working capabilities to start deploying these dreamy applications that we started the session with. Distributed quantum sensing networks, decentralized and blind computing of data between actors who don’t necessarily have to trust each other to make joint decisions. Thanks to this technology, you name it. We also have statements from NASA’s CAM program speaking about the US-led global quantum network by 2035, but we don’t have much more than that. And for global benefits to occur for this scenario of 2045 to occur, we need to build these networks as jointly as possible with interoperability as a key priority. Otherwise, the bright promise of the quantum future will turn into a zero-sum nightmare between societies. We need to start with quantum security today, right where you are.
Remember that global investment in quantum reached 42 billion in 2024, and it’s outpacing historical tech projects like the Polar project. Many people speak of a quantum Manhattan project in different countries and nations among them, China. My final message in this very high-level overview that I’m presenting today is that quantum-gathered data is needed for all of the knowledge models that we want to advance with artificial intelligence and high-performance computation. In a very short time, we’re going to deal with very sensitive data in our communication infrastructures and our critical infrastructures affecting us personally. So the time to start investing in quantum security is today, right where you are. Thank you so much, Maria. It was very clear. Your message, I think, is a huge moment we are having now in the era of the internet future. It’s important to see that the first approach is to have… I am in… Sorry, my microphone. Sorry. Okay. Can you hear me? Yes. Okay. Thank you. Thank you.

Nicolas Fiumarelli: Thank you. Thank you. Okay, sorry. What I was saying is that the first step, as Maria mentioned, is to have post-quantum cryptography. What is that? It’s to have the algorithms that we have today like RSA, AES, etc., are not quantum resistant. That means that when you send a WhatsApp message, for example, from your phone to another phone, you can see that the message is encrypted from end to end, right? But for the most powerful classical computer nowadays, it will take like 200,000 years to decrypt any WhatsApp message. But for a quantum computer, it will be so rapid, like seconds, right? So with the post-quantum cryptography algorithms, we are having a way that quantum computers will take hundreds of years to also decrypt this new cryptography. So that is like the first step, right? To have post-quantum cryptography algorithms in all the corridors of the internet and ICTs. Then the next step, if I remember from Maria’s presentation, was about the quantum key distribution. It’s a technique that uses the quantum physics to send information in a way that is teleporting information. It’s a property of the quantum physics and in this sense, no one will know your key. So once you exchange this key via the quantum network or the quantum facilities, then you can encrypt your messages with this key in the classical internet. So that is the second step. And the third step is about the quantum internet, that is that everything goes in this new model of the quantum. And the last mile is the quantum internet working session because with these sensors and with distributed quantum computing, you could have more calculations and you could have a lot more features that uses this technology. So now I am heading to Sofia. to introduce the second topic of today, that is the RPKI, and then later in our session we will address some policy questions. So we will return to you, Maria. Sofia, Sofia Silva-Berenguer is the RPKI Programme Manager at APNIC. 
She is specialising in securing internet routing and improving the adoption of cryptographic frameworks across regions. Sofia will delve into the critical role of the RPKI. RPKI is Resource Public Infrastructure. It’s a security extension for the internet routing. You know that the internet goes with packets, and these packets are being routed by something that is called autonomous systems. So Sofia will delve into the important critical role of the RPKI, explaining about route origin authorisations, there is a concept, route origin validation, that safeguard against route hijacks and misconfigurations. She will also highlight some about regional adoption challenges, ongoing capacity building efforts, and some solutions that at the IETF, you know there is a company that is, there is a standardisation body that is called the Internet Engineering Task Force, where every protocol you have heard about, HTTP, DNS, FTP, everything was made that, in that standardisation body. And they are every day having new discussions in mailing lists about different new security extensions. One of those is ASPA, Autonomous System Provider Authorisation, that is looking to secure routing paths. So with that, Sofia, the floor is yours for your presentations. Thank you.

Sofia Silva Berenguer: Thanks so much, Nico, for the introduction, and thanks for having me today. Hello, everyone. I’m connecting from Uruguay today, although I’m normally based in Australia. I’m originally from Uruguay, same as Nicolás, and visiting family. So as Nicolás mentioned, I will be talking about securing the internet routing. But I want to start by briefly sharing why we need to do that. So internet is not just a network. Internet is the network of networks in which networks learn where other networks are using the border gateway protocol that Nicolás mentioned, BGP. So basically networks exchange BGP announcements where they tell each other you can reach these prefixes through me. But the thing is that this protocol was designed under the assumption of trust. Back in the day when the internet started, everyone knew each other. They could trust what everyone else was saying. But then in the 80s when the internet was open to the commercial sector and it started growing exponentially, this assumption of trust didn’t work that well anymore. And it started to become clear that security needed to be addressed in some way. The problem was that the internet was already working. We could not just replace the routing protocol with a new one. So new layers had to be built on top of existing protocols. And RPKI was one of those layers to add security. So I will be talking a bit about RPKI today. So you may have heard about route hijacks. And that’s one of the incidents that can happen in the internet nowadays. In particular, back in 2008, there was a big incident where the Pakistan government instructed Pakistan Telecom to not allow traffic towards YouTube. And in trying to do that, there was an accident in the configuration where routes were leaked and went beyond Pakistan. The idea was to keep that local, but it went outside of the Pakistan borders and it caused an unavailability of YouTube for a little while.
And that is just one big incident that made the news, but there have been other incidents that have been quite big and could have been avoided. So sometimes those incidents are malicious, are a proper attack, but in some cases they are what we call fat fingers. So it could be someone that mistyped something, for example, or in the case of YouTube and Pakistan Telecom was an error in configuration. And so I will be talking a bit more about adoption in a moment in a couple of my slides but the good news is that incidents like that that happened in 2008, there were a few back then that made the news, and were quite big. And we hear less and less about those incidents in the news, and that’s a good thing. So I’ll tell you more why we’re hearing more about that. So as I mentioned RPKI is that like layer of security that has been added on top of BGP, and how that works is that RPKI allows network operators to make statements of what are the routing intentions. In terms of what is the origin autonomous system that is allowed to originate the prefixes that they are responsible for. And that is in the case of route origin authorization sorry I kind of skipped about. RPKI in general allows for statements on routing intentions that are cryptographically verifiable. And the most popular, the most popular type of object nowadays, is route origin authorizations, that is to authorize a specific origin AS to originate a set of prefixes. And that is one side of RPKI that is like creation of ROAs allows to make those statements. But then on the other side, someone needs to use that information. And so on the other side, what we call route origin validation is using the information in ROAs to decide what to do about BGP announcements.
So what my very simple diagram in this slide is trying to show here is that when a router, that black thing in the middle, receives a BGP announcement, based on what they see in the RPKI system, based on the RPKI data, they can decide whether to use that BGP announcement to create a new entry in the routing table and learn maybe a new path, or if they just ignore it and discard that BGP announcement. So where are we on this journey to securing the internet routing? ROAs, this particular object type that as I mentioned is the most popular nowadays. It was standardized more than 10 years ago. And at first, like any technology, it took a little while for it to start being used. But as you can see in the last five years or so, it has been more quickly being used. And these charts in particular are from NIST, from the US government. And it shows the percentage of unique prefix origin pairs that are covered by ROAs. And you can see that for IPv4 and for IPv6, we are in a very similar situation right now where it’s 54% for IPv4, it’s 60% for IPv6. But as I mentioned, creating ROAs is just one side of RPKI. The other side is using that information to do validation. And this is where it gets a bit tricky to answer the question where we are on the journey. And actually, I recently saw an article from RIPE Labs, the blog from one of the regional internet registries that was talking about IPv6 adoption. I will not be talking about IPv6 today, but it mentioned Schrödinger’s cat and how IPv6 exists in these two states at the same time. And I feel that it’s very similar with RPKI, depending on who you ask. Some people may tell you, adoption of RPKI has been a success. Recently, there was an article from Job Snijders, who is very active in the technical community. He works for Fastly and was describing an incident that was kind of similar to the YouTube versus Pakistan Telecom incident that I mentioned, but this time the incident didn’t make the news.
And that is because there was no real consequence or bad consequence of that incident because of RPKI. So in his article, he thinks that RPKI adoption is a success and this is proof that RPKI works. But I’ve also seen presentations, for example, Geoff Huston, who some of you may have heard of, just recently presented about RPKI and DNSSEC. And from his perspective, he sometimes uses the expression even market failure. He believes RPKI should have been adopted much more quickly. So again, there’s different measurement projects. So depending on where you look, you may find different stats and depending on who you ask, the perception on whether we are at a good level of adoption or not may change. It’s a bit subjective, but one of the projects is RoVista. And I like this project because they have an academic paper. So if you go to that URL of the project, you can check the methodology. There’s also particular challenges on how to measure ROV. I feel with other technologies that stop attacks or that mitigate risk, it’s hard to measure things that don’t happen. So I will not go into the technical details on how this is measured, but there are challenges on how to measure route origin validation. So according to this particular methodology, one of the charts on my slide here, the one on the left, shows the percentage of autonomous systems that are protected by route origin validation. And they split this into partially protected and fully protected, because network operators may decide to do route origin validation on some of their interfaces and not all of them. So partially protected is when there’s at least one interface where they do route origin validation. And you can see that that number, when I got this chart, and it was just a few days ago, was around 90%. So that’s pretty good. But if you look at fully protected, where all the interfaces are doing route origin validation, that’s just a bit below 25%.
I also included a chart, I will not go into the detail of how economies are doing comparing to each other. But I thought it was interesting that RoVista also defines this ROV score. And in this particular chart, they do kind of a weighted average based on the cone size. So it’s based on the customers and customers of customers that an autonomous system has. And so you can see how different economies are at different stages of deployment of this. As Nicolas mentioned, there’s also ASPA. So I wanted to briefly touch on, as I said, route origin authorizations. They prevent some types of attack, but it’s just based on the origin autonomous system used on a BGP announcement. But in order to protect the rest of the path, there’s a new object type that is being discussed in the IETF. That also, thanks to your introduction, Nico, people know now that the IETF is the body that standardizes protocols in the Internet. So there is a discussion that actually has made a lot of progress, and it’s quite close to being completed and ASPA becoming a standard, but it’s still being discussed. ASPA stands for Autonomous System Provider Authorization, should soon become a standard. And it has already been implemented in a way. So I included a couple of links, if anyone is interested. There was an article about a first route leak that was prevented by ASPA. And also earlier this year, Hurricane Electric announced that they already support ASPA. As I mentioned, depending on who you ask, you may be told that RPKI is going great. Some people think that adoption should have been faster. And I wanted to touch on what are some challenges of, in particular, route origin authorizations and validation adoption. As we mentioned, there’s the signing part, creating ROAs, the validating part, ROV. And there is a concept in social sciences that I think may help understand part of the challenge for adoption. And it’s that for RPKI to provide maximum benefit

Nicolas Fiumarelli: to the internet, to everyone, we need each autonomous system in the internet to do their part. We need each autonomous system to create ROAs for all their space, but also to start doing route origin validation. And at some point, there was a bit of a chicken and egg situation, where if there’s not enough ROAs out there, why would I do validation? But also the other way around, why would I create ROAs if no one is doing route origin validation? I personally believe we are past that point, as you have seen from the statistics. I think there is enough level of adoption that there should be more motivation nowadays to create ROAs to do validation. But also a bit of a challenge that I’ve heard sometimes is that technical people do understand the importance of this. But when non-technical decision makers are involved, it may be hard sometimes to justify the work required to implement best practices because sometimes the commercial benefit is not immediate. And to that, what I want to say is that we need to keep in mind that by implementing best practices and not just RPKI, but best practices in general, what we’re basically doing is preventing reputational damage. So that should be enough for justification. I know I’m running out of time. So I’ll just try to pick up the pace, Nico, sorry to try to keep on time. Because I am the program manager for the NRO RPKI program, I wanted to briefly touch on what we do to encourage adoption of RPKI. So first, very generally some approaches to encouraging adoption, one is providing support. So by raising awareness, building capacity, engaging with organizations and those that are responsible for implementations, working on system improvements is a way that we can encourage adoption. And then there’s also two big approaches that you may have heard of that is based on reputation.
There’s an example of MANRS, which is the Mutually Agreed Norms for Routing Security, where there’s different aspects of routing security that are described as best practices and network operators can subscribe to MANRS and then become part of kind of this ranking on how much they implement those best practices.

Sofia Silva Berenguer: But there’s also regulation-based approaches where you may have heard earlier this year, the United States, for example, is the big example of publishing a roadmap to enhancing internet routing security by which governmental agencies are now mandated to create ROAs for the space and to start doing route origin validation. And there’s also a similar example from Finland. So as I mentioned, I’m directly involved with the Regional Internet Registry. I work for the NRO, which is the Number Resource Organization that brings together the five RIRs and what the RIRs do to support RPKI adoption is to organize training events. They have e-learning platforms where they help with that like capacity building side of things. They engage with member organizations, with governments and other entities to support them in the adoption of RPKI. And we have recently launched, actually just in January this year, we launched the RPKI program that I am a program manager for to create more consistency across the RIRs. Because each RIR is an independent organization that has implemented RPKI in their own way. It has become more and more important strategically to create more consistency among the five of them. And a geographically relevant example is the RIPE NCC, that is the RIR that covers this part of the world. In 2023, worked closely with the Saudi Arabia government organizing workshops, both for decision makers and for technical people. And that showed an immediate increase in the uptake of RPKI. So I think that that’s a good example of how we support RPKI adoption. As I mentioned, I’m the program manager for the NRO RPKI program. And what we want to do is to bring more consistency to the RPKI implementations of the five RIRs. But most importantly, we want to create this space of more structured coordination and collaboration. Historically, the RIRs do coordinate and collaborate.
But for RPKI in particular, we wanted to create this like more structured with like clear priorities. And we have some specific objectives that we want to achieve in 2025. And I’ve left a couple of links there so that if you want to learn more about the program or if you want to get in touch, you can do that. So in bringing my presentation to a close and trying to connect with the previous topic that is quantum, I am no expert in quantum, but my reflection is, as I mentioned, the statements that we produce through RPKI rely on cryptography, they can validate them cryptographically. And as quantum computing represents a disruptive force that could undermine the current cryptographic standards, RPKI may be affected. So my question for reflection is whether the cryptographic algorithms that are used nowadays by RPKI could eventually be replaced once there’s suitable post-quantum algorithms that are standardized, whether the ones we use nowadays in RPKI could be replaced with those new ones. So I’ll leave the question out there, we can come back in the discussion, I guess. Thanks everyone for your time and thanks again for having me today.

Nicolas Fiumarelli: Sofia, thank you so much for your contributions. RPKI can sound very strange for non-technical persons, but basically this is a security extension of the Internet, right? And one thing that I would like to highlight here is that these technologies in general, the security extensions, are optional, right? It’s something that the operator needs to deploy, this technology, and also the operator needs to deploy the validation of this technology, the routing validators. So there are several reasons for that, right? While we are having enforceable mechanisms like Sofia mentioned in the USA, different countries mandating for deploying these security extensions, you know, there is a topic that is very highlighted in the Internet society that is about fragmentation, right? So what happens, if you mandate that everyone needs to have RPKI, you can be disconnecting networks in some manner, because for the ones that do not implement RPKI. But on the other side, you will be exposed to hijacking and route hijacks, so we need to have a balance. And I think these approaches we are seeing in different countries and Saudi Arabia example that Sofia mentioned is some of the examples that ways to go. So now continuing with RPKI, we have Wataru Ohgai, that is from JPNIC, from the Japan IGF. We knew Wataru last year when we went to the Japan Global IGF. He is a representative from JPNIC with the extensive expertise in RPKI operators and he has been instrumental in advancing this routing origin validations adoption in the Asia-Pacific region. So Wataru will present about the global movement of policy and operators in RPKI, discussing some milestone on the global IPv4 ROA coverage, and he will address different aspects of RPKI, also articulating more on the quantum, post-quantum cryptography and RPKI. But yes, let’s talk more, Wataru, about this, how to deploy, what are the strategies of deploying RPKI and about this global movement.
So the floor is yours, Wataru. Thank you, Nico, for the introduction and hi everyone.

Wataru Ohgai: My name is Wataru Ohgai from Japan Network Information Center, JPNIC. From me today, let me talk about the global movement of policy and operation in RPKI world in 2024. For those who may not know, JPNIC is a national internet registry for Japan, which is a kind of like a national version of the RIR. And we are not the one operating .jp domain name, but instead we manage IP addresses and AS numbers in Japan, and of course, running on RPKI repository based on the registry database. Oh, it’s already December, and let me… Let’s first look back on what RPKI related matter happened in this year. The biggest news was that the global IPv4 ROA coverage has exceeded 50% in NIST RPKI Monitor and other global measurement platforms. This was the first time in this history for exceeding the 50% more than the half of the global network is covered by ROA. And IPv6 has been already achieved a few years ago. So that means over half the internet is now ready to protect it by RPKI. This is not just a wonderful achievement, but it also means that we are already in the next stage, the ROV. Regardless of tier one or not, applying ROV in the network is becoming no longer optional. Over half of the world is ready to go and there is no reason anyone can stop it. The stage of maybe or considering for ROV is already a past. Why can I be so sure? Let me explain some background in the next slide. The first one, and it’s also a big step for BGP world, is that one of the tier one network operator, Google, is now phasing out route server based peering in IX, Internet Exchange Point. And moving forward for bilateral direct peering strategy. This affects many networks who have been peering with Google via route servers to shift their peering plan and also requires them to be RPKI ready. In Google’s peering policy, there is no clear sentence for that, but they apparently agree.
requires ROA assurance for any direct bilateral peering network as the best current practice, resulting in everyone who peers with Google being RPKI ready. This could be an implication that the tier networks like Google is now gearing up for full scale ROV and of course Google and other big parties are already studying ROV in their networks. And the second background is the national security. We’ve talked about the importance of RPKI in private sector so far. The same thing can be also applied for the government who wants to protect the whole environment of the country. The United States are considering seriously about ROV implementation mandatory not only in the federal government organization but also big companies in the country, business sectors for the national security. The U.S. is not the only country, but some other countries are also presenting their interest on ROV this year. Thus in some day, whether we like or not, some countries will force domestic companies to do ROV but clearly the internet persons don’t like governments to decide what we do or what we don’t for security so we should go do this by our own hands before they force us. So far, I’ve talked about what happened and what is going on. Then let’s see what will happen or what could happen in the near future. The first bullet point there is a dedicated, decided future as I talked. In the future, implementing ROV will be just one of the other normal operations, nothing special. Then the not found routes, which have no ROA for associating it, no RPKI ready routes will be vanished from the global routing entry. Of course, not to mention the invalid routes vanishing from the table. In the second bullet, there will be the operational challenges. As you may know, ROV is in fact not a predefined term like ROA.
If you say we are doing ROV, then you can handle invalid routes to be rejected, or give some lower local preference value so that they are not likely to be used for routing. That’s your organizational matter, not a predefined matter. This year, we, JPNIC, in collaboration with Japanese government authority and experts from private and academic sector, published operational guidelines for both corporate executives and engineers with command-by-command reference, which I hope contribute to this situation, but it’s still your choice. Another concern is SLURM. SLURM is a way to intentionally ignore some ROV results based on the other trust. Technically, if someone issued an invalid ROA by mistake, and you notice that the ROA and actual routes coming from BGP-PRT first, you can just apply SLURM to ignore that operational failure. But how do you know if it’s SLURM? Just an operational failure. Well, how can you tell the incident from malicious attack or even the intended changes of network? We already have a technical protocol SLURM, but we are still in need of the operational policy. We are also facing the trust issue in the ROA itself. ROA revalidation is done based on what is written in ROA. So the trust in ROA is a considerably big issue. This year, one of the large network operator in the world located in Spain, which is a RIPE region, had their online account used to creating or modifying ROA taken by bad actor. And that bad actor modified their ROA so that the original routes advertised in BGP to be invalid in ROV result. The recovery took a few hours and the rest of the world are forced to trust the forged ROA. The company already changed their password and recreated that genuine ROA after the incident. And RIPE also responded quickly to this incident and they introduced two-factor authentication on their platform and passkeys, the newer authentication methodologies for their entire customer account in a few months to prevent further attacks.
As I talked in previous slides, we have technological SLURM, but handle this type of incident from the viewpoint of non-victimized network operators, we still don’t know when to apply SLURM. The current answer to this scenario is double-checking the information in several community mailing lists. However, I believe there is more sophisticated ways to be able to evolve. Let’s move on to the brighter future now. And there is another technology based on RPKI, which is ASPA. Current ROA and ROV is basically just a matching of the IP address prefix and its originating AS, but as many of you may know, the internet, the BGP consists of the exchanging route information. So there should be a certain path that the packet should go this network through this and through this like that. And ROA and ROV is not sufficient to do that. And currently ASPA has finished the most standardization process in the IETF and we are seeking for the implementation and actual operation. Post quantum cryptography is another topic of this session. Yes, we are talking about the post quantum cryptography implementation in RPKI world. The current situation in PQC is like something that they can adapt after the actual compromisation to ROA or other algorithm happen by quantum computers. And others like thinks that they need to implement PQC before something is destroyed. One key, I think, to end this binary trade off is to implement quantum safe RPKI today, the day before the entire world is done in ROV implementation. So this is my last slide. And the ultimate question for me is that, who can you trust? Why are they trustworthy? What mechanisms established a necessary trust? Things all is all about the trust. Cryptography, RPKI, PQC, the internet, everything is about the trust. Policymakers and engineers are now required to collaborate to design flexible policies as a way to answer these questions. Thank you and I’m giving it back to you, Nico.

Nicolas Fiumarelli: Thank you so much, Wataru. You made very interesting points. I was wondering why this could happen, right, that you have a password for accessing your RIR platform to create this and route origin validations and once ROV, it says the validators will go to validate you, your routes. This is a huge problem because what happens is someone tamper with your login credentials and then change, as you say, the ASN of origin that is intended to be the origin. So you, the clear effect here is that you will be out of the internet. Your entire network will be fragmented from the rest of the internet and that will be a very complicated thing. So yes, I think that managing credentials of the RPKI systems is something that is very important. And also interesting that you mentioned that there are some quantum safe RPKI way. In my opinion, that needs to be before that everything explodes on the internet when the quantum computer develops and finally develops. So that are some of the challenges that we have for the future now. So heading to our other part of the session today. Sadly, some of our speakers, that is Sorina Sefa from UNECA wouldn’t make it, but Athanase that is with us here will cover her part. The idea was to focus now. Now we have established a about RPKI, about, you know, quantum computing and we need to talk about how to integrate it in governance frameworks, right, across the different regions. So, Athanase will briefly talk to us about some advanced security measures or how this can be integrated into multi-stakeholder efforts or governance frameworks, particularly in the Global South. So, how can Athanase address these challenges in harmonising policies across diverse regions? The floor is yours, please.

Athanase Bahizire: Thank you so much, Nico. Yeah, thank you so much, Nico, and this is a very important topic and particularly in Africa, is the capacity of different regions are different and with the advance of quantum technologies, you see, we need actually enough resource to whether host a quantum computer, which resource some of the time we don’t have actually in Africa till now one quantum computer, but the idea is that we should be proactive and what Wataru was talking about again, we don’t have to wait for till we will have the full capacity to start leveraging on this technology and I’m going to share some of the great things that are being done in Africa in order to embrace actually these emerging technologies. One of the things when you’re talking about actually the measures that are being put in place, the UN Economic Commission for Africa, which is the ECA, has brought a programme to build capacity of different governments in Africa when it comes to security measures and in these security measures, we tend to go around some of the DNSSEC, which is very important and how we can secure systems and at this level, we are building the capacity of the different governments so they can understand these techs, but then we didn’t manage to get to very technical aspects such as RPKI and quantum encryption, which I believe we should incorporate in these capacity building initiatives.
We also have now the MANRS and what is happening with the MANRS is that it’s voluntarily, so there is no obligatory measure that says to the ISPs that you need to implement the MANRS and which is kind of becoming challenging and we have tried to discuss with the ISPs and you see they will tell you that to deploy these technologies, it’s additional resources and additional technical stuff and some of the time, we can’t see the emergent needs for it now, that’s why we put it for later, but then again, I’m emphasising on why we need to be proactive and start thinking, having an idea of the future when we are developing our solutions, when we are securing our system and when it comes to harmonisation of policies, many of the African countries are developing their cyber security policies and legislations but not all of them have actually ready policies that are ready. In our country we have a bill that is actually being examined in the parliament but yet we haven’t seen a very much involvement of the technical community in country in the development of this and we have a framework at the African level but whereby technical community have had enough space to influence actually what is entering in this legislation but at the country level we haven’t seen this much involvement of the technical community, the technical community that actually has the capacity and the technical understanding. So that why it’s I believe it’s very important to harmonize what is being done in country with the different aspect, the different aspect that are regional, the African level or the different protocols that are being adopted by whether the IETF and extra level but then again our big challenge is resources for our technical community to be able to keep the pace in the advancement of these technologies, the advancement of the cryptography. We need capacity and some of the time we don’t have the capacity.
So we are really calling for more investment in capacity to the technical community actually to be able to strengthen our country’s strategies and also the collaboration between the government and the legislation that are putting in place cyber security strategies with the technical community and various stakeholders. And there is also one thing I wanted to mention here when it comes to the security measures we are having now. We tend not to take very seriously cryptography as what I was giving examples whereby you know putting in place two-factor authentication in your database and some other very little best practices. We are not adopting them. We are waiting for when it’s like mandatory or it’s like as a regulation to adopt it’s what is not really a good practice and it doesn’t have that much in securing our system. So I believe it’s time for us to embrace with our low resources as we are still building our resources but also to embrace the benefits that these technologies are bringing to us, embrace the best practices in security and that will be really very helpful. And one other thing you asked Nico it’s about capacity building in to ensure equitable adoption of all these security protocols. There are some organizations that are working in capacity building Africa like we have the Internet Society that has done a lot of workshops with policy makers, with IXP operators and ISPs for around the MANRS, the mutual agreed security. And what is happening here is we have seen quite an increase in adoption of the MANRS after these capacity building initiatives. But I believe we need to do more. This capacity building initiative sometimes doesn’t touch those communities with very low operators, operators who have very low capacity, who are managing very small network. So I believe we need to increase this capacity building initiative and go up to reaching the various actors who are into playing this. And that where it comes into play, the different stakeholders here.
If the IETF has programs like this to build capacity or other organizations, if they do have these initiatives, I believe Africa is very open to embrace and collaborate in order to all go together in these technologies that are coming very fast. I’m going to stop here, Nico, and back to you. Thank you.

Nicolas Fiumarelli: Thank you so much, Athanase. You raised a lot of different points, very important ones. One thing to mention from my side is that in August this year, the National Institute of Standards and Technology created three standards for the post-quantum cryptography that are CRYSTALS-Dilithium, CRYSTALS-Kyber, and SPHINCS+. Sorry for the technical words, but these algorithms are already prepared to be deployed. There are some challenges like the length of the key that is a little longer than the previous algorithms such as RSA and AES. But as the spokesperson from NIST said, there is no need to wait. We need to start deploying these standards now to be more on the proactive way, as Wataru said. And also, you mentioned, Athanase, about the costs, right? I think that one of the main objectives maybe of the NRO RPKI program, with having these unified global platforms or, I don’t know, documentation or manuals on how to use these interfaces, sometimes provided by the RIRs or by the NIRs like JPNIC, could help people have more capacity building on this. You know that the regional registries are doing the regional meetings every year and they do tutorials about this and everything. But yes, I think that you also mentioned something important that is about the small and medium operators. These ISPs that some kind attend a low portion of population in isolated places, they would be being outside of these efforts and maybe they are the ones that have not this RPKI prepared yet. So another thing that I want to mention is about the IoT, right? We missed also one of our speakers today, that is Shoao, because he had a collision with other session. But what happened with the IoT Internet of Things, you know, it’s about these constrained devices that sometimes has constraints in battery, constraints in energy, and also in memory.
So these devices cannot rapidly implement this post-quantum cryptography that demands more and more power computation to do the encryption. So the IETF, that is the standardization body, is looking for lightweight protocols that could be post-quantum cryptography, post-quantum resistant. I mean, that is something that we need to take a look of, because there are millions and billions of devices, IoT devices, coming around. And if these devices are not fully protected, we will be in a very huge problem, right? So that is another thing to look for, to how to have a hybrid approach on post-quantum cryptography in the IoT. And now is the part of the session when we open the floor for questions for the on-site and online speakers here. Also, the panelists, if you have been, if you have something in your mind you want to also say after all this conversation, please, Athanase will be looking forward for the hands on the online and also the hands here on site. So we have at least 15 minutes for the Q&A part. So just go with this. I will give the floor then to Athanase to moderate this part of the Q&A. So we will be receiving questions and our panelists will be responding. Yes, thank you so much. We have one question already in the room. So we are

Audience: going to start by one. Good afternoon. My name is Wout de Natris. I’m a consultant in the Netherlands, but also here at the IGF as the consultant for the Dynamic Coalition on Internet Standards, Security and Safety. And what we’ve been doing in the past, sort of, and are going to do in the near future, encompasses everything that we heard today. And my question to the panelists after I finished is how can we actually as a Dynamic Coalition help you with the situation that you have been describing? Last year at the IGF, we presented a report on IoT security by design. And Nico was the project lead for that as our working group chair for that topic. But we’re going to start a new iteration this year and present that in Lillestrøm near Oslo in June 2025, which combines the post-quantum cryptography and the state that that is at the moment with IoT security. But what we’re going to look in also is the societal implications when things go wrong, the political implications go wrong, and a bit more that the people who are leading are better in voicing than me as coordinator. But the fact is that we’ve been looking at this comprehensively. And my final comment is on RPKI, with thanks to ICANN and the RIPE NCC, we presented here at the IGF a document that helps the technical people convince their bosses to deploy DNSSEC, RPKI, but by default all other internet standards, by providing them with arguments that are not technical, but exactly the sort of arguments the CEOs and CFOs want to hear what the implication for a company is if you don’t have that, the implications for your reputation, the implications for your customers or your own employees. So that is what we produced this year, but what I would like to hear is what can you do with us, because we invite you to join.
You can go to our website is3coalition.org and we’re going to ask Nico to put it in the chat for me please, our website, but also what could we do for you, because we want to be as relevant as possible. So that’s an invitation, but also perhaps that some of the panelists can reflect on it and from there we can take that with us. Thank you. Anyone who wants to comment on that, my panelists please.

Nicolas Fiumarelli: Yes, Sofia. Thanks for that comment and I guess from my side what I wanted to comment that in terms of answering the question of what can be done, my final question of my presentation, inviting for reflection, can also be extended to an invite for some more work as we discussed the…

Sofia Silva Berenguer: IETF is a space where internet standards are developed. And currently, although there is an RFC describing, I think it’s called Algorithm Agility RFC, but it’s quite old and it has never been implemented. And so if there is kind of a theoretical framework for replacing parts of RPKI, but it has never been put in practice and some people believe it wouldn’t really work. So there is room there for anyone who wants to be more involved in the IETF or who is already involved in the IETF, but wants to be more involved in this space to do work on how to actually in practice the cryptography in RPKI could be replaced for like something that is post-quantum state. So I guess that that’s my only comment. I’m no expert in that space. So I’m not the person to help in the actual work, but I’m just pointing out an opportunity for some work that anyone interested could be involved in. Thank you.

Athanase Bahizire: Thank you. And actually, thank you all for mentioning the work you’re doing at the IS3C. We believe more people need to hear about the work you do. And as for us in Africa, we believe your resources might be very helpful to us. Thank you for sharing these resources. We have a thought in the chat, by Mike Nelson. After Google’s announcement of the Willow quantum computing chip, there were speculations that someday soon Google would use the chip to break the obsolete encryption used to protect the huge stash of Bitcoin created and controlled by Satoshi. He’s wondering, is he the only one fascinated about this possibility, or is it that important? Anyone want to comment on this?

Nicolas Fiumarelli: Well, I think… We didn’t include a blockchain and Bitcoin at this session and panel, but blockchain is at risk as well. Because if quantum computing can proceed, if you have your public key from your wallet at the Bitcoin, you will definitely get your private key very instantly. So that means that you will have the money of that wallet. But yes, we are talking about a near future, right? Every day we see a new quantum development on the superconductors, on the different parts of the quantum chain. There was some news recently about quantum annealing. That is a new technique. So you don’t need to have millions of qubits to perform the quantum computation. Now with some thousands of qubits, and Google is close, right? They have this Google Seeker with 1,000 qubits machine already happening. They cannot maintain the state of the photons a lot of time, but they are close to reach these gaps. In my opinion, when people say 10 to 15 years, for me it’s like five years. I think that Maria stated very well in their graphic and statistics about this development. Just leaving with this to answer the question of the blockchain in that. Please, if you have another question, I’ll return to Athanase. Yes, thank you. Nico, if you have any other question in the chat or in the Zoom room, you can raise your hand, we will give you the floor. In the room, do we have a question? No question for now. There is a comment on the Bitcoin case saying the advancements are important and signify what is to come.

Athanase Bahizire: But at this point, it is mostly hype. There is little practical that they can achieve right now. But yes, Nico said it, maybe not right now, but in the very coming, we may see a big change in this. Yug, do you want to take the floor and comment on this one?

Audience: Yug, can you hear me? Yes, I see you are unmuted. Sorry, Yug needs the permission to speak. Hi, can you hear me now? Yes, sure. Yeah, so quantum is a very new technology and as is the case in any new technology,

Yug Desai: there’s going to be a lot of hype in addition to the actual technological advancements that are happening. And it is important to separate the hype from what is real because that is where the policy interventions will come from. And in case of a lot of the advancements that these big companies are making, they have to hype it up because a lot of investment is going into these areas. So it is important that we take a measured approach when we see these announcements and focus on what the practical implications are and take actions according to that. So, we are going to the conclusion of this session, yeah, okay, Wout, you can have a comment. Yes, Wout de Natris is again of IS3C, I have a question to Maria Luque that I just am reminded of myself. You are doing a lot of work on both quantum and on quantum computing and we are going to do that as IS3C in the coming six months, where do we supplement each other or perhaps are we doing double work, what is your impression and how can we potentially cooperate in the coming months? Thank you. I don’t see Maria online anymore, I think, so I will translate this question to her, but I will let our rapporteur, Yug, to also summarise on the key takeaways from our session, because we are running out of time, Yug will highlight on the topic, actionable insights and then we are going to conclude, please, Yug. You have, now you have permission to, to unmute yourself. Okay, yes, thank you, Nicolas. So what I’ve been talking about and great insights by our speakers that I’ll try to quickly summarise so that we have good takeaways to take and think about from this session. So Maria started with the revolutionizing power of quantum technology, especially in fields of communication and sensing, which are relatively more mature technologies, and have great potential in making precise measurements of the electromagnetic field, for instance, they have Hi, Nicolas, can you hear me? Okay. Yeah. So I’ll start again.
Actually, I’m speaking. So yeah, so Maria told us about the revolutionizing power of quantum technologies and the more mature fields of quantum communication and quantum sensing, and how they promise to transform industries like healthcare, defense and military infrastructure security. The critical challenge of course lies in reaching cryptographically relevant quantum computers, which would threaten the current security frameworks that we have, especially in deployed industrial environments. The risk is also particularly acute as we begin to collect data using these quantum instruments and use them to advance AI and existing knowledge models. The global response is already underway and governments are already providing information on how to migrate to quantum secure technologies. Hyperscalers like Amazon and Google are already implementing quantum security in their platforms. And a lot of effort is also underway in making sure that the new technologies can integrate with existing technologies so that you don’t have to create everything anew. The quantum investments in the quantum space are also increasing year by year. And this is exactly the reason why we cannot wait in moving towards quantum secure technologies. Then we also had a very good discussion on RPKI and how the protocol, the BGP protocol was created with the assumption of trust, but we don’t really live in that reality. So RPKI was created as a secure layer on top of BGP and it has two key components, ROAs and ROVs, but the adoption has not exactly been heterogeneous, is actually heterogeneous, not homogenous across the world. And depending on who you ask, they will tell you that whether it is having the desired impact or not. The main challenge stems from the collective action problem where networks need widespread adoption to see the benefits creating this sort of a chicken and egg situation.
Additionally, the non-technical decision makers often struggle to justify the investment that is needed in this transition. However, adopting RPKI is absolutely crucial and many tier one ISPs are making this their priority. And in future soon, it will become important to have RPKI deployed to connect to some of these networks. Also, RPKI is also under threat from quantum computing because it uses cryptography that is vulnerable to potentially cryptographically relevant quantum computers. So we’ll also need to work on making sure that RPKI also becomes quantum safe in the future. I also want to highlight what Athanase has mentioned about the situation in Africa and how capacity building is really important when we are trying to ensure security in this age of emerging internet technologies and posing newer risks to security, the technical communities in Africa and global south alike need more resources to combat these emerging threats and also more capacity building to make sure that the networks of the future remain secure. I will end at that.

Nicolas Fiumarelli: Thank you so much, Yug. And well, I would like to thank you. We are just in time to thank our distinguished panelists for the invaluable contributions they have made, as well as all of you both on site and online. Well, I think with today’s session, we demonstrated the critical importance of collaboration in addressing different challenges and opportunities presented by these three technologies, quantum encryption, RPKI, and IoT security. I think that you at least will bring something to your home from all these learnings by exploring this intersection of technologies. I think we could be better prepared to secure our digital ecosystems of tomorrow. So hope you enjoy the rest of the IGF 2024. Thank you so much. Applause.


Maria Luque

Speech speed

130 words per minute

Speech length

2094 words

Speech time

960 seconds

Quantum sensing and communications are maturing rapidly

Explanation

Quantum sensing and communications technologies are advancing quickly and becoming more mature. These technologies have the potential to transform various industries and improve measurement capabilities.

Evidence

Examples given include optimizing power grids, enhancing battery performance, and improving leak detection in pipelines using quantum sensors.

Major Discussion Point

Quantum Technologies and Cybersecurity


Nicolas Fiumarelli


Post-quantum cryptography standards need to be implemented now

Explanation

There is an urgent need to start implementing post-quantum cryptography standards. This proactive approach is necessary to prepare for the potential threats posed by quantum computing to current cryptographic systems.

Evidence

Mention of NIST creating three standards for post-quantum cryptography in August: CRYSTALS-Dilithium, CRYSTALS-Kyber, and SPHINCS+.

Major Discussion Point

Quantum Technologies and Cybersecurity

Agreed with

Maria Luque

Sofia Silva Berenguer

Agreed on

Urgent need for post-quantum cryptography implementation

Differed with

Maria Luque

Differed on

Urgency of implementing post-quantum cryptography

IoT devices need lightweight post-quantum cryptography protocols

Explanation

Internet of Things (IoT) devices have constraints in battery, energy, and memory. These limitations make it challenging to implement full post-quantum cryptography, necessitating the development of lightweight protocols.

Evidence

Mention of IETF looking into lightweight protocols that could be post-quantum resistant for IoT devices.

Major Discussion Point

Future Internet Security Measures

Small and medium ISPs may be left behind in RPKI adoption

Explanation

There is a concern that small and medium-sized Internet Service Providers (ISPs) might lag in RPKI adoption. These ISPs, often serving isolated areas, may lack the resources or awareness to implement RPKI.

Major Discussion Point

RPKI Adoption and Challenges


Sofia Silva Berenguer


Quantum computing poses a threat to current cryptographic systems

Explanation

The development of quantum computers presents a significant risk to existing cryptographic systems. This threat extends to technologies like RPKI that rely on current cryptographic methods.

Evidence

Mention of the need to replace parts of RPKI with post-quantum cryptography.

Major Discussion Point

Quantum Technologies and Cybersecurity

Agreed with

Maria Luque

Nicolas Fiumarelli

Agreed on

Urgent need for post-quantum cryptography implementation

RPKI adoption faces a collective action problem

Explanation

The adoption of RPKI is hindered by a collective action problem. Networks need widespread adoption to see the benefits, creating a chicken-and-egg situation that slows implementation.

Evidence

Reference to the challenge of justifying RPKI implementation to non-technical decision makers due to unclear immediate commercial benefits.

Major Discussion Point

RPKI Adoption and Challenges

Agreed with

Wataru Ohgai

Agreed on

RPKI adoption is crucial for internet security


Athanase Bahizire

Speech speed

116 words per minute

Speech length

1142 words

Speech time

586 seconds

Africa needs more resources and capacity building for quantum security

Explanation

African countries require additional resources and capacity building initiatives to address emerging quantum security challenges. There is a need for more investment in technical expertise and infrastructure.

Evidence

Mention of UN Economic Commission for Africa’s programme to build capacity of governments in security measures, but lacking in advanced topics like RPKI and quantum encryption.

Major Discussion Point

Quantum Technologies and Cybersecurity

Harmonization of cybersecurity policies across regions is needed

Explanation

There is a need for better alignment of cybersecurity policies across different regions. This includes involving technical communities in policy development and ensuring consistency with international standards.

Evidence

Reference to African countries developing cybersecurity policies and legislations, but lacking involvement from the technical community at the country level.

Major Discussion Point

Future Internet Security Measures


Wataru Ohgai

Speech speed

122 words per minute

Speech length

1331 words

Speech time

651 seconds

Global IPv4 ROA coverage has exceeded 50%

Explanation

The global coverage of IPv4 Route Origin Authorizations (ROAs) has surpassed 50%. This milestone indicates significant progress in RPKI adoption and readiness for improved routing security.

Evidence

Reference to NIST RPKI Monitor and other global measurement platforms showing this achievement.

Major Discussion Point

RPKI Adoption and Challenges

Agreed with

Sofia Silva Berenguer

Agreed on

RPKI adoption is crucial for internet security

Tier 1 networks like Google are pushing for RPKI readiness

Explanation

Major tier 1 network operators, such as Google, are actively promoting RPKI readiness. This push is influencing other networks to adopt RPKI to maintain peering relationships.

Evidence

Mention of Google phasing out route server-based peering in Internet Exchange Points and requiring RPKI readiness for direct bilateral peering.

Major Discussion Point

RPKI Adoption and Challenges

Agreed with

Sofia Silva Berenguer

Agreed on

RPKI adoption is crucial for internet security

Quantum-safe RPKI needs to be developed

Explanation

There is a need to develop quantum-safe versions of RPKI to protect against future threats from quantum computing. This development should be prioritized to ensure long-term security of internet routing.

Major Discussion Point

Future Internet Security Measures


Yug Desai

Speech speed

123 words per minute

Speech length

830 words

Speech time

404 seconds

Multistakeholder collaboration is crucial for addressing security challenges

Explanation

Addressing the complex security challenges of the future internet requires collaboration among various stakeholders. This includes technical communities, policymakers, and industry players working together to develop comprehensive solutions.

Major Discussion Point

Future Internet Security Measures

Agreements

Agreement Points

Urgent need for post-quantum cryptography implementation

Maria Luque

Nicolas Fiumarelli

Sofia Silva Berenguer

Post-quantum cryptography standards need to be implemented now

Quantum computing poses a threat to current cryptographic systems

There is a pressing need to implement post-quantum cryptography standards to protect against future quantum computing threats to current cryptographic systems.

RPKI adoption is crucial for internet security

Sofia Silva Berenguer

Wataru Ohgai

RPKI adoption faces a collective action problem

Global IPv4 ROA coverage has exceeded 50%

Tier 1 networks like Google are pushing for RPKI readiness

While RPKI adoption faces challenges, it is crucial for internet security, and progress is being made with major networks pushing for its implementation.

Similar Viewpoints

There is a need for increased collaboration and capacity building, especially in developing regions, to address emerging internet security challenges.

Athanase Bahizire

Yug Desai

Africa needs more resources and capacity building for quantum security

Multistakeholder collaboration is crucial for addressing security challenges

Unexpected Consensus

Immediate action required for quantum-safe technologies

Maria Luque

Nicolas Fiumarelli

Sofia Silva Berenguer

Wataru Ohgai

Post-quantum cryptography standards need to be implemented now

Quantum computing poses a threat to current cryptographic systems

Quantum-safe RPKI needs to be developed

Despite representing different aspects of internet security, all speakers agreed on the urgency of implementing quantum-safe technologies, which is somewhat unexpected given the typically slow pace of adopting new security measures.

Overall Assessment

Summary

The main areas of agreement include the urgent need for post-quantum cryptography implementation, the importance of RPKI adoption for internet security, and the necessity for increased collaboration and capacity building in addressing emerging security challenges.

Consensus level

There is a high level of consensus among the speakers on the urgency of addressing quantum computing threats and improving internet routing security. This strong agreement implies a clear direction for future internet security measures and highlights the need for immediate action in implementing post-quantum cryptography and expanding RPKI adoption.

Differences

Different Viewpoints

Urgency of implementing post-quantum cryptography

Maria Luque

Nicolas Fiumarelli

Quantum-gathered data is needed for all of the knowledge models that we want to advance with artificial intelligence and high-performance computation.

Post-quantum cryptography standards need to be implemented now

While both speakers emphasize the importance of post-quantum cryptography, Maria Luque focuses on the future need for quantum-gathered data, while Nicolas Fiumarelli stresses the immediate necessity to implement post-quantum cryptography standards.

Unexpected Differences

Focus on regional challenges vs. global solutions

Athanase Bahizire

Maria Luque

Africa needs more resources and capacity building for quantum security

Quantum sensing and communications are maturing rapidly

While Maria Luque focuses on the rapid advancement of quantum technologies globally, Athanase Bahizire unexpectedly highlights the specific challenges faced by African countries in terms of resources and capacity building for quantum security. This difference in focus reveals a potential gap between global technological progress and regional readiness.

Overall Assessment

Summary

The main areas of disagreement revolve around the urgency of implementing post-quantum cryptography, the current state and challenges of RPKI adoption, and the focus on global technological advancements versus regional capacity building needs.

Difference level

The level of disagreement among the speakers is moderate. While there is a general consensus on the importance of quantum security and RPKI adoption, the speakers differ in their perspectives on implementation timelines, regional challenges, and the current state of adoption. These differences highlight the complexity of addressing global cybersecurity challenges while considering varying regional capacities and needs. This has implications for developing comprehensive and inclusive strategies for future internet security measures.

Partial Agreements


Both speakers agree on the importance of RPKI adoption, but they differ in their assessment of its current state. Sofia Silva Berenguer highlights the challenges in adoption due to the collective action problem, while Wataru Ohgai emphasizes the progress made with global IPv4 ROA coverage exceeding 50%.

Sofia Silva Berenguer

Wataru Ohgai

RPKI adoption faces a collective action problem

Global IPv4 ROA coverage has exceeded 50%


Takeaways

Key Takeaways

Quantum technologies are advancing rapidly and pose both opportunities and threats to cybersecurity

RPKI adoption is progressing but faces challenges, especially for smaller network operators

Post-quantum cryptography standards need to be implemented proactively

Multistakeholder collaboration and capacity building are crucial for addressing emerging security challenges

IoT devices require specialized lightweight post-quantum cryptography solutions

Resolutions and Action Items

Implement post-quantum cryptography standards now rather than waiting

Increase capacity building efforts for RPKI adoption, especially for small and medium ISPs

Develop quantum-safe RPKI protocols

Harmonize cybersecurity policies across regions

Integrate technical community input into national cybersecurity legislation

Unresolved Issues

How to effectively implement quantum-safe cryptography for resource-constrained IoT devices

How to overcome the collective action problem in RPKI adoption

How to ensure equitable adoption of security protocols in regions with limited resources

How to balance mandatory security requirements with avoiding network fragmentation

Suggested Compromises

Adopt a hybrid approach for post-quantum cryptography in IoT devices

Use reputation-based approaches like MANRS alongside regulation to encourage security best practices adoption

Implement RPKI in phases, starting with larger networks and gradually including smaller operators

Thought Provoking Comments

By 2045, the world looks nothing like it does today. Profound transformation has taken place, and all global communications, both terrestrial and space-based, they are somehow integrated through optical networks.

speaker

Maria Luque

reason

This comment paints a vivid picture of a potential future transformed by quantum technologies, challenging participants to think long-term about the implications.

impact

It set the stage for discussing the far-reaching potential of quantum technologies beyond just cryptography, broadening the scope of the conversation.

My message today is that not only a cryptographically relevant quantum computer and its advent is a threat to this future that I just pointed out to you, to how we leverage this data for good, not only Harvest Now and Decrypt Later is a threat to this vision alone, the threat is up today.

speaker

Maria Luque

reason

This comment highlights the immediacy of the quantum threat, challenging the common perception that it’s a future problem.

impact

It shifted the discussion towards more urgent consideration of quantum-safe security measures and their implementation.

ROA revalidation is done based on what is written in ROA. So the trust in ROA is a considerably big issue. This year, one of the large network operators in the world located in Spain, which is a RIPE region, had their online account used for creating or modifying ROA taken by a bad actor.

speaker

Wataru Ohgai

reason

This comment introduces a real-world example of vulnerabilities in current security systems, highlighting the complexity of trust in digital infrastructure.

impact

It grounded the theoretical discussion in practical concerns, leading to more focus on operational challenges and the need for robust authentication methods.

We tend not to take very seriously cryptography as what I was giving examples whereby you know putting in place to filter authentication in your database and some other very little best practices. We are not adopting them. We are waiting for when it’s like mandatory or it’s like as a regulation to adopt it’s what is not really a good practice and it doesn’t have that much in securing our system.

speaker

Athanase Bahizire

reason

This comment highlights a critical issue in cybersecurity adoption, especially in developing regions, pointing out the reactive rather than proactive approach.

impact

It shifted the conversation towards discussing capacity building and the need for proactive security measures, especially in the Global South.

Overall Assessment

These key comments shaped the discussion by broadening its scope from purely technical considerations to include long-term societal impacts, immediate security threats, practical operational challenges, and regional disparities in adoption. They moved the conversation from theoretical possibilities to urgent practical needs, emphasizing the importance of proactive measures and global cooperation in addressing quantum and routing security challenges.

Follow-up Questions

How can the cryptographic algorithms currently used in RPKI be replaced with post-quantum algorithms once they are standardized?

speaker

Sofia Silva Berenguer

explanation

This is important to ensure RPKI remains secure against future quantum computing threats.

How can we develop operational policies for SLAM (Selective Lifting of Anomalies in MANRS) to distinguish between operational failures and malicious attacks?

speaker

Wataru Ohgai

explanation

This is crucial for properly implementing SLAM and maintaining network security.

How can we develop lightweight post-quantum cryptography protocols suitable for IoT devices with limited computational resources?

speaker

Nicolas Fiumarelli

explanation

This is essential to protect the growing number of IoT devices against future quantum computing threats.

How can the Dynamic Coalition on Internet Standards, Security and Safety (IS3C) collaborate with and support the work being done on quantum computing and security?

speaker

Wout de Natris

explanation

This collaboration could help advance the development and adoption of quantum-safe security measures.

How can we increase capacity building initiatives to reach smaller network operators, particularly in Africa and other developing regions?

speaker

Athanase Bahizire

explanation

This is important to ensure widespread adoption of security measures like RPKI across all levels of network operators.

Disclaimer: This is not an official session record. DiploAI generates these resources from audiovisual recordings, and they are presented as-is, including potential errors. Due to logistical challenges, such as discrepancies in audio/video or transcripts, names may be misspelled. We strive for accuracy to the best of our ability.