Dynamic Coalition Collaborative Session
24 Jun 2025 13:30h - 14:45h
Session at a glance
Summary
This session focused on cybersecurity and safety challenges in the 21st century, particularly regarding Internet of Things (IoT) devices and emerging quantum computing threats. The discussion was organized by three Dynamic Coalitions and examined current security priorities, emerging threats, and global alignment needs for technologies deployed across borders and jurisdictions.
The speakers highlighted that fundamental security issues have persisted for decades, with vulnerable devices still entering markets without security-by-design principles. João Falcão Moreno presented examples of IoT security failures, including the 2015 Jeep Cherokee recall affecting 1.4 million cars and recent Kia incidents where millions of vehicles were vulnerable to remote attacks. These cases demonstrate how IoT botnets can exploit similar vulnerabilities across massive device networks.
Matthias Hudobnik emphasized the importance of securing internet infrastructure foundations, particularly the Domain Name System (DNS), and implementing zero-trust architecture. He stressed that IoT devices often remain in use for years after manufacturers move on, making lifecycle security management crucial. The integration of AI into IoT systems creates both opportunities for enhanced security monitoring and new risks from data poisoning and opaque decision-making processes.
The discussion addressed the urgent threat of quantum computing to current encryption methods, with experts warning about “harvest now, decrypt later” attacks where malicious actors collect encrypted data today to decrypt once quantum computers become available. Both the US and EU have established post-quantum cryptography migration timelines, with the US targeting 2035 for federal systems.
The panelists emphasized that security threats to devices ultimately threaten human users, making user-centric approaches essential. They called for stronger procurement policies, better certification and labeling systems, and international cooperation to ensure secure-by-design principles become standard practice before quantum computing renders current security measures obsolete.
Keypoints
## Major Discussion Points:
– **Current State of IoT Security Vulnerabilities**: The panel discussed ongoing security issues in Internet of Things devices, highlighting examples like the Jeep Cherokee recall (1.4 million cars due to hackable systems) and Kia incidents where millions of cars were vulnerable to remote attacks. These cases demonstrate that despite years of awareness, fundamental security problems persist in connected devices.
– **Post-Quantum Cryptography (PQC) Urgency**: A significant focus was placed on the imminent threat of quantum computing to current encryption methods. The “harvest now, decrypt later” attack vector was emphasized, where malicious actors collect encrypted data today to decrypt once quantum computers become available. The panel stressed that migration to quantum-resistant encryption must begin immediately, with the US setting a 2035 target for federal systems.
– **Human-Centered Security Approach**: The discussion emphasized that security threats to devices are ultimately threats to the people using them. Vulnerable groups, including elderly users and children, face particular risks as they become increasingly dependent on digital services for healthcare, education, and daily activities. The panel stressed the need for user-centric design and intermediaries to help users understand security implications.
– **Procurement as a Security Driver**: The panel identified government and organizational procurement policies as powerful tools for improving security standards. By requiring security certifications and standards compliance in purchasing decisions, large buyers can drive market adoption of secure-by-design principles. However, many governments, particularly in developing countries, are not effectively leveraging existing security standards in their procurement processes.
– **Standards Implementation Gap**: Despite extensive work by standards organizations (IEEE, NIST, IETF) to develop comprehensive security frameworks, there’s a significant gap between standards development and real-world implementation. The panel noted that while standards exist, adoption rates remain low (often below 50%), highlighting the need for better implementation mechanisms, capacity building, and enforcement.
## Overall Purpose:
The discussion aimed to examine cybersecurity challenges across IoT devices and internet infrastructure from multiple perspectives – technical, policy, and human-centered. The session sought to identify current security gaps, emerging threats (particularly quantum computing), and practical solutions through procurement policies, standards adoption, and user protection measures. The goal was to present actionable recommendations for improving security across the digital ecosystem before critical threats materialize.
## Overall Tone:
The discussion maintained a serious, urgent tone throughout, characterized by technical expertise and policy-focused analysis. The moderator’s opening analogy of buying a car without brakes while descending a mountain set an appropriately alarming tone about current security practices. While the speakers were professional and informative, there was an underlying sense of frustration about the persistent nature of these security problems and the slow pace of improvement. The tone became particularly urgent when discussing post-quantum cryptography, with speakers emphasizing that action must begin immediately despite the threat seeming distant. The session concluded on a collaborative note, with emphasis on multi-stakeholder cooperation and the human impact of security decisions.
Speakers
**Speakers from the provided list:**
– **Wout de Natris van der Borght** – Moderator for the session, entered the internet arena in 2004, first IGF presentation in 2009
– **Joao Falcao Moreno** – Working in IoT cybersecurity policymaking for the past four years for IS3C (Internet Standards Security and Safety Coalition)
– **Matthias Hudobnik** – Legal engineer and AI specialist in Europol’s data protection function, combining roles as lawyer and engineer, member of ICANN Security and Stability Advisory Committee, representative of the Dynamic Coalition on the Internet of Things
– **Jutta Croll** – Chairwoman of the Board of Digital Opportunities Foundation in Germany, graduated from University in Politics, Media Research, Journalism and Literature, representing DC Cride
– **Elif Kiesow Cortez** – Project lead of the report “Sociopolitical and Technical Impacts of IoT and PQC Policies”
– **Jonathan Cave** – Game theorist and regulatory economist, associate of Martin Pottenbaum’s consultancy, member of the University of Warwick Economic Department, member of the Alan Turing Institute’s Data Ethics Group and the TREX Reviewer Group, representing DCIoT
– **Liz Orembo** – Chair of IS3C’s working group on ICT procurement, internet governance expert from Research ICT Africa
– **Torsten Krause** – Rapporteur and online moderator for the session
– **Audience** – Various audience members who asked questions during the session
**Additional speakers:**
– **Rehansh** – Leads the Dynamic Coalition on Gaming for Purpose and the community at AI Square
– **Vinicius Fortuna** – Engineer at Google Jigsaw working on access, resilience, and privacy
Full session report
# Comprehensive Report: Cybersecurity and Safety Challenges in the 21st Century
## Executive Summary
This IGF session, moderated by Wout de Natris van der Borght and organized by three Dynamic Coalitions (CRIOT, IoT, and IS3C), examined critical cybersecurity and safety challenges facing the digital ecosystem. The discussion brought together technical experts, policy specialists, and user advocates to address persistent vulnerabilities in Internet of Things (IoT) devices, emerging quantum computing threats, and the need for human-centered security approaches. Speakers emphasized the urgent need for coordinated action across technical, policy, and social dimensions, highlighting the gap between existing security standards and their real-world implementation.
## Persistent IoT Security Failures: Learning the Hard Way
The discussion opened with a striking analogy from moderator Wout de Natris van der Borght, who compared current IoT security practices to “buying a new car at the top of a mountain and descending without brakes, steering wheel, or brake lights being offered as optional extras only after the car has begun its dangerous descent.” This metaphor captured the fundamental problem where essential security features are treated as optional add-ons rather than built-in necessities.
João Falcão Moreno from the Internet Standards Security and Safety Coalition presented compelling evidence of ongoing security failures. He highlighted the 2015 Jeep Cherokee recall affecting 1.4 million vehicles due to hackable systems that allowed remote control of critical vehicle functions, and more recent Kia incidents where millions of cars remained vulnerable to remote attacks. These examples demonstrate that despite decades of awareness about IoT security risks, fundamental problems persist.
The scale becomes particularly concerning with IoT botnets. Moreno described how malware like Raptor Train spreads across hundreds of thousands of devices, exploiting similar vulnerabilities for malicious purposes. As he noted, “We are learning the hard way” – the IoT security landscape remains fundamentally unchanged over more than 20 years, with devices continuing to enter markets without security-by-design principles.
Matthias Hudobnik from Europol emphasized that internet security depends critically on foundational infrastructure, particularly the Domain Name System (DNS), and stressed the importance of implementing security protocols alongside zero-trust architecture. He noted that IoT devices often remain in use for years after manufacturers have moved on to newer products, making lifecycle security management crucial.
## Post-Quantum Cryptography: The “Harvest Now, Decrypt Later” Threat
Elif Kiesow Cortez, project lead of the report “Sociopolitical and Technical Impacts of IoT and PQC Policies,” introduced the urgent threat posed by quantum computing through the concept of “harvest now, decrypt later” attacks. She explained that “malicious actors might be recording today’s encrypted communications for days or months or longer with the aim to decrypt them once they can utilize a cryptographically relevant quantum computer.”
This revelation transforms the quantum threat from a future theoretical problem to a present-day concern affecting current security decisions. Today’s ‘secure’ communications are potentially vulnerable retroactively, introducing a temporal dimension to cybersecurity that challenges traditional security models.
Both the United States and European Union have established approaches to post-quantum cryptography migration, with the US NIST setting 2035 as the target for federal system migration. The Internet Engineering Task Force (IETF) is working within TLS 1.3 to bridge classical and post-quantum cryptography, particularly for lightweight IoT devices that may lack the computational resources for full quantum-resistant encryption.
The speakers emphasized that post-quantum cryptography migration requires immediate action despite decade-long timelines due to implementation complexity. The urgency stems from both the “harvest now, decrypt later” threat and the extensive time required to inventory existing cryptographic systems and implement new protocols across diverse IoT ecosystems.
## Human-Centered Security: Protecting Vulnerable Populations
Jutta Croll, Chairwoman of the Board of Digital Opportunities Foundation in Germany, emphasized that “threats to devices and services are always threats to the people who are using these devices and services.” This human-centered approach shifted focus from purely technical vulnerabilities to consider disproportionate impacts on marginalized populations.
Croll highlighted specific scenarios where IoT security failures have severe human consequences: “What would that mean, for example, for people living in rural areas that rely on health services that are IoT-driven? Or what would that mean to children who are educated remotely?” These examples illustrated how security vulnerabilities directly threaten access to essential services like healthcare and education.
Vulnerable groups, including elderly users and children, face particular risks as they become increasingly dependent on digital services. Croll stressed that safety-by-design must consider all types of users from development’s beginning, and that intermediaries are needed to help vulnerable populations understand certification and labeling systems.
Hudobnik complemented this by emphasizing that digital literacy and capacity building are essential for users to understand security risks, though speakers acknowledged that expecting individual users to make complex security decisions may be unrealistic.
## AI: Amplifying Risks and Transforming Accountability
The integration of artificial intelligence into IoT systems emerged as creating both opportunities and new risk categories. Jonathan Cave, representing the Dynamic Coalition on IoT, observed that “when devices were stupid devices and merely did what they were told, you could hold individuals responsible for them. But when the devices make use of things like deep learning, it may not be possible to make meaningful explanations of what they have done.”
This insight reveals a fundamental shift in responsibility and accountability, challenging traditional notions of human oversight. Cave noted that AI and machine learning create qualitative changes that may exceed human oversight capabilities, requiring new governance frameworks beyond traditional human-centered responsibility models.
Vinicius Fortuna from Google Jigsaw demonstrated how AI transforms previously minor privacy leaks into major surveillance threats. He explained that “when you access a site using HTTPS, the domain name still leaks in plain text… with AI, this changes and it becomes a real threat. Because the domain name reveals a lot about you… I actually ran an experiment where I captured my domain names, ran it to LLM, and built a profile about me.”
This real-world example illustrated how the convergence of existing vulnerabilities with AI capabilities creates emergent threats that weren’t anticipated in original system designs.
## Procurement Policies: Economic Power for Security Standards
Speakers showed strong agreement about government procurement policies’ power to drive market adoption of security standards. Liz Orembo, Chair of IS3C’s working group on ICT procurement, noted that “government procurement determines market standards as governments are major technology buyers,” while the moderator emphasized that economic buying power through procurement can force market adoption.
However, Orembo identified a critical implementation gap: “not many governments use these procurement standards, which take a lot of effort to develop. It could also be because of capacity or also because of even finance itself.” Her research revealed that many governments, particularly in developing countries, aren’t effectively leveraging existing security standards despite significant development efforts by standards organizations.
Successful examples included Taiwan, the Netherlands, and US NIST implementations, contrasting with limited adoption in African Union and African countries. Croll provided historical context through Section 508 accessibility requirements, demonstrating how government standards can drive market change when properly implemented and enforced.
## The Standards Implementation Gap
Despite extensive work by IEEE, NIST, and IETF to develop comprehensive security frameworks, speakers identified a significant gap between standards development and real-world implementation. While standards exist for most security challenges, adoption rates remain disappointingly low, often below 50% in many regions.
This gap was particularly pronounced in developing countries, where capacity and financial constraints prevent effective utilization of existing security standards. Orembo emphasized that “there should be an effort to make sure that even as standards bodies develop these standards, they should also come up with implementation mechanisms.”
Cave suggested that mutual recognition frameworks could enable devices to meet standards across different jurisdictions, while permissive schemes allowing “equivalent performance” demonstrations could encourage innovation while maintaining security standards.
## Resilience and System Complexity
Cave introduced important distinctions between resilience and robustness in maintaining system functions within large complex networks. He noted that device permissions and access rights must evolve dynamically as systems and uses change over time, creating ongoing governance challenges that traditional static security models cannot address effectively.
Interestingly, Cave suggested that quantum computing could be part of the solution for understanding system complexity and detecting attacks, presenting a more nuanced view of quantum technology as both threat and potential defensive tool.
## Key Areas of Consensus and Disagreement
Speakers demonstrated remarkable consensus on fundamental principles: security-by-design must be embedded from development’s beginning, government procurement policies represent powerful tools for driving market adoption, post-quantum cryptography migration requires immediate action, and user-centric approaches are essential.
The primary disagreement concerned quantum computing’s role, with Kiesow Cortez focusing on quantum computing as a major security threat requiring urgent defensive measures, while Cave presented a more balanced view seeing it as both challenge and potential solution.
## Unresolved Challenges and Future Directions
Several critical challenges remained unresolved. The question of how to effectively incentivize adoption of existing security standards remains pressing. The integration of AI into development processes presents ongoing challenges, with questions about ensuring AI tools understand and implement security from the ground up.
The complexity gap where human oversight may no longer be adequate for AI-driven systems represents a fundamental challenge to traditional governance models. Capacity and financial constraints preventing governments from implementing security standards remain significant barriers to global security improvement.
## Proposed Solutions and Next Steps
The speakers suggested several practical approaches: hybrid solutions for post-quantum cryptography migration, permissive procurement schemes allowing “equivalent performance” demonstrations, mutual recognition arrangements between different technical spheres, and the use of intermediaries to help vulnerable groups understand certification systems.
The “Sociopolitical and Technical Impacts of IoT and PQC Policies” report launch was mentioned for December 27th at 9 a.m., providing detailed analysis of the challenges discussed. The creation of cryptographic inventories was recommended as a first step in post-quantum cryptography migration.
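The “harvest now, decrypt later” discussion and the recommendation to start migration with a cryptographic inventory both come down to a timing question per asset: will the data still matter when a cryptographically relevant quantum computer (CRQC) arrives? The following Python is an added example, not code from the session, the report or any of the Dynamic Coalitions. It triages a constructed inventory using Mosca’s inequality (shelf life + migration time > time to CRQC means exposure), a common framing that the report itself does not name. The asset entries, effort estimates, the ten-year CRQC horizon and the two algorithm sets are assumptions chosen for illustration.

```python
"""Triage of a cryptographic inventory against "harvest now, decrypt later" (HNDL).

Added example, not code from the session or the report. It applies Mosca's
inequality: data protected by quantum-vulnerable cryptography is exposed when

    shelf_life_years + migration_years > years_until_crqc

because an adversary recording the traffic today can wait for a CRQC and still
find the data worth decrypting. All inventory entries, effort estimates and the
CRQC horizon below are constructed sample values, not figures from the report.
"""
from collections import Counter
from dataclasses import dataclass

# Public-key algorithms a CRQC running Shor's algorithm would break (assumed set).
QUANTUM_VULNERABLE = {"RSA", "DSA", "DH", "ECDSA", "ECDH", "X25519", "Ed25519"}
# Algorithms from the NIST post-quantum standards (assumed set).
QUANTUM_RESISTANT = {"ML-KEM", "ML-DSA", "SLH-DSA"}


@dataclass(frozen=True)
class CryptoAsset:
    name: str
    algorithm: str           # key-exchange or signature algorithm in use
    purpose: str             # "confidentiality" or "authentication"
    shelf_life_years: float  # how long the protected data must stay secret
    migration_years: float   # estimated time to replace the algorithm


def parse_inventory(text):
    """Parse one asset per line: name,algorithm,purpose,shelf_life,migration.

    Blank lines and '#' comments are skipped; malformed lines raise ValueError
    so a broken inventory is noticed instead of being silently shortened.
    """
    assets = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(fields)}")
        name, algorithm, purpose, shelf, migration = fields
        if purpose not in ("confidentiality", "authentication"):
            raise ValueError(f"line {lineno}: unknown purpose {purpose!r}")
        assets.append(CryptoAsset(name, algorithm, purpose, float(shelf), float(migration)))
    return assets


def classify(asset, years_until_crqc):
    """Return the HNDL status of one asset for a given CRQC horizon."""
    if asset.algorithm in QUANTUM_RESISTANT:
        return "quantum-safe"
    if asset.algorithm not in QUANTUM_VULNERABLE:
        return "review"  # unknown algorithm: needs a human look, never assumed safe
    if asset.purpose == "confidentiality":
        # Mosca's inequality: recorded ciphertext is still valuable when the CRQC arrives.
        if asset.shelf_life_years + asset.migration_years > years_until_crqc:
            return "hndl-exposed"
        return "on-schedule"
    # Signatures cannot be broken retroactively, but forgery becomes possible once a
    # CRQC exists, so the migration itself must finish before that horizon.
    if asset.migration_years > years_until_crqc:
        return "migration-too-slow"
    return "on-schedule"


def triage(text, years_until_crqc):
    """Map every asset name in the inventory text to its status."""
    return {a.name: classify(a, years_until_crqc) for a in parse_inventory(text)}


def summarize(statuses):
    """Count assets per status, for a one-line migration dashboard."""
    return dict(Counter(statuses.values()))


# Constructed sample inventory: name,algorithm,purpose,shelf_life_years,migration_years
SAMPLE_INVENTORY = """\
smart-meter-backhaul-vpn, RSA,     confidentiality, 8,  5
hospital-telemetry-tls,   X25519,  confidentiality, 25, 4
firmware-signing-key,     ECDSA,   authentication,  0,  3
patient-portal-tls,       ML-KEM,  confidentiality, 25, 0
legacy-scada-link,        DH,      confidentiality, 2,  1
vendor-proprietary-link,  XYZ-KEX, confidentiality, 5,  2   # undocumented algorithm
"""

# Constructed assumption: a CRQC roughly ten years out. The US 2035 federal target
# cited in the report is a migration deadline, not a CRQC prediction.
YEARS_UNTIL_CRQC = 10.0

if __name__ == "__main__":
    result = triage(SAMPLE_INVENTORY, YEARS_UNTIL_CRQC)
    for name, status in result.items():
        print(f"{name:26} {status}")
    print(summarize(result))
```

The point of the authentication branch is that signature keys and key-exchange keys fail differently: a recorded TLS session protected by X25519 is exposed retroactively, while a firmware-signing key only becomes a problem once a CRQC exists, so the inventory should record each asset's purpose, not just its algorithm. Unknown algorithms are deliberately routed to manual review rather than treated as safe.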
## Conclusion
This comprehensive discussion revealed that while cybersecurity challenges in the IoT era are complex and multifaceted, there is significant consensus among experts about both problems and potential solutions. The session successfully integrated technical, policy, and human-centered perspectives to present a holistic view of current security challenges.
The speakers’ emphasis on urgency, particularly regarding post-quantum cryptography migration, reflects the reality that security threats are evolving faster than defensive measures. However, their focus on practical solutions through procurement policies, standards implementation, and user-centered design provides a roadmap for coordinated action.
The path forward requires immediate action on multiple fronts: technical implementation of post-quantum cryptography, policy development for effective procurement standards, capacity building for global standards adoption, and continued focus on user-centered design. The session’s collaborative approach and the upcoming Dynamic Coalitions main session suggest that coordinated action across stakeholders remains both necessary and achievable.
Session transcript
Wout de Natris van der Borght: Good evening and thank you very much. If some of you would like to sit here at the table, because you’re all so very far away from us that you can’t hear, am I audible now? Okay, and number six. And if, yes, I can hear myself, so let’s start. Good afternoon and thank you very much for joining this session. If you would like to join us here at the table, then we can see better who is in the room, so feel welcome to do so. Welcome to the Dynamic Coalitions’ Cluster 2 session called Safety and Security, Learning the Hard Way, Cybersecurity and Safety Lessons for the 21st Century. So on behalf of the Dynamic Coalitions CRIOT, IoT and IS3C, I welcome you and my name is Wout de Natris van der Borght and I’m your moderator for today. So with me are João Falcão Moreno, online Matthias Hudobnik, here’s Jutta Croll, and we have Liz Orembo here in the room and Jonathan Cave online and Torsten Krause there is our rapporteur and online moderator. So thank you for being here from all of us. Today we’ll be discussing a few topics and the session consists of a panel that focuses on three elements and not just our own Dynamic Coalitions. We look to look a little bit beyond that to the current priorities but also to emerging priorities and global alignment as it concerns global technologies developed around the globe, deployed around the globe and with data and access across borders and jurisdictions. And why learning the hard way in the title? The issues we are discussing have not changed a lot since I entered the internet arena in 2004, so 21 years ago, or my first IGF presentation in 2009 in Sharm El Sheikh. 
Vulnerable groups and other internet users are still vulnerable due to low numbers of standards deployment, ICTs, devices and services that enter the market without security by design built into them, and in situations where the markets and commercial interests always take precedence over security of what they call the user instead of the customer. In some countries, it may start to change. Others still have a long way to go, and we are learning the hard way time and again. In this workshop, we look at the topic from a few angles and learn that with quantum computing on the horizon, we have to do better to prevent digital and privacy disaster. You’re asked to keep your questions until the end. We have enough time to answer questions, I assure you. But first, let’s look at priorities. Why are we talking about the future also? I think that we have a nice analogy to tell you. Imagine that you’re buying a new car and that car is at the top of the mountain. And you get into the car and you slowly start to descend because the top is not that steep. But all of a sudden, next to you, waving to you, would you like brake lights? Would you like a steering wheel? Would you like to have brakes? And the car goes ever faster and faster and they’re waving more furiously to you and the first hairpin is approaching. And it is a real hairpin and there’s your car. I think that that is an analogy to what often happens on the internet. We get something which becomes your responsibility to make secure. and not the one who’s selling it to you. And I think that is something that needs to change. So, how do we buy secure by design? I think that we can do that to secure our digital environment and how we protect vulnerable groups and what happens should quantum computing be upon us next year or next week even. From there, we’re going to go to a few questions that we are going to be asking the speakers. And here they are. 
I think the five questions we’re going to answer and then I start to shut up and give the word to the presenters. The first question is the current state of ICT security and safety. What measures are in place and which measures need to be taken to better protect ICT systems and services? How to ensure online safety for different groups while at the same time they rely more and more on digital technologies and who takes responsibility in this regard? How can certification and labelling support users to make the right choices in deployment and uses of digital tools and services? Four, how can public and private procurement policies advance ICT security by design? And finally, what will the social implications of quantum computing be if we do not deploy post-quantum encryption in time that is before the so-called Q day? So, let me stop there and give the first word to, and now I’ve got to find my order of things, but the first speaker is Joao, I think. So, and after that, Matias, and they will look into the first question. So, please, Joao, the floor is yours.
Joao Falcao Moreno: Hello. Thank you, Wout. Well, I’ve been working in IoT cybersecurity policymaking for the past four years for IS3C, and well, I’m here to present briefly what we have in the… IoT security policy landscape, because we need to understand the world that we are into to present actionable actions to fight the insecurity of the world. So when we started to develop this project, we really wanted to understand what was happening. And I decided to bring a couple of examples of attacks that we’ve seen in the past few years and how they evolved until today to better understand how we can fight them. So the first one is the Jeep Cherokee incident that caused a recall of 1.4 million cars. Well, this was a major risk to the drivers because the car had a system, insecure, that could be hacked from close proximity and block the brakes and control the steering wheel. So this could be a huge issue and cause the death of many. So they wisely made a huge recall. And well, we think, OK, it happened in 2015, but what now? I also decided to bring another example, which was the Kia incident last year, where millions of cars were subject to an attack, a remote attack, that could… A malicious person could change the car to his name in the system, the online system, and with this download all information about the car. Which means that they could locate the car, you could unlock it remotely, and also see your history of places you’ve been to. And again, this happened to millions of cars. This shows us a clear need to improve the security. And another issue that we studied was the IoT botnets. Because what we see is that we have millions of devices with similar software and similar vulnerabilities, which makes them vulnerable to massive attacks. And well, I bring an example here, the Raptor Train malware, which was spread in hundreds of thousands of devices and served a moot purpose. So the attackers could install information from the owners of the device. 
They could also engage in malicious activities, attacking third parties, which makes it almost impossible to protect because they seem to be a valid person inside your network trying to access it. And well, this is very difficult to tackle, especially when we have devices spread from all over the world. So to understand, after looking into the insecurity of the world, we dived into the policy landscape. So, we went through the work of ITU study group 20, which has very interesting recommendations. Also, we went to the policies that were developed by the European Union, very interesting, and of course, we went to the IETF. And this is the part that I believe really bridges all the things that we are going to discuss here today, which is how to make these devices not only protected to the threats that we know today, but also the threats of tomorrow. So, when going through IETF, they are worried about, well, when we talk about IoT devices, we are speaking of devices that are not powerful at all, and they are automated. So, we need to provide lightweight systems to run, and we will face the quantum challenges. And for this, IETF is currently working in the TLS 1.3, that would bridge the classical cryptography apart with the post-quantum cryptography, that it’s very needed to future-proof our devices.
Wout de Natris van der Borght: Thank you, João. And this is the introduction to the report that we will be telling you about a little bit later. First, we go to Matthias Hudobnik, who is online. Matthias, welcome. He is a legal engineer and AI specialist in Europol’s data protection function, combining his roles as a lawyer and an engineer. He’s also a member of ICANN’s Security and Stability Advisory Committee and a representative of the Dynamic Coalition on the Internet of Things today. So Matthias, the floor is yours. Perfect.
Matthias Hudobnik: Thanks a lot. Yeah, it’s a pleasure to be here at the Internet Governance Forum. I’m excited to contribute to this panel. I speak today in my personal capacity as a member of the ICANN Security and Stability Advisory Committee and also not necessarily, let’s say, reflecting the opinions and advices of ICANN’s SSAC. Yeah, as IoT devices connect our hospitals, energy grids, and homes, their security depends not only on protecting individual devices, but on the strength and integrity of the Internet’s core infrastructure and how we govern its evolution responsibly. And today, I will focus on four key areas: Internet security principles and the DNS, IoT security and lifecycle management, AI governance in IoT risk and regulations, and some future outlook and threats. The Internet’s resilience is built on layers or in layers. At its core lies the domain name system (DNS), the system that converts domain names to IP addresses. And if the DNS fails, so do IoT services, from smart lighting to critical hospital equipment. And we must secure this foundation with certain safeguards. So first of all, we have the domain name system security extensions (DNSSEC), which provides integrity by digitally signing DNS data, by adding cryptographic signatures to ensure data authenticity. Then we have Resource Public Key Infrastructure (RPKI), which verifies which autonomous system can announce specific IP prefixes, and thereby preventing Border Gateway Protocol hijacking. And lastly, we have also DNS-based Authentication of Named Entities (DANE), enhancing transport layer security authentication by binding certificates to domain names for enhancing authentication. And these measures illustrate how decentralized redundant systems maintain resilience. And to raise the bar, we must also adopt zero-trust architecture. So treating every request as untrusted until verified. And combined with robust encryption protocols, zero-trust helps to limit the attack surface. 
And ICANN’s KSK rollover is a successful example of multi-stakeholder collaboration to protect these global infrastructure elements. Coming to my second point, IoT security and lifecycle management. As said, IoT devices often live in the field for years. Long after the manufacturer has moved on and making security across the entire device lifecycle a non-negotiable priority. So security must be embedded at every layer. At the device level, security by design should be standard, implementing secure boot, hardware roots of trust, and requiring software bills of materials. Then at the network layer, strong encryption and strict network segmentation are crucial. And at the data level, end-to-end encryption, minimal data collection, and also privacy by design safeguards are essential. Coming to the lifecycle management, this is key. Many devices like smart meters lack an over-the-air update mechanism, leaving them vulnerable for years. So secure update path and also transport and also the transparent software bills of materials are essential. This brings me to my third point, AI governance in IoT risk and regulations, as AI is both an enabler and a risk in IoT. We are now able to detect anomalies in milliseconds, predict failures before they occur, and automate entire systems, from traffic control to predictive maintenance. But AI brings also new risks, yet issues such as data poisoning, model drift, and opacity of decisions can undermine systems trust. And as AI aggregates personal data from diverse IoT devices, we must expand data governance to balance data protection with functionality. That includes enforcing transparency, ensuring informed consent, and also avoiding black box decision making. And here, regulations like the AI Act and the General Data Protection Regulation require systems to be transparent, ethical, secure, auditable, and subject to human oversight. 
And we must ensure that the AI remains accountable, explainable, reliable, secure, trustworthy and governed, especially when we talk about critical infrastructure. This brings me to my fourth point, future outlook and threats. Looking ahead, we face urgent challenges. First of all, quantum computing: encryption algorithms like RSA and ECC will not withstand quantum decryption, and the risk of harvest now, decrypt later means attackers may already be collecting encrypted data to break later. And here, we must accelerate adoption of post-quantum cryptography led by NIST standardization efforts, or also by the IETF, for example. Another point I want to raise is also connectivity failures. So in an unstable world, resilience means designing systems that survive offline also. That includes local fallback modes, decentralized operations, and graceful failure handling when connectivity drops. A third point I want to raise is also supply chain and certification gaps. So many IoT devices lack secure update mechanisms throughout their lifecycle and also certifications. And a very important point is also capacity and awareness gaps. So beyond technology, there is a human element: cybersecurity education and also capacity building are essential. So users should understand the risks and the importance of data protection, and also regulators must be skilled in auditing both technical systems and also AI models. And both technical evolution and coordinated regulation are key to preparing for these threats. And also we must scale capacity building, digital literacy and regulatory training to meet the complexity of emerging systems. Global mutual recognition frameworks similar to those in DNS governance must be promoted. To conclude, resilience in IoT is not something we can patch in later. It must be designed from the start.
That means a secure, decentralized domain name system, zero-trust principles and strong encryption like TLS 1.3, lifecycle-aware protections including OTA updates and SBOMs, AI systems that are explainable, governed and also privacy preserving. And last but not least, also a robust fallback mechanism for when, not if, connectivity fails. And yeah, by aligning with core internet principles and international standards, we can build an IoT ecosystem that is not only innovative. Matthias, your time is up, so please, your sentence. Thank you. Yeah, I’m anyhow done. So I just want to say that’s not only innovative, but also ethical, resilient and trustworthy.
Wout de Natris van der Borght: Thank you. Thank you, Matthias. And what it shows is that there’s a gigantic challenge, that all that you mentioned needs to be done somewhere and somebody has to be responsible and made responsible. So thank you for your contribution. The next speaker will go into how to ensure online safety for different groups, while at the same time they rely more and more on digital technologies. That will be spoken to by Jutta Croll, who’s the chairwoman of the Board of the Digital Opportunities Foundation in Germany. She graduated from university in politics, media research, journalism and literature. The floor is yours, Jutta.
Jutta Croll: Yes, thank you, Wout, for giving me the floor. And also thank you to the previous speakers for drawing up a very vibrant image or picture of what threats we are facing with regard to security of devices. Now I would like to turn to a more user-centric perspective, because threats to devices and services are always threats to the people who are using these devices and services. So when we are talking about this, I do not think we need only to focus on vulnerable groups, but firstly to think about all users. When they are more and more relying, as Wout said previously, on all these services, on the Internet of Things, for healthcare, for education, all these connectivity services, they are, of course, subject to failures once the technology is failing, be it no longer having a power supply, or the failures we have heard about that come from security issues in the services. What would that mean, for example, for people living in rural areas that rely on health services that are IoT-driven? Or what would that mean to children who are educated remotely because they cannot have access to a school, going to a school? What would that mean in all those cases if the users are relying more and more on these services? Coming from the Digital Opportunities Foundation, I firstly think about the opportunities these services provide. But on the other hand, we always have to have in mind that the more the people rely on these services, the more the services need to be stable and secure for the users. So we’ve heard that the aggregation of personal data from various devices, IoT devices, could also put the users at risk. But on the other hand, we always have this Janus-headed thing that all these data will help to make the health services, for example, better, or the educational services better. So from a user-centered perspective, we would like to ask not only to focus on the security issues and the capacity building of the users to cope with these security risks.
Of course, media literacy, digital literacy, is a very important aspect of the whole game. But on the other hand, we need to build the trust and reliability of the services, and that means the service providers as well. So we’ve also already heard about the principle of safety by design, and that would mean that from the very beginning of a new service, all types of users need to be taken into consideration, not only those who have special needs, who might be vulnerable, but firstly to think ahead what it would mean to those users if they are dependent on these services. And then the second step would be to build in the safety that these users need, and that is, of course, resilience of the service, stable connectivity, but it’s also the creation of the services and the interfaces that make it easy for the users to handle these services and to benefit from using them. I will stop here now, handing over, and then maybe I can step in later on.
Wout de Natris van der Borght: Thank you. Thank you, Jutta. And you’ve presented to us the human perspective in the story of cybersecurity, so I think that gives a very… extra dimension to what we’ve been discussing so far. The next speaker is online, is Elif Kiesow Cortez, and she’s the project lead of this report called Sociopolitical and Technical Impacts of IoT and PQC Policies. You’ve already heard the work that Joao has done, and now we’re going to hear what Elif has found out about post-quantum, and if we do not fix it in time, what the implications could be for society. So Elif, the floor is yours.
Elif Kiesow Cortez: Yes, thank you very much, Wout. I hope everyone can hear me fine. So today we are happy to be presenting the findings of our report, Sociopolitical and Technical Impacts of IoT and PQC Policies. So the name speaks for itself, and we will have an amazing launch on the 27th of June at 9 a.m., I think in, I want to say workshop room one, but you can check with Wout. So this can be seen as a very little preview of this amazing report that you will also have access to, and we’ll get to hear more about, like I said, on Friday. But if you want to have a preview right now, so that you can chat a bit more in detail, maybe on site with Wout as well as Joao, you can have a look. But let me now jump into the presentation, what we wanted to mention, like I said, a bit like a preview of our report today. So already I’m saying that the report’s name speaks for itself, but of course we are addressing here the critical intersection of the Internet of Things, so IoT security, and the emerging threat addressed by post-quantum cryptography, which we will be calling PQC. And this report is a collaborative study by our dynamic coalition, the Internet Standards, Security and Safety Coalition, or as we call it IS3C, and the French Association for Cooperative Internet Naming, AFNIC. So, let me jump into the content, addressing actually the fifth question, I think, posed in the opening section regarding the impact of quantum computing on cyber security. So, based on many experts’ views, we know that the advancement of quantum computing will pose, or already poses, a significant threat to our current internet security. We do not know yet when quantum computers will be fully functioning. Wout mentioned in the opening speech maybe tomorrow, so I guess we hope not. But let’s try to scope a bit what we mean in our report, or in today’s presentation, when we talk about quantum computing, which has a lot of potential to bring a lot of good to the world as well.
But for us, from the cyber security risk perspective, when we refer to a quantum computer, for example, we are looking at a quantum computer that is cryptographically relevant. So, a quantum computer that has a focus and capacity on breaking the currently valid encryption. And why is this a significant threat? Well, for our IGF participants today, the risks of a not secure internet are already very clear, I assume. But let me introduce a newer risk that is emphasised a lot in discussions about post-quantum cryptography. This risk is popularly called harvest now, decrypt later. And what does it mean? It means the possibility of breaking the current encryption would also mean that, in theory, malicious actors might be recording today’s encrypted communications for days or months or longer, with the aim to decrypt them once they can utilise a cryptographically relevant quantum computer. Hence the naming, harvest now, decrypt later. And the risk has been recognised by many experts while urging organisations and governments to upgrade their cryptographic systems to PQC solutions. When we say this, of course, in our report we already provide an overview of the current landscape. So this discussion does not only belong to scholarly discussions in academia, but there are real applications where we are seeing it in policy form, both from the US and the EU. So in our report, we mapped these policies, and we also mentioned the key developments. So, for example, we are seeing that the US and the EU have some distinct but also converging approaches. For example, the US efforts already led to a bit of a top-down approach, let’s say, by NIST leading the standardization efforts for PQC algorithms, and even going further and setting a target for when the federal systems should migrate to PQC systems, and they set this target as 2035. Again, when we hear a date that is a decade away, we might feel like it’s not a current threat.
But let me highlight the importance again by saying, and let’s say, painting a picture, that it is very, very difficult to make sure that our migration to a new encryption system takes place. Because that is very difficult, giving it a decade actually means the action has to start now, so that we can really reach the target by a date at which we do not have any more systems that are using an old and, maybe at that point, quite irrelevant or, let’s say, risky encryption. And in the EU as well, we see European-level efforts, but we are also seeing different countries such as France, through ANSSI, also advocating for hybrid solutions, or Germany, through BSI, providing guidance and participating in several projects that are facilitating PQC migration as well. And in the Netherlands as well, we have a PQC migration handbook. So, we are already seeing these quite proactive national programs in addition to the programs that were mentioned, let’s say, at the more European level. So then we can say that both in the EU and the US we are seeing that there is this more recognized shared imperative to protect our Internet now by highlighting the importance of PQC. So, let me just keep to the time and mention very briefly that in this report we are also highlighting the societal, legal and economic impacts, as well as touching upon the environmental impacts. So let me just give two examples. For example, of course, from the societal impact perspective, we are saying that PQC is crucial for maintaining also the trust of the citizens in digital infrastructure, in addition to, of course, preserving long-term privacy against these kinds of harvest now, decrypt later attacks. And when you think of the more legal angle, we are assuming that it is possible that data protection regulations like GDPR may also compel the use of quantum-resistant encryption. So, we did produce many recommendations in this report as well.
The time is about up, so you have to finalize. So, I only need just a few seconds to show that we have organizational-level, much more technical advice in this report, starting with, for example, creating a cryptographic inventory. But we also wanted to help, of course, our IGF community as well. And we also included international guidelines that start with creating global standards that look at interoperability. So, we are not leaving any organizations, countries or people behind when it comes to making our more secure movement towards the better Internet. So, I will stop here. Thank you very much for your attention to our session.
Wout de Natris van der Borght: Thank you, Elif. Again you showed what an immense task is ahead of us if we want to fix it in time. My personal analogy is that the world should come together like it did with the millennium bug in 1999, when everybody started to act on the same principles at the same time, but unfortunately for something that never happened. But it is possible to align movements and decisions and policies. The next speaker is unfortunately not present here today, it is Maarten Botterman; he will be replaced by Jonathan Cave because of personal circumstances, and my thoughts are with him at this moment. Jonathan, you are taking care of the question, how does resilience assist us and who has to play a key role here? And Jonathan is also representing DC-IoT. Jonathan, the floor is yours.
Jonathan Cave: Thank you very much, Wout, can I be heard? It asks if I want to unmute, okay, that’s fine. Okay, yes, on the issue of resilience, because the IoT and the internet beyond it are large complex networks, one of the questions we have to ask is resilience of what, and who is responsible for maintaining this resilience? So as we see the new emerging technological challenges, and I’ll mention particularly AI/machine learning and to a certain extent quantum computing, beyond a certain point these are no longer merely quantitative changes, but they bring qualitative changes with them. And much of the governance of the internet, and indeed the economic and social systems behind it, is predicated on the notion of human beings being usefully responsible for the choices that they make and the oversight they might be able to exercise. But as the speeds increase and as the complexities increase, it may no longer be appropriate or even possible to rely on these things. And when that happens, particularly in a system which has in it many, many generations of devices performing changing sets of tasks, some of these challenges cannot be overcome from a design perspective. Because what happens to the devices once they’re unleashed in the wild, what we do with them and what they do to our thinking and to our behavior, require monitoring and reaction rather than something that we can build in from the outset. So one thing that would happen quite clearly, to maintain the functioning of the IoT or the functioning of the Internet on which we rely, is that it may be necessary for the permissions accorded to devices, what systems they can access, what processing they can do, to change as the uses that are made of them and the other systems with which they have to interact continue to evolve. And some of this can’t be understood at the level of individual systems, but has to do with emergent effects. Another thing that we notice comes directly from the use of AI.
When devices were stupid devices and merely did what they were told, you could hold individuals responsible for them: the engineers designed them, and informed the systems and the users of what they could and couldn’t do, and they would make appropriate changes. But when the devices make use of things like deep learning, it may not be possible to make meaningful explanations of what they have done, and it may be that the recommendations from these devices begin to supplant or change human decision-making. An example of this is the recent report released last week from MIT that looked at the use of AI in educational settings and found that, while AI can be useful from a purely mechanical perspective, it results in shallow reading rather than deep reading. It actually changes the way people think and the extent to which they can be usefully held responsible. Another thing is that because these systems interact, what they do collectively may not be the kind of thing that we can easily control from the individual systems level. And in certain contexts like the financial context, if we have devices making trades, for example, you can have devices which effectively collude and break the functioning of the system, even though nothing in any individual device leads you to suspect that that might be possible. And the faster these things operate and interact, the harder it is to detect these things before they become somewhat irreversible. On the level of quantum computing, I think one of the things that’s most particularly interesting is the way in which the Internet’s development has relied on encryption as a way of controlling access to information. And of course, it is the case that fully functioning quantum computers can break our existing encryption levels. But it also means that we can use them on the other side to attack or understand the behavior of the people who might be engaged in sabotaging or breaking the system.
Moreover, the use of quantum computing can help us to understand things that are not the result of attacks, but of the complexity of the system itself, what you might consider to be accidents. And so from that perspective, I see quantum computing as rather a part of the solution more than part of the problem. And the final thing is to say that when we use these devices, when we do regulatory change or design change or certification, which I’ll talk about in a few minutes in another part of this session, we have to take account of the history that is available to us. And one of the things that can happen with AI is that it can lock in an interpretation of history. We see a set of events, and what Elif said about harvest now, decrypt later comes very much to this point. That when we decrypt these things, we’re decrypting them in a different context than they were originally collected in. And it may be that certain, what would you call them, hallucinations become embedded in the way we engineer these systems and the way in which we govern these systems. So that’s actually all I had to say on this. So in the interest of time, I will stop, except to say that the resilience of a complex system is the rate at which it returns to the functions it used to maintain. The robustness of a system is the way in which it is able to fend off attacks and continue behaving the way it used to behave, even if that is counterproductive. And so we have to be very careful that the system resilience that we have encourages learning and evolution and doesn’t prevent it in the hope of preserving something which is no longer useful to us. And as humans and machines begin to share the same responsibility space, we have to be particularly aware of that. Okay, that’s it for now. Thanks, Wout.
Wout de Natris van der Borght: And thank you, Jonathan, for stepping in at the last moment to replace Maarten. This is much appreciated. We go to question four. How can public and private procurement policies advance ICT security by design? And Liz Orembo, who is there, is the chair of IS3C’s working group on ICT procurement, but also an internet governance expert in her own right. So, Liz, the floor is yours.
Liz Orembo: Thank you, Wout. It’s my first time speaking into this mic. I wonder whether you’re listening to me, but I’m also listening to myself, which is very, very confusing. Now, I… I guess everyone’s listening to me. My name is Liz Orembo, and I’m from Research ICT Africa, and I led this working group that researched the procurement of internet, of IT devices. Now, why did we do this research? It’s because the things that we buy actually determine market standards. Are the devices that you get secure? Who’s going to determine that? The market follows what is demanded out there. And who are the biggest users or buyers of technology? As we see, or as our assumption in this research goes, one of them is government. Government does policies, but it also uses technology itself. It also governs what kinds of technologies cross borders and approves, through consumer protection, what kinds of products are being used by the citizen. So in a way, they are very responsible, or they play a very big role in determining whether the technologies and the services that we use, IT technologies, are secure. And in that way, they protect people, they protect data, they also protect systems. But when you look at it also broadly, these devices also form part of what we call global internet infrastructure. So if the devices are not secure themselves, even the security of the internet itself is not very, very secure. So that’s why we looked at government procurement, and also we looked at their broader role in guiding markets on procurement. One of our major findings here is that it’s unfortunate that there’s a lot of effort being put in standards development,
and also time given that for some of these bodies, like IEEE, to come up with standards it takes long efforts of consensus, but once these standards are developed, not very many governments, or even non-government institutions, use them. And there’s an unevenness even in how they are being used. You find that in some governments, good examples like Taiwan, the Netherlands, Italy and the US, NIST standards have actually borrowed from some of these standards to ensure that some of their procurement aligns with some of these global standards. But in some areas, and in this research we interviewed some countries, and with some countries we just went through their procurement documents, and that’s where I’m getting these examples from. I looked at the African Union and some African countries, and there was very little mention of some of the IEEE standards on cyber security; even data protection standards were also not there. When you go to the African Union, they really don’t have IT procurement standards there like the European Union or even the US itself. What you get there on procurement is a concern that there is interoperability, so that from one procurement regime to another the infrastructure is able to speak to one another, but not beyond that. But then I’d like to move away from the traditional security standards. So beyond the IEEE standards, data management standards, there are also standards to deal with governance. And those are standards where countries would require that whenever they procure technology, they procure from territories that have political stability, because they also recognize that for some of this technology, be it hardware, be it software, for them to protect this infrastructure and devices, they need a continuous relationship with the people that they procured it from. And if the other country is not politically stable, then that relationship also can’t be maintained.
It means that whenever there’s a system failure, whatever failure of that infrastructure, then it’s going to take longer for them to take care of those incidents. So some of these standards, governance standards, are actually reflected in some of these procurement documents. One of them that I saw here was UK procurement protocols, and even the Netherlands procurement protocols really called for a longer-term relationship and, actually, came up with guidelines from the procurement itself, identifying what is to be procured, the relationship between the service provider and the person who’s taking the service, what types of handovers there should be, and even after service delivery, what actions should be there, and even timelines. Some of them look at timelines beyond even five years for some technologies. And then we look at… I’m being told that I have one minute, and I have a lot to say, and I’ll try to say it in a very short period of time. Okay, we also look at how these standards are even governed or even put in place. So there are different ways, depending on how government is organized or how they work with different agencies. For example, in my country, Kenya, some of the standards are being coordinated from the standards body, which usually is taken care of – it’s usually coordinated by trade, a body dealing with trade. So it actually deals with the technology coming into the country as well as that which is being sold to the users. The other one is through ministries of ICT, and this tends to work between the two ministries and the standards body. We didn’t really recognize which one works the best, but I think the one body that has really worked very nicely – okay, I have to stop there, sorry. But let me just say this, because this was going to be my parting shot. My parting shot is that not many governments use these procurement standards, which take a lot of effort to develop.
It could also be because of capacity, or also because of finance itself. And I think there should be an effort to make sure that even as standards bodies develop these standards, they should also come up with implementation mechanisms to ensure that countries are able to use them. Also, a campaign for them and capacity building for them. Thanks.
Wout de Natris van der Borght: Yes, thank you, Liz. And I think it’s also called economic buying power, because if you don’t buy from somebody who doesn’t offer the standards, then it means that they’re out of business pretty soon. So thank you very much, Liz. I’m now going to Jonathan again in his original presentation. Jonathan, I forgot to introduce you, but Jonathan Cave is a game theorist and regulatory economist, and he’s an associate of Maarten Botterman’s consultancy, but also a member of the University of Warwick Economics Department and a member of the Alan Turing Institute’s Data Ethics Group and the TREX Reviewer Group. You’re going to answer the question, how can certification and labeling support users to make the right choices in deployment and use of digital tools and services? Jonathan, the floor is again yours.
Jonathan Cave: OK, thank you, Wout. I’ll try to be economical in my use of time, but the first thing I wanted to say was that in thinking about this joint session, it became fairly obvious to us that the IoT perspective was only one perspective on a shared problem, and that coming from that perspective, if you think of the internet in terms of devices, there are certain assumptions that go with it and certain solutions to problems that naturally suggest themselves. And so it might be thought that we would, from the IoT perspective, come up with device-oriented or hardware-oriented solutions to problems which could also be tackled in behavioral or economic or other ways. And so therefore, I just wanted to be clear about the fact that anything I’m going to say comes largely from the regulatory and device perspective, but the ultimate call would be to use the problems as a common platform where all of our communities can come together and explore different aspects of the issues without trying to take ownership of them. So, that being the case, there have been a lot of approaches to dealing with IoT devices, in particular because the technology, the manufacture and the use of these devices is global in a way that laws and regulations and economic structures and social structures are not. So, therefore, there’s an inherent cross-border aspect to these things. And schemes to deal with these problems, including labeling schemes that enable markets to put demand where devices embody the standards or the practices that people think are valuable, and certification schemes which allow the devices to interoperate with other devices, secure in the knowledge that the whole system together won’t topple over, are being developed quite rapidly. And each of them comes from a particular perspective.
They can interact through what are called mutual recognition frameworks, and in particular, in modern free trade agreements, there are very often components dealing with the ability to put devices on the market in other countries that depend on mutual recognition and market surveillance schemes to make sure that the devices meet local standards as well. Because of this, the IoT landscape, the ecosystem, is very dynamic and it’s evolving very rapidly, but it’s pushed by all these different forces: governments, civil societies, market operators, and so on. And where there are problems that we already know about, the IoT responds with formal and informal actions, including things like co-regulation. And the thing I want to mention here is that a lot of the discussion has been predicated around the issue of privacy, of the protection of personally identifiable information. But many of the issues increasingly, particularly in the AI context, involve information which is not personal, it does not identify a human being. But it may be proprietary, it may be non-personal information whose protection and control is essential if the system is to evolve in the right way. So adapting the GDPR and similar types of mechanism to deal with this broader understanding of data, and data not merely in the sense of I can stop you from using it, but data in the sense that I now have a voice in how those data are processed and used, is particularly important. Now, if you have a good decision, it could benefit everyone. But the structure of the value chains is such that it is unlikely to do so, and certain large firms or certain countries are more likely to benefit than others, and a degree of cooperative multi-stakeholderism is necessary if we’re going to move towards actually getting these things implemented. Now the national differences can arise in some cases because of technological or scientific differences, but also as a reflection of cultural and legal heritage.
And so in a certain sense, the technology itself could serve as a platform for countries getting together to address issues that otherwise they couldn’t properly talk about. Now in the ways in which we deal with these, some of the schemes that we have are permissive schemes. Open standards, open labels and certification, which are there to allow the market to work, to encourage the development of good devices, are in place, but they can also lock in or lock out people with different needs, and the result of that lock-in or lock-out could be innovation, but it could simply be fragmentation. It’s not that we develop a lot of things, each of which serves somebody’s needs, but we develop a welter within which it’s very hard for people to make good decisions. But an example of such a permissive scheme is if, for example, in the procurement rules, you say, you should adhere to this standard, or comply, or produce performance according to this standard, or you should be able to demonstrate that you have equivalent performance. That kind of innovation-friendly recasting of procurement rules can help to resolve some of these otherwise intractable problems. Now, it may also be that some of the things we regard as virtues, like privacy or openness or even trust, are not necessarily good to an indefinite extent. They should be appropriate. In other words, if I’m talking about an issue of security, and I trust you as the provider of my system to protect that security, I may wind up reliant on you for something which either you don’t deliver to me, or which I can better do for myself, because I have a better sense of when I want to share my information or my decision space, and when I don’t. Okay, that’s fine. Thank you very much. So, we want to be careful about these sorts of global issues, and so I’ll just conclude by mentioning a couple of steps that I think might be very useful in this sort of trust-but-verify or comply-or-explain type of environment.
Mutual recognition, not just between countries in the context of free trade agreements, but between spheres, for example, hardware, software, service provision, or civil society and business. Mutual recognition arrangements are very useful, not in solving problems, but in getting the discussion started. We have to deal with the global aspects of the generation problem, because in some countries there is a higher preponderance of devices which come from older generations and may break or impair the connection of those countries and those people to more modern systems and deny them access to things which would be of mutual benefit or which would tell the people in the more developed countries about things which they would have, in their technological advancement, overlooked, as we saw with the promulgation of things like Raspberry Pi in less developed contexts. And the final thing is that we should monitor, connect and support standards development organizations and figure out how governments and businesses can join with civil society in the maintenance of standards that adapt to change as they occur.
Wout de Natris van der Borght: Okay, all done. Sorry for overrunning that. Thank you Jonathan. Jutta, you’re also going to answer the same question, so please, and Jutta is from D.C. Cride.
Jutta Croll: Yes, thank you, but firstly let me take up two points that were made by Jonathan and also by Liz when they were talking about the standards. Because one example, and it dates, I do think, more than 20 years ago, of a government taking up a standard was Section 508 when that was adopted by the United States government, making it mandatory for all procurement procedures to adhere to accessibility standards. That was the game changer and from that time on we really have achieved accessibility in all these products that came to the U.S. administration, though I think that is a very good example of how governments can react to standards that are already there. My second example would be the ISO IEC standard 27566 on age assurance methodologies and that was a development of a standard that took less time than most of the other standards to come out and that is obviously due to the fact that we have such a huge and fast and quick innovation in that area that it’s important to have the standard ready in time. So now I’m going to answer your question, Wout. And I do think, yes, Jonathan has also been talking about the complexity and the difficulties and the challenges it poses to human beings to be able to cope with the complexity of all these systems they are relying on now, and definitely that is an issue that could be addressed by labeling and certification, but we do think that it’s also necessary to have for certain groups, for elderly people, for children as well, kind of intermediaries who help them understand the certification and labeling when they make the decision on the devices they will use. Also the parents who are responsible for the children need to have this kind of guidance on which devices are appropriate for their children and which devices are also rights respecting in regard to their children.
So yes, labeling and certification may help in this regard, but still we need to see how we bring that information to the users themselves to make a competent decision in regard to the services they may use or in regard to the devices. And when it comes to artificial intelligence I do think it’s even the next layer of complexity, making it very difficult to leave the responsibility only with the users. We need to support them, we need to have concepts to make them not only acquainted, but to make them considerate in the decision they are going to make. Thank you.
Wout de Natris van der Borght: Thank you, Jutta. And that opens the floor for questions. So who has any questions to the panelists? There are microphones, but also here, but please introduce yourself first.
Audience: Thank you. Can you hear me? All right. Yeah, thank you for hosting this session. I think it’s very important that we discuss safety and security, especially in the new age that’s coming, and it’s important more than ever now. I’m Rehansh, I lead the Dynamic Coalition on Gaming for Purpose. I also lead the community at AI Square. And the burning question I have is for developers and engineers actually: how do we make sure that when developers and engineers on the grassroots level use these AI tools that are coming together to ship products faster than ever, how do we ensure that these tools and these AI systems understand how we need to implement security and safety from the ground up? So, how do we do that? How do we tackle that issue?
Wout de Natris van der Borght: Thank you. Who would like to answer? It could also be online. So, who would like to answer first? Can I go second? Go second? Johan first? Okay, I’ve been told to go first. Definitely what I said before, Rianne, is that have a user-centric approach.
Jutta Croll: So, can you hear me? Okay. So, if the developers have in mind who will be their target group and a broad perspective on their target group, not only considering it’s maybe for a small percentage of users, but for all users, taking in mind that there are users with different needs, then probably this would be the first step to a user-centric approach.
Joao Falcao Moreno: Hi. So, I believe that the developers need to understand that the AI is not a teacher. It’s a tool. So, you cannot learn how to cut a tree with an axe. And, well, it’s very important to understand what are the security risks that your code creates and learn how to test them. So, seeing that in the IoT spectrum, I saw some documents orienting on how you can test your system in the development process to validate if it has a specific vulnerability or not. So, we need to embed the security into the development process.
Wout de Natris van der Borght: Thank you. Thank you for your question. Is there a question online, Torsten? Hello.
Torsten Krause: Currently, we have 22 participants taking part remotely in this session, and we have several comments and also links shared for further reading and information. There was one question to Jonathan Cave, but meanwhile, he answered it in the chat already, and so it’s solved. Perhaps you can read it very shortly so that we know what the question was. The question was raised by Kateryna Bozunovska, I hope I pronounced it correctly. The question was, if possible, I’d like to address a question to Mr. Jonathan Cave regarding his point on the privacy of going beyond PII to the proprietary data. Hasn’t this type of data been already covered by the traditional understanding of confidentiality? If considered covered by the confidentiality concept, this data would be included in the security design of the IoT, for instance, following the CIA triad emphasized by NIST. The answer was from Jonathan Cave: up to the point where information elicited from users is used to train and adjust, for example, AI systems, or where confidentiality comes up against procurement rules for developing systems, for example, contractor collection and exchange requirements, privacy may be more relevant, and privacy and NDAs should be negotiated if you are to limit foreclosures for markets.
Wout de Natris van der Borght: Thank you, Thomson, and thank you for your question online, of course. Please introduce yourself first and then ask your question. All right.
Audience: My name is Vinicius Fortuna. I’m an engineer at Google Jigsaw on access, resilience, and privacy. So, just to give a background, when you access a site using HTTPS, the domain name still leaks in plain text, like on the DNS query or when you establish the connection. And that has always been the case, but with AI, this changes and it becomes a real threat. Because the domain name reveals a lot about you. It can give you your employer information, location, your habits, sexual preferences, gender, associations, religious beliefs. So it’s really scary. I actually ran an experiment where I captured my domain names, ran it to LLM, and built a profile about me. With the right tools, people could be building profiles about everyone here that’s now using VPN connected to the public network. There are two solutions for that. One is that needs to be used combined, like encrypted DNS and this other new protocol called Encrypted Client Hello. But we need adoption. So I wonder if this threat is on your radar and how can we incentivize adoption and make sure that this gets deployed to cover and close this gap that is remaining. And with AI, it becomes easier to exploit.
Wout de Natris van der Borght: Yes, thank you. I’ll look to Joao for a part of it, but I think what this was presenting on is these standards are out there in some cases for more than 20 years. And why are they still minus 50% and in some countries minus 25% not being deployed? And that has to do with the will to deploy, but it also has to do with demanding that they’re deployed. And it has to do with legislation, perhaps, but that’s something where in Europe we’re now starting to touch upon. But if we start using procurement as a tool to demand security, then the company has a choice either to have the standard in place, or not, and not get the assignment or the service provided or whatever. So I think that that is the strongest tool possible. Thank you, Torsten. So the next who is going to answer that question is Matthias, and he’s online. So, Matthias, the floor is yours.
Matthias Hudobnik: Hello, everyone. Can you hear me and see me well? Perfect. Yes, it works. So, first of all, thanks a lot for the questions. I just want to quickly respond to the first question related to developers and AI. So I think that’s a very good question, and it can be tackled in, let’s say, various layers. So it’s typically an AI governance question. So you need to check, first of all, what is the kind of organization? So the organizational layer in terms of AI, let’s say, how do you govern, what governance structure do you use? Secondly, I would be then, okay, what kind of laws and policies are applicable related to the organization? And then based on the laws, you have certain standards which you need to fulfill when you want to deploy, for example, an AI tool, like in the AI Act. And there it is very clearly set what is, for example, a high-risk AI system, what kind of safeguards do you need in place, what people need to be involved. And then another important point is then also a kind of – and based on that, for example, framework, you have some kind of risk taxonomy where you can, let’s say, define the different types of risks. And then you also need to find some kind of operational process layer, how you will operationalize it in your organization. And then a very important point is then also a technical infrastructure layer where you say, okay, how do you secure, for example, then this operational thing, like whatever, security and access control, monitoring and logging, testing and validation. And then a very important point is then also finally the people and culture layer where you would say, okay, who is involved in deploying the system? Do they have the training? What about the ethics? What about security and AI development? What are the roles and responsibilities and also incentives and accountability, let’s say? So this is to this question. And then there was the second question related to the DNS.
I mean, there are various advices with regards to encrypted DNS and potential threat vectors. Please look on the website. We have 127 advices related to internet security and stability, DNS blocking. Please have a look on the SSAC website. And if you have further questions, we can take it one on one. Thanks a lot for the question.
Wout de Natris van der Borght: Thank you, Matthias. And we’re almost getting to the end of our session, but I’m looking at you, Torsten, could you perhaps in one sentence say what you would think is the main message of the session? I think it’s a hard question. You could also say no, but you’ve been taking notes. So what would be the message that we’re gonna share within two hours?
Torsten Krause: One sentence is really hard. I’ve taken so many notes that I can give another input of 15 minutes, but maybe what would be kind of the core is that threats to services and devices are not just threats to these tools, but are threats to the users, to the humans. And that’s why it’s so necessary to have safe and secure procurements in place, not to have such safe tools, cars, whatever, IoTs, but to have a safe and secure environment for us as human beings. And that’s, I think, the core, and that’s why it’s so necessary to develop all these standards and procurements.
Wout de Natris van der Borght: I think that’s worth an applause to have an abbreviation like that in one minute. Thank you, Torsten. That brings us to the end of our session. And I think we had a very good workshop showing what the three dynamic coalitions represented here work on, and the results that they’re bringing to the IGF. I’d like to point to the fact that we have a main session of dynamic coalitions tomorrow, I think at nine o’clock, if I’m correct, and we have room because you do an excellent job, which I think is really commendable. So, and finally, thank you all for being here and showing your interest in our work and we hope to show more next year. So thank you very much. And I’ve got five seconds left, so I’m in time. Bye-bye. Thank you! Bye-bye.
Wout de Natris van der Borght
Speech speed: 152 words per minute | Speech length: 2013 words | Speech time: 794 seconds
IoT devices remain vulnerable due to low security standards deployment and market prioritization over security
Explanation
The speaker argues that security issues in IoT have persisted since 2004, with vulnerable groups remaining at risk due to insufficient deployment of security standards. Commercial interests and market priorities consistently take precedence over user security, creating ongoing vulnerabilities.
Evidence
Referenced his 21 years of experience in the internet arena since 2004 and first IGF presentation in 2009. Used analogy of buying a car at the top of a mountain where security features like brakes and steering wheel are offered as optional add-ons while descending at increasing speed.
Major discussion point
Current State of ICT Security and Safety
Topics
Cybersecurity | Infrastructure | Legal and regulatory
Agreed with
– Matthias Hudobnik
– Jutta Croll
Agreed on
Security by design must be embedded from the beginning of development
Economic buying power through procurement can force market adoption of security standards
Explanation
The speaker contends that if buyers refuse to purchase from suppliers who don’t offer required security standards, those suppliers will be forced out of business. This economic pressure can drive widespread adoption of security measures across the market.
Evidence
Stated that ‘if you don’t buy from somebody who don’t offer the standards, then it means that you’re out of business pretty soon’
Major discussion point
Procurement Policies and Standards Implementation
Topics
Economic | Legal and regulatory | Infrastructure
Agreed with
– Jutta Croll
– Liz Orembo
Agreed on
Government procurement policies can drive market adoption of security standards
Joao Falcao Moreno
Speech speed: 96 words per minute | Speech length: 678 words | Speech time: 421 seconds
Major security incidents like Jeep Cherokee recall and Kia remote attacks demonstrate ongoing vulnerabilities in connected devices
Explanation
The speaker presents evidence of serious security flaws in connected vehicles that have persisted over time. These incidents show how vulnerabilities can affect millions of users and pose significant safety risks, from physical harm to privacy breaches.
Evidence
2015 Jeep Cherokee incident causing recall of 1.4 million cars due to hackable systems that could control brakes and steering wheel. 2023 Kia incident affecting millions of cars where attackers could remotely change car ownership, unlock vehicles, and access location history.
Major discussion point
Current State of ICT Security and Safety
Topics
Cybersecurity | Consumer protection | Privacy and data protection
IoT botnets like Raptor Train malware spread across hundreds of thousands of devices for malicious purposes
Explanation
The speaker explains how IoT devices with similar software and vulnerabilities become targets for massive botnet attacks. These compromised devices can steal information and conduct attacks on third parties while appearing as legitimate network users, making detection and protection extremely difficult.
Evidence
Raptor Train malware example spreading across hundreds of thousands of devices, enabling information theft and third-party attacks while appearing as valid network users
Major discussion point
Current State of ICT Security and Safety
Topics
Cybersecurity | Network security | Cybercrime
IETF is developing TLS 1.3 to bridge classical and post-quantum cryptography for lightweight IoT devices
Explanation
The speaker describes how the Internet Engineering Task Force is working on TLS 1.3 to address the unique challenges of IoT devices in the quantum era. This protocol aims to provide quantum-resistant security while remaining lightweight enough for resource-constrained IoT devices.
Evidence
Referenced IETF’s current work on TLS 1.3 that bridges classical cryptography with post-quantum cryptography for IoT devices that are not powerful and are automated
Major discussion point
Post-Quantum Cryptography and Quantum Computing Threats
Topics
Cybersecurity | Encryption | Digital standards
Agreed with
– Elif Kiesow Cortez
– Matthias Hudobnik
Agreed on
Post-quantum cryptography migration requires immediate action despite long timelines
Developers must understand AI as a tool rather than a teacher, requiring proper security testing knowledge
Explanation
The speaker emphasizes that developers should not rely on AI to learn security practices, comparing it to trying to learn to cut a tree with an axe. Instead, developers need to understand security risks in their code and learn proper testing methodologies to validate against vulnerabilities.
Evidence
Mentioned documents in IoT spectrum that provide guidance on testing systems during development process to validate for specific vulnerabilities
Major discussion point
AI Governance and Development Practices
Topics
Cybersecurity | Development | Digital standards
Matthias Hudobnik
Speech speed: 141 words per minute | Speech length: 1378 words | Speech time: 583 seconds
Internet security depends on foundational infrastructure like DNS, requiring DNSSEC, RPKI, and DANE for protection
Explanation
The speaker argues that IoT security fundamentally depends on the strength of the Internet’s core infrastructure, particularly the Domain Name System. He outlines three critical safeguards needed to maintain this foundation: DNS security extensions, resource public key infrastructure, and DNS-based authentication.
Evidence
Explained DNSSEC provides integrity through digital signing, RPKI prevents BGP hijacking by verifying autonomous system announcements, and DANE enhances TLS authentication by binding certificates to domain names
Major discussion point
Current State of ICT Security and Safety
Topics
Cybersecurity | Infrastructure | Network security
Agreed with
– Joao Falcao Moreno
– Elif Kiesow Cortez
Agreed on
Post-quantum cryptography migration requires immediate action despite long timelines
Zero-trust architecture and robust encryption protocols are essential for limiting attack surfaces
Explanation
The speaker advocates for implementing zero-trust security models that treat every request as untrusted until verified. Combined with strong encryption protocols, this approach helps minimize potential attack vectors and improve overall system security.
Evidence
Referenced ICANN’s KSK rollover as a successful example of multi-stakeholder collaboration to protect global infrastructure elements
Major discussion point
Current State of ICT Security and Safety
Topics
Cybersecurity | Network security | Encryption
Digital literacy and capacity building are essential for users to understand and cope with security risks
Explanation
The speaker emphasizes that beyond technical solutions, there’s a crucial human element requiring cybersecurity education and capacity building. Users need to understand risks and data protection importance, while regulators must develop skills to audit both technical systems and AI models.
Evidence
Mentioned need for cybersecurity education, capacity building, digital literacy and regulatory training to meet complexity of emerging systems
Major discussion point
User-Centric Security and Vulnerable Groups Protection
Topics
Capacity development | Cybersecurity | Online education
Agreed with
– Jutta Croll
– Joao Falcao Moreno
Agreed on
User-centric approach is essential for effective security implementation
AI systems aggregating personal data from IoT devices require expanded data governance frameworks
Explanation
The speaker argues that as AI systems collect and process data from diverse IoT devices, traditional data protection approaches need expansion. This includes enforcing transparency, ensuring informed consent, and avoiding black box decision-making while balancing data protection with functionality.
Evidence
Referenced AI Act and GDPR requirements for systems to be transparent, ethical, secure, auditable, and subject to human oversight
Major discussion point
AI Governance and Development Practices
Topics
Privacy and data protection | Legal and regulatory | Human rights principles
AI governance requires multiple layers: organizational, legal, risk taxonomy, operational processes, and technical infrastructure
Explanation
The speaker outlines a comprehensive framework for AI governance that spans multiple organizational levels. This includes governance structures, applicable laws and policies, risk classification systems, operational processes, and technical safeguards, all supported by proper training and cultural considerations.
Evidence
Detailed framework including organizational governance structures, legal compliance with AI Act requirements for high-risk systems, risk taxonomy definition, operational processes, technical infrastructure with security controls, and people/culture layer with training and accountability
Major discussion point
AI Governance and Development Practices
Topics
Legal and regulatory | Cybersecurity | Development
Disagreed with
– Jutta Croll
Disagreed on
Approach to AI governance – technical versus human-centered
Jutta Croll
Speech speed: 136 words per minute | Speech length: 1019 words | Speech time: 446 seconds
Threats to devices and services are fundamentally threats to the people using them
Explanation
The speaker shifts focus from technical vulnerabilities to human impact, arguing that security issues with IoT devices and services directly affect users who depend on them. She emphasizes taking a user-centric perspective rather than focusing solely on technical aspects of security threats.
Major discussion point
User-Centric Security and Vulnerable Groups Protection
Topics
Human rights principles | Cybersecurity | Rights of persons with disabilities
Agreed with
– Matthias Hudobnik
– Joao Falcao Moreno
Agreed on
User-centric approach is essential for effective security implementation
Users in rural areas relying on IoT-driven health services face significant risks when technology fails
Explanation
The speaker highlights how technology failures disproportionately impact vulnerable populations, particularly those in rural areas who depend on IoT-enabled healthcare services. She also mentions children receiving remote education as another at-risk group when connectivity or device security fails.
Evidence
Examples of people in rural areas relying on IoT-driven health services and children educated remotely who cannot access physical schools
Major discussion point
User-Centric Security and Vulnerable Groups Protection
Topics
Digital access | Rights of persons with disabilities | Online education
Safety by design must consider all types of users from the beginning, not just those with special needs
Explanation
The speaker advocates for inclusive design principles that consider diverse user needs from the outset of service development. Rather than treating accessibility and safety as afterthoughts or focusing only on vulnerable groups, she argues for comprehensive user consideration in the initial design phase.
Major discussion point
User-Centric Security and Vulnerable Groups Protection
Topics
Rights of persons with disabilities | Development | Human rights principles
Agreed with
– Wout de Natris van der Borght
– Matthias Hudobnik
Agreed on
Security by design must be embedded from the beginning of development
Intermediaries are needed to help elderly people and children understand certification and labeling for device decisions
Explanation
The speaker argues that while certification and labeling can help users make informed decisions about IoT devices, certain groups need additional support. She specifically mentions elderly people and children (through their parents) as requiring intermediary assistance to understand and act on certification information.
Evidence
Referenced ISO IEC standard 27566 on age assurance methodologies as example of standards development that took less time due to fast innovation in the area
Major discussion point
Certification and Labeling Systems
Topics
Children rights | Rights of persons with disabilities | Consumer protection
User-centric development approach considering diverse user needs is essential for secure AI implementation
Explanation
The speaker emphasizes that developers should adopt a user-centric approach when implementing AI systems, considering a broad perspective of target users rather than focusing on a small percentage. This approach should account for users with different needs and capabilities from the beginning of development.
Major discussion point
AI Governance and Development Practices
Topics
Development | Human rights principles | Rights of persons with disabilities
Agreed with
– Matthias Hudobnik
– Joao Falcao Moreno
Agreed on
User-centric approach is essential for effective security implementation
Disagreed with
– Matthias Hudobnik
Disagreed on
Approach to AI governance – technical versus human-centered
Section 508 accessibility requirements demonstrate how government standards can drive market change
Explanation
The speaker provides a historical example of how government procurement policies can transform markets. She cites the US adoption of Section 508 accessibility standards over 20 years ago as a game-changer that made accessibility mandatory in government procurement, driving widespread industry adoption.
Evidence
Section 508 adoption by US government making accessibility standards mandatory for all procurement procedures, which became a game changer for achieving accessibility in products
Major discussion point
Certification and Labeling Systems
Topics
Legal and regulatory | Rights of persons with disabilities | Consumer protection
Agreed with
– Wout de Natris van der Borght
– Liz Orembo
Agreed on
Government procurement policies can drive market adoption of security standards
Elif Kiesow Cortez
Speech speed: 144 words per minute | Speech length: 1139 words | Speech time: 472 seconds
Quantum computing poses significant threats to current internet security through cryptographically relevant quantum computers
Explanation
The speaker explains that while quantum computing has potential benefits, cryptographically relevant quantum computers specifically pose major security risks by having the capacity to break currently valid encryption methods. This threatens the foundation of current internet security infrastructure.
Evidence
Referenced collaborative study by IS3C and AFNIC on sociopolitical and technical impacts of IoT and PQC policies
Major discussion point
Post-Quantum Cryptography and Quantum Computing Threats
Topics
Cybersecurity | Encryption | Infrastructure
Disagreed with
– Jonathan Cave
Disagreed on
Quantum computing as threat versus solution
“Harvest now, decrypt later” attacks involve recording encrypted communications today to decrypt when quantum computers become available
Explanation
The speaker describes a specific threat where malicious actors collect encrypted data now with the intention of decrypting it once quantum computers become capable of breaking current encryption. This creates immediate urgency for upgrading cryptographic systems even before quantum computers are fully operational.
Evidence
Explained the concept where malicious actors record today’s encrypted communications for days, months, or longer to decrypt them once cryptographically relevant quantum computers become available
Major discussion point
Post-Quantum Cryptography and Quantum Computing Threats
Topics
Cybersecurity | Encryption | Privacy and data protection
US and EU have distinct but converging approaches, with NIST setting 2035 as migration target for federal systems
Explanation
The speaker outlines how different regions are approaching post-quantum cryptography preparation with both similarities and differences. The US has taken a top-down approach through NIST standardization, while EU countries are developing various national programs, but both recognize the shared need for PQC migration.
Evidence
US NIST leading standardization efforts and setting 2035 target for federal systems migration; EU countries like France, Germany, and Netherlands developing national PQC programs and guidance documents
Major discussion point
Post-Quantum Cryptography and Quantum Computing Threats
Topics
Legal and regulatory | Digital standards | Cybersecurity
PQC migration requires immediate action despite decade-long timelines due to implementation complexity
Explanation
The speaker emphasizes that while 2035 may seem far away, the complexity of migrating entire cryptographic systems means action must begin immediately. The difficulty of ensuring complete migration across all systems necessitates starting the process now to meet future deadlines.
Evidence
Explained that giving a decade for migration actually means action has to start now due to the difficulty of ensuring complete system migration
Major discussion point
Post-Quantum Cryptography and Quantum Computing Threats
Topics
Cybersecurity | Infrastructure | Digital standards
Agreed with
– Joao Falcao Moreno
– Matthias Hudobnik
Agreed on
Post-quantum cryptography migration requires immediate action despite long timelines
Jonathan Cave
Speech speed: 151 words per minute | Speech length: 2171 words | Speech time: 857 seconds
Large complex networks require understanding of resilience versus robustness in maintaining system functions
Explanation
The speaker distinguishes between resilience (the rate at which systems return to their intended functions) and robustness (the ability to fend off attacks while continuing previous behavior). He argues that resilience should encourage learning and evolution rather than preserving outdated functions, especially as humans and machines share responsibility.
Evidence
Defined resilience as rate of return to functions and robustness as ability to maintain previous behavior even when counterproductive
Major discussion point
Resilience and System Complexity
Topics
Infrastructure | Cybersecurity | Network security
AI and machine learning create qualitative changes that may exceed human oversight capabilities
Explanation
The speaker argues that AI and quantum computing represent qualitative rather than merely quantitative changes to internet systems. As speeds and complexities increase, traditional governance models based on human responsibility and oversight may no longer be adequate or possible.
Evidence
Referenced MIT report showing AI use in educational settings results in shallow rather than deep reading and changes how people think
Major discussion point
Resilience and System Complexity
Topics
Legal and regulatory | Human rights principles | Online education
Device permissions and access rights must evolve dynamically as systems and uses change over time
Explanation
The speaker contends that static security models are insufficient for complex IoT networks where devices perform changing tasks over multiple generations. Permissions and access controls need to adapt based on monitoring and reaction rather than being fixed at design time.
Major discussion point
Resilience and System Complexity
Topics
Cybersecurity | Infrastructure | Legal and regulatory
AI systems may not provide meaningful explanations for their decisions, challenging traditional responsibility models
Explanation
The speaker highlights how deep learning systems can make decisions that cannot be meaningfully explained, which undermines traditional models of accountability. When devices using AI begin to influence human decision-making, it becomes difficult to assign responsibility in the traditional sense.
Major discussion point
Resilience and System Complexity
Topics
Legal and regulatory | Human rights principles | Liability of intermediaries
Quantum computing can be part of the solution for understanding system complexity and detecting attacks
Explanation
The speaker presents a more optimistic view of quantum computing, arguing that while it can break existing encryption, it can also be used defensively to understand and attack malicious actors. Quantum computing can help analyze complex system behaviors and distinguish between attacks and accidents.
Major discussion point
Resilience and System Complexity
Topics
Cybersecurity | Infrastructure | Encryption
Disagreed with
– Elif Kiesow Cortez
Disagreed on
Quantum computing as threat versus solution
IoT ecosystem requires global solutions due to technology’s global nature versus local regulations
Explanation
The speaker emphasizes that IoT technology, manufacturing, and usage are inherently global, while laws, regulations, and social structures remain local. This creates challenges that require cross-border approaches including mutual recognition frameworks and international cooperation.
Evidence
Referenced mutual recognition frameworks in modern free trade agreements for device market access
Major discussion point
Certification and Labeling Systems
Topics
Legal and regulatory | Infrastructure | Digital standards
Mutual recognition frameworks enable devices to meet standards across different jurisdictions
Explanation
The speaker advocates for mutual recognition arrangements that allow devices certified in one jurisdiction to be accepted in others. These frameworks facilitate international cooperation and help address the global nature of IoT technology while respecting local regulatory differences.
Major discussion point
Certification and Labeling Systems
Topics
Legal and regulatory | Digital standards | Infrastructure
Standards must address non-personal proprietary information protection beyond traditional privacy concerns
Explanation
The speaker argues that data protection frameworks like GDPR, which focus on personal identifiable information, need expansion to cover non-personal but proprietary information. This broader understanding of data protection is essential as AI systems process diverse types of information that may not identify individuals but still require protection.
Major discussion point
Certification and Labeling Systems
Topics
Privacy and data protection | Legal and regulatory | Intellectual property rights
Permissive schemes allowing equivalent performance can encourage innovation while maintaining standards
Explanation
The speaker suggests that procurement rules should allow for innovation by accepting equivalent performance rather than rigid adherence to specific standards. This approach can resolve intractable problems while maintaining security requirements and encouraging technological advancement.
Evidence
Example of procurement rules stating ‘comply with this standard or demonstrate equivalent performance’
Major discussion point
Certification and Labeling Systems
Topics
Legal and regulatory | Development | Digital standards
Liz Orembo
Speech speed
124 words per minute
Speech length
1020 words
Speech time
492 seconds
Government procurement determines market standards as governments are major technology buyers
Explanation
The speaker argues that governments play a crucial role in determining technology security standards through their purchasing power and regulatory authority. As major buyers of technology, governments can influence what products are developed and what security features become standard in the market.
Evidence
Government roles in policy-making, technology use, border control of technologies, consumer protection, and approval of products used by citizens
Major discussion point
Procurement Policies and Standards Implementation
Topics
Legal and regulatory | Economic | Consumer protection
Agreed with
– Wout de Natris van der Borght
– Jutta Croll
Agreed on
Government procurement policies can drive market adoption of security standards
Many governments don’t utilize existing security standards despite significant development efforts
Explanation
The speaker identifies a critical gap between the extensive effort put into developing international security standards and their actual implementation by governments. This underutilization represents a significant waste of resources and missed opportunities for improving cybersecurity.
Evidence
Noted that standards bodies like IEEE put long efforts and consensus-building into developing standards, but many governments and institutions don’t use them
Major discussion point
Procurement Policies and Standards Implementation
Topics
Legal and regulatory | Digital standards | Capacity development
Successful examples like Taiwan, Netherlands, and US NIST show effective standards integration in procurement
Explanation
The speaker provides positive examples of governments that have successfully incorporated international security standards into their procurement processes. These cases demonstrate that effective implementation is possible and can serve as models for other countries.
Evidence
Taiwan, Netherlands, Italy, and US NIST have borrowed from IEEE standards to ensure procurement aligns with global security standards
Major discussion point
Procurement Policies and Standards Implementation
Topics
Legal and regulatory | Digital standards | Consumer protection
African Union and African countries show limited mention of IEEE cybersecurity standards in procurement documents
Explanation
The speaker highlights regional disparities in standards adoption, noting that African Union and individual African countries have minimal reference to established cybersecurity standards in their procurement documentation. This contrasts with more developed regions and represents a significant security gap.
Evidence
Research showed African Union lacks IT procurement standards like EU or US, with focus mainly on interoperability rather than security standards
Major discussion point
Procurement Policies and Standards Implementation
Topics
Legal and regulatory | Digital standards | Capacity development
Audience
Speech speed
154 words per minute
Speech length
345 words
Speech time
133 seconds
Domain name leakage in HTTPS connections becomes more threatening with AI’s ability to build detailed user profiles
Explanation
The audience member explains that while HTTPS encrypts web traffic, domain names still leak in plain text through DNS queries and connection establishment. With AI’s capability to analyze this data, attackers can now build comprehensive profiles revealing personal information like employment, location, habits, and beliefs from domain name patterns alone.
Evidence
Conducted an experiment capturing domain names and using an LLM to build a personal profile; mentioned domain names can reveal employer, location, habits, sexual preferences, gender, associations, religious beliefs
Major discussion point
AI Governance and Development Practices
Topics
Privacy and data protection | Cybersecurity | Encryption
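An added audit example, not from the session or any of its speakers, that makes the leak described above concrete: it parses a TLS ClientHello and reports what a passive on-path observer can read, namely the plaintext server_name (SNI) and whether an Encrypted Client Hello extension is present (in which case the visible name is only the ECH public name and the real destination is encrypted). The ClientHello bytes are constructed inline rather than captured; the ECH extension codepoint 0xfe0d is the one used by draft-ietf-tls-esni.

```python
"""Report what a passive observer learns from a TLS ClientHello.

Even with HTTPS, the first packet of a connection carries the destination
host name in the clear unless Encrypted Client Hello (ECH) is in use.
"""
import struct

SNI_EXT = 0x0000   # server_name extension (RFC 6066)
ECH_EXT = 0xFE0D   # encrypted_client_hello codepoint from draft-ietf-tls-esni


def parse_client_hello(record: bytes) -> dict:
    """Parse one TLS handshake record holding a ClientHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if body[0] != 0x01:                       # HandshakeType.client_hello
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    ch = body[4:4 + hs_len]
    pos = 2 + 32                              # legacy_version + random
    pos += 1 + ch[pos]                        # legacy_session_id
    pos += 2 + struct.unpack("!H", ch[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + ch[pos]                        # legacy_compression_methods
    result = {"sni": None, "ech": False, "extensions": []}
    if pos >= len(ch):
        return result                         # no extensions at all
    ext_total = struct.unpack("!H", ch[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", ch[pos:pos + 4])
        pos += 4
        data = ch[pos:pos + ext_len]
        pos += ext_len
        result["extensions"].append(ext_type)
        if ext_type == SNI_EXT:
            # ServerNameList: list_len(2) name_type(1) name_len(2) host_name
            name_len = struct.unpack("!H", data[3:5])[0]
            result["sni"] = data[5:5 + name_len].decode("ascii")
        elif ext_type == ECH_EXT:
            result["ech"] = True
    return result


def build_client_hello(sni: str, with_ech: bool = False) -> bytes:
    """Build a minimal ClientHello (constructed sample, not a real capture)."""
    name = sni.encode("ascii")
    server_name = b"\x00" + struct.pack("!H", len(name)) + name
    sni_list = struct.pack("!H", len(server_name)) + server_name
    exts = struct.pack("!HH", SNI_EXT, len(sni_list)) + sni_list
    if with_ech:
        ech_payload = b"\x00" * 16            # opaque placeholder ECH payload
        exts += struct.pack("!HH", ECH_EXT, len(ech_payload)) + ech_payload
    ch = b"\x03\x03" + b"\x11" * 32 + b"\x00"  # version, random, empty session id
    ch += struct.pack("!H", 2) + b"\x13\x01"   # one cipher suite (TLS_AES_128_GCM_SHA256)
    ch += b"\x01\x00"                          # compression methods: null only
    ch += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(ch).to_bytes(3, "big") + ch
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def observer_view(record: bytes) -> str:
    """One-line verdict on what the network path learns from this ClientHello."""
    info = parse_client_hello(record)
    if info["ech"]:
        return f"plaintext SNI '{info['sni']}' is only the ECH public name; real destination is encrypted"
    return f"plaintext SNI '{info['sni']}' reveals the destination to anyone on the path"


if __name__ == "__main__":
    print(observer_view(build_client_hello("clinic-portal.example")))
    print(observer_view(build_client_hello("public-name.example", with_ech=True)))
```

The same check can be pointed at real captures by feeding the first TLS record of each flow to parse_client_hello; the DNS query that precedes the connection leaks the same name unless the resolver path is encrypted.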
Agreements
Agreement points
Security by design must be embedded from the beginning of development
Speakers
– Wout de Natris van der Borght
– Matthias Hudobnik
– Jutta Croll
Arguments
IoT devices remain vulnerable due to low security standards deployment and market prioritization over security
Digital literacy and capacity building are essential for users to understand and cope with security risks
Safety by design must consider all types of users from the beginning, not just those with special needs
Summary
All speakers agree that security and safety measures must be built into systems from the initial design phase rather than added as afterthoughts, with consideration for diverse user needs and proper standards implementation.
Topics
Cybersecurity | Development | Human rights principles
Government procurement policies can drive market adoption of security standards
Speakers
– Wout de Natris van der Borght
– Jutta Croll
– Liz Orembo
Arguments
Economic buying power through procurement can force market adoption of security standards
Section 508 accessibility requirements demonstrate how government standards can drive market change
Government procurement determines market standards as governments are major technology buyers
Summary
Speakers consistently argue that governments have significant power to influence market behavior through their procurement policies, with historical examples demonstrating successful implementation of standards through purchasing requirements.
Topics
Legal and regulatory | Economic | Consumer protection
Post-quantum cryptography migration requires immediate action despite long timelines
Speakers
– Joao Falcao Moreno
– Elif Kiesow Cortez
– Matthias Hudobnik
Arguments
IETF is developing TLS 1.3 to bridge classical and post-quantum cryptography for lightweight IoT devices
PQC migration requires immediate action despite decade-long timelines due to implementation complexity
Internet security depends on foundational infrastructure like DNS, requiring DNSSEC, RPKI, and DANE for protection
Summary
All speakers emphasize the urgency of preparing for quantum computing threats through immediate implementation of post-quantum cryptography solutions, recognizing the complexity and time required for complete system migration.
Topics
Cybersecurity | Encryption | Infrastructure
User-centric approach is essential for effective security implementation
Speakers
– Jutta Croll
– Matthias Hudobnik
– Joao Falcao Moreno
Arguments
Threats to devices and services are fundamentally threats to the people using them
Digital literacy and capacity building are essential for users to understand and cope with security risks
User-centric development approach considering diverse user needs is essential for secure AI implementation
Summary
Speakers agree that security measures must prioritize human users and their diverse needs, requiring education, capacity building, and inclusive design approaches that consider the human impact of technical vulnerabilities.
Topics
Human rights principles | Cybersecurity | Rights of persons with disabilities
Similar viewpoints
Both speakers recognize that traditional data protection frameworks focused on personal information are insufficient for the AI era and need expansion to cover broader categories of data and more complex governance challenges.
Speakers
– Matthias Hudobnik
– Jonathan Cave
Arguments
AI systems aggregating personal data from IoT devices require expanded data governance frameworks
Standards must address non-personal proprietary information protection beyond traditional privacy concerns
Topics
Privacy and data protection | Legal and regulatory | Human rights principles
Both speakers identify significant gaps between the development of security standards and their actual implementation, emphasizing the need for capacity building and better utilization of existing frameworks.
Speakers
– Liz Orembo
– Matthias Hudobnik
Arguments
Many governments don’t utilize existing security standards despite significant development efforts
Digital literacy and capacity building are essential for users to understand and cope with security risks
Topics
Legal and regulatory | Digital standards | Capacity development
Both speakers acknowledge that AI systems create fundamental changes in how we approach governance and oversight, requiring new frameworks that go beyond traditional human-centered responsibility models.
Speakers
– Jonathan Cave
– Matthias Hudobnik
Arguments
AI and machine learning create qualitative changes that may exceed human oversight capabilities
AI governance requires multiple layers: organizational, legal, risk taxonomy, operational processes, and technical infrastructure
Topics
Legal and regulatory | Human rights principles | Development
Unexpected consensus
Quantum computing as both threat and solution
Speakers
– Jonathan Cave
– Elif Kiesow Cortez
– Matthias Hudobnik
Arguments
Quantum computing can be part of the solution for understanding system complexity and detecting attacks
Quantum computing poses significant threats to current internet security through cryptographically relevant quantum computers
Internet security depends on foundational infrastructure like DNS, requiring DNSSEC, RPKI, and DANE for protection
Explanation
While most discussion focused on quantum computing as a threat requiring defensive measures, there was unexpected consensus that quantum computing could also be used defensively to understand complex systems and detect malicious activities, showing a more nuanced view of the technology’s dual nature.
Topics
Cybersecurity | Infrastructure | Encryption
Need for intermediaries in security decision-making
Speakers
– Jutta Croll
– Jonathan Cave
Arguments
Intermediaries are needed to help elderly people and children understand certification and labeling for device decisions
AI systems may not provide meaningful explanations for their decisions, challenging traditional responsibility models
Explanation
Both speakers, from different perspectives, converged on the idea that direct user responsibility for security decisions may be insufficient, requiring intermediary support – whether for vulnerable populations or in complex AI systems where traditional accountability models break down.
Topics
Human rights principles | Legal and regulatory | Rights of persons with disabilities
Overall assessment
Summary
The speakers demonstrated strong consensus on fundamental principles including the need for security by design, government leadership through procurement policies, urgent action on post-quantum cryptography, and user-centric approaches to security implementation.
Consensus level
High level of consensus with complementary expertise – speakers approached the same core issues from different angles (technical, policy, user advocacy) but arrived at similar conclusions about the need for immediate, comprehensive action on IoT security challenges. This convergence suggests a robust foundation for coordinated policy and technical responses.
Differences
Different viewpoints
Quantum computing as threat versus solution
Speakers
– Elif Kiesow Cortez
– Jonathan Cave
Arguments
Quantum computing poses significant threats to current internet security through cryptographically relevant quantum computers
Quantum computing can be part of the solution for understanding system complexity and detecting attacks
Summary
Elif focuses on quantum computing as a major security threat requiring urgent migration to post-quantum cryptography, while Jonathan presents a more balanced view seeing quantum computing as both a challenge and a defensive tool that can help analyze complex systems and detect attacks.
Topics
Cybersecurity | Encryption | Infrastructure
Approach to AI governance – technical versus human-centered
Speakers
– Matthias Hudobnik
– Jutta Croll
Arguments
AI governance requires multiple layers: organizational, legal, risk taxonomy, operational processes, and technical infrastructure
User-centric development approach considering diverse user needs is essential for secure AI implementation
Summary
Matthias advocates for a comprehensive technical and organizational framework for AI governance with multiple structured layers, while Jutta emphasizes a user-centric approach that prioritizes diverse user needs and human considerations from the beginning of development.
Topics
Legal and regulatory | Development | Human rights principles
Unexpected differences
Scope of data protection beyond personal information
Speakers
– Jonathan Cave
– Matthias Hudobnik
Arguments
Standards must address non-personal proprietary information protection beyond traditional privacy concerns
AI systems aggregating personal data from IoT devices require expanded data governance frameworks
Explanation
While both recognize the need to expand data protection frameworks, Jonathan argues for protecting non-personal proprietary information, while Matthias focuses on personal data aggregation from IoT devices. This represents an unexpected divergence in what types of data should be prioritized for protection.
Topics
Privacy and data protection | Legal and regulatory | Intellectual property rights
Overall assessment
Summary
The discussion showed remarkable consensus on the fundamental challenges facing IoT security, with most disagreements being about emphasis and approach rather than core principles. The main areas of disagreement centered on quantum computing’s role (threat vs. solution), AI governance approaches (technical vs. human-centered), and the scope of data protection frameworks.
Disagreement level
Low to moderate disagreement level. The speakers largely agreed on the problems and general solutions but differed in their emphasis and specific approaches. This suggests a mature field where experts recognize common challenges but bring different perspectives based on their expertise areas. The disagreements are constructive and complementary rather than fundamental, indicating potential for integrated solutions that combine different approaches.
Partial agreements
Takeaways
Key takeaways
IoT security remains fundamentally unchanged over 20+ years, with devices still entering markets without security by design and commercial interests taking precedence over user security
Threats to devices and services are ultimately threats to the humans using them, requiring a user-centric approach to security design
Post-quantum cryptography migration is urgent due to ‘harvest now, decrypt later’ attacks, with US setting 2035 as target for federal system migration requiring immediate action
Government procurement policies have significant power to drive market adoption of security standards through economic buying power
AI governance requires multi-layered approaches covering organizational, legal, operational, and technical infrastructure aspects
Current internet security depends on foundational infrastructure like DNS requiring DNSSEC, RPKI, and DANE protection
Many existing security standards remain underutilized despite significant development efforts, particularly in developing countries
Quantum computing presents both threats to current encryption and potential solutions for understanding system complexity
Resolutions and action items
Launch of the ‘Sociopolitical and Technical Impacts of IoT and PQC Policies’ report scheduled for June 27th at 9 a.m.
Recommendation to create cryptographic inventories as first step in post-quantum cryptography migration
Call for global standards development focusing on interoperability to avoid leaving organizations, countries, or people behind
Need for capacity building and digital literacy programs to help users understand security risks and certification systems
Proposal for mutual recognition frameworks between countries and different spheres (hardware, software, services)
Recommendation to embed security testing into the development process for IoT systems
Call for implementation mechanisms and campaigns to support standards adoption by governments
Unresolved issues
How to effectively incentivize adoption of existing security standards like encrypted DNS and Encrypted Client Hello
How to ensure AI tools used by developers understand and implement security and safety from the ground up
How to address the complexity gap where human oversight may no longer be adequate for AI-driven systems
How to balance innovation with security requirements in rapidly evolving IoT ecosystems
How to address capacity and financial constraints preventing governments from implementing security standards
How to handle the governance of non-personal proprietary information beyond traditional privacy frameworks
How to manage the transition period where multiple generations of devices with varying security capabilities coexist
Suggested compromises
Hybrid solutions for post-quantum cryptography migration to bridge classical and quantum-resistant encryption
Permissive procurement schemes allowing ‘equivalent performance’ demonstrations to encourage innovation while maintaining standards
‘Comply or explain’ frameworks that provide flexibility while maintaining accountability
Use of intermediaries to help vulnerable groups (elderly, children) understand certification and labeling systems
Development of mutual recognition arrangements not just between countries but between different technical spheres
Treating AI as a tool rather than a teacher in development processes while maintaining proper security testing protocols
Thought provoking comments
The car analogy: ‘Imagine that you’re buying a new car and that car is at the top of the mountain. And you get into the car and you slowly start to descend because the top is not that steep. But all of a sudden, next to you, waving to you, would you like brake lights? Would you like a steering wheel? Would you like to have brakes? And the car goes ever faster and faster and they’re waving more furiously to you and the first hairpin is approaching.’
Speaker
Wout de Natris van der Borght
Reason
This vivid analogy effectively captures the fundamental problem with current IoT security – that essential security features are treated as optional add-ons rather than built-in necessities. It illustrates how users are put in dangerous situations where they must retrofit security after deployment, when it’s often too late.
Impact
This analogy set the conceptual framework for the entire discussion, establishing the core problem that all subsequent speakers would address. It shifted the conversation from technical details to the human experience of insecurity, making the abstract concept of ‘security by design’ tangible and urgent.
Introduction of ‘harvest now, decrypt later’ threat: ‘It means the possibility of breaking the current encryption would also mean that, in theory, malicious actors might be recording today’s encrypted communications for days or months or longer with the aim to decrypt them once they can utilise a cryptographically relevant quantum computer.’
Speaker
Elif Kiesow Cortez
Reason
This concept fundamentally challenges the traditional understanding of data security by revealing that today’s ‘secure’ communications are potentially vulnerable retroactively. It introduces a temporal dimension to cybersecurity that most people haven’t considered – that current actions have future security implications.
Impact
This comment elevated the urgency of the quantum computing discussion from a future theoretical problem to a present-day threat. It reframed the timeline for action, suggesting that the quantum threat is already affecting current security decisions, not just future ones.
The human-centered security perspective: ‘threats to devices and services are always threats to the people who are using these devices and services… What would that mean, for example, for people living in rural areas that rely on health services that are IoT-driven? Or what would that mean to children who are educated remotely?’
Speaker
Jutta Croll
Reason
This comment shifted the focus from technical vulnerabilities to human vulnerabilities, highlighting how security failures disproportionately affect already marginalized groups. It introduced equity and social justice dimensions to what could have remained a purely technical discussion.
Impact
This perspective broadened the conversation beyond technical solutions to include social responsibility and user-centered design. It influenced subsequent speakers to consider the human impact of their technical recommendations and added depth to discussions about procurement and certification.
The AI governance complexity observation: ‘When devices were stupid devices and merely did what they were told, you could hold individuals responsible for them… But when the devices make use of things like deep learning, it may not be possible to make meaningful explanations of what they have done, and it may be that the recommendations from these devices begin to supplant or change human decision-making.’
Speaker
Jonathan Cave
Reason
This insight reveals a fundamental shift in the nature of responsibility and accountability in IoT systems. It challenges traditional notions of human oversight and control, suggesting that AI integration creates new categories of risk that existing governance frameworks cannot address.
Impact
This comment introduced a philosophical dimension to the technical discussion, forcing participants to grapple with questions of agency, responsibility, and the limits of human control in increasingly autonomous systems. It connected the IoT security discussion to broader questions about AI governance and human-machine interaction.
The procurement power insight: ‘not many governments use these procurement standards, which take a lot of effort to develop. It could also be because of capacity or also because of even finance itself… there should be an effort to make sure that even as standards bodies develop these standards, they should also come up with implementation mechanisms’
Speaker
Liz Orembo
Reason
This comment identified a critical gap between standards development and implementation, revealing that the problem isn’t lack of standards but lack of adoption mechanisms. It highlighted the disconnect between technical communities creating standards and practical communities needing to implement them.
Impact
This observation shifted the discussion from ‘what standards do we need?’ to ‘how do we ensure standards are actually used?’ It influenced the conversation toward practical implementation challenges and the need for capacity building, particularly in developing countries.
The domain name privacy threat with AI: ‘when you access a site using HTTPS, the domain name still leaks in plain text… with AI, this changes and it becomes a real threat. Because the domain name reveals a lot about you… I actually ran an experiment where I captured my domain names, ran them through an LLM, and built a profile about me.’
Speaker
Vinicius Fortuna
Reason
This comment revealed how AI transforms previously minor privacy leaks into major surveillance threats. It demonstrated through personal experimentation how existing ‘acceptable’ privacy gaps become unacceptable when combined with AI’s analytical capabilities.
Impact
This real-world example brought abstract AI privacy concerns into sharp focus, showing how the convergence of existing vulnerabilities with new AI capabilities creates emergent threats that weren’t anticipated in original system designs. It reinforced the session’s theme about learning security lessons ‘the hard way.’
Overall assessment
These key comments collectively transformed what could have been a routine technical discussion into a multidimensional exploration of cybersecurity’s human, social, and philosophical implications. The car analogy established an accessible framework for understanding security-by-design failures, while the ‘harvest now, decrypt later’ concept created urgency around quantum threats. The human-centered perspective ensured that technical solutions remained grounded in real-world impacts on vulnerable populations. The AI governance insights introduced questions about the fundamental nature of responsibility in autonomous systems, while the procurement implementation gap highlighted the disconnect between standards development and real-world adoption. Finally, the domain name privacy example demonstrated how AI transforms the threat landscape in unexpected ways. Together, these comments elevated the discussion from technical problem-solving to a comprehensive examination of how society can build trustworthy digital infrastructure that serves human needs while anticipating future challenges.
Follow-up questions
How do we make sure that when developers and engineers use AI tools to ship products faster, these AI systems understand how to implement security and safety from the ground up?
Speaker
Rehansh (Dynamic Coalition on Gaming for Purpose)
Explanation
This addresses the critical gap between rapid AI-assisted development and maintaining security standards, which is essential as development cycles accelerate with AI tools
How can we incentivize adoption of encrypted DNS and Encrypted Client Hello protocols to prevent AI-powered profiling through domain name analysis?
Speaker
Vinicius Fortuna (Google Jigsaw)
Explanation
With AI making it easier to build detailed user profiles from leaked domain names in HTTPS connections, closing this privacy gap becomes increasingly urgent
How do we bring certification and labeling information to users themselves to make competent decisions regarding services and devices they use?
Speaker
Jutta Croll
Explanation
While standards exist, there’s a gap in helping users, especially vulnerable groups like elderly and children, understand and utilize certification information effectively
Why are security standards that have existed for more than 20 years still not being deployed at 50% or higher rates in some countries?
Speaker
Wout de Natris van der Borght
Explanation
Understanding the barriers to standard adoption is crucial for improving global cybersecurity posture and protecting users
How can we create global standards that ensure interoperability while not leaving any organizations, countries, or people behind in the movement toward better internet security?
Speaker
Elif Kiesow Cortez
Explanation
As post-quantum cryptography migration becomes urgent, ensuring equitable global transition is essential for maintaining internet security worldwide
How do we balance the benefits of AI aggregating personal data from IoT devices with the privacy risks this creates?
Speaker
Jutta Croll
Explanation
This addresses the fundamental tension between AI-enabled improvements in services like healthcare and education versus user privacy protection
How can mutual recognition frameworks be developed not just between countries but between different spheres (hardware, software, service provision, civil society, and business)?
Speaker
Jonathan Cave
Explanation
Cross-sector cooperation is needed to address the global nature of IoT security challenges that transcend traditional regulatory boundaries
Disclaimer: This is not an official session record. DiploAI generates these resources from audiovisual recordings, and they are presented as-is, including potential errors. Due to logistical challenges, such as discrepancies in audio/video or transcripts, names may be misspelled. We strive for accuracy to the best of our ability.