Launch / Award Event #169 Report Launch: Quantum encryption: blessing or havoc?

27 Jun 2025 09:00h - 09:45h

Session at a glance

Summary

This discussion focused on the urgent need to prepare Internet of Things (IoT) devices for the post-quantum cryptography era, presented by the Internet Standards, Security and Safety Coalition (IS3C) and AFNIC at the Internet Governance Forum. The speakers emphasized that quantum computing poses an imminent threat to current cryptographic systems, with the potential for “harvest now, decrypt later” attacks where encrypted data collected today could be decrypted once quantum computers become capable enough to break existing encryption methods.


The presentation highlighted that IoT devices face particular vulnerabilities due to their resource-constrained nature, fragmented protocols, and low user awareness regarding security updates. Historical examples like the 2015 Jeep Cherokee hack and the Mirai botnet demonstrated how IoT vulnerabilities can cause real physical harm and create global security threats. The speakers noted that government agencies in the US and EU have set 2035 as the target date for complete transition to quantum-resistant cryptography, with migration planning required to begin by 2026.


AFNIC’s involvement stems from their role in domain name registry services and their 15 years of experience working with IoT identification and security through the Domain Name System. The coalition’s report provides strategic recommendations at national, organizational, and global levels, emphasizing the need for secure-by-design principles, harmonized global labeling and certification systems, investment in lightweight post-quantum solutions, and comprehensive training programs.


The discussion concluded with calls for immediate action, drawing parallels to the Y2K millennium bug preparation, and proposed using future IGF meetings to coordinate global stakeholder efforts in developing unified action plans for the quantum transition.


Keypoints

## Major Discussion Points:


– **Post-Quantum Cryptography Urgency**: The discussion emphasized that quantum computing poses an imminent threat to current cryptographic systems, with governments setting 2035 deadlines for full migration to quantum-resistant encryption. The “Harvest Now, Decrypt Later” attack scenario was highlighted as a current risk where encrypted data can be collected today and decrypted once quantum computers become available.


– **IoT Vulnerabilities in the Post-Quantum Era**: IoT devices present unique challenges due to their resource constraints, fragmented protocols, and low user awareness. The speakers discussed how these devices are particularly vulnerable to quantum threats, citing examples like the Jeep Cherokee hack and Mirai botnet attacks that demonstrate real-world consequences.


– **Multi-Stakeholder Coordination and Standards**: The need for coordinated global action was emphasized, drawing parallels to successful internet governance models. The discussion covered various policy frameworks including NIST guidelines, EU Cyber Resilience Act, and the importance of harmonized international standards for PQC migration.


– **Implementation Challenges and Solutions**: Practical concerns were addressed including the complexity of transitioning existing infrastructure, the need for lightweight quantum-resistant algorithms for resource-constrained devices, and the importance of starting migration planning immediately rather than waiting for the technology to mature.


– **Public Awareness and Labeling Systems**: The conversation explored how to educate end-users about quantum security risks through certification and labeling systems, similar to safety ratings for cars, while balancing awareness-raising with avoiding unnecessary public alarm.


## Overall Purpose:


The discussion aimed to present findings from a comprehensive report on IoT security in the post-quantum era, emphasizing the urgent need for coordinated global action to prepare for quantum computing threats. The session sought to raise awareness among stakeholders and promote immediate planning for the transition to post-quantum cryptography.


## Overall Tone:


The tone was professional and urgent throughout, with speakers consistently emphasizing the immediacy of the threat despite 2035 deadlines. The discussion maintained a collaborative atmosphere focused on practical solutions and multi-stakeholder cooperation. While technical in nature, the speakers made efforts to make complex concepts accessible to a diverse audience, and the tone remained constructive and action-oriented rather than alarmist.


Speakers

– **Wout de Natris – van der Borght**: Coordinator of the Internet Standards, Security and Safety (IS3C) dynamic coalition at the IGF


– **Benoit Ampeau**: Director of Partnerships on Innovation at AFNIC (French Internet Registry)


– **Sandoche Balakrichenan**: Head of R&D Partnerships at AFNIC


– **Joao Moreno Falcao**: [Role/title not specified – appears to be involved with IS3C coalition and IoT security research]

– **Elif Kiesow Cortez**: [Role/title not specified – appears to be co-author of the post-quantum cryptography report]

– **Ernst E.A. Noorman**: Cyber Ambassador for the Netherlands


– **Nicolas Caballero**: GAC Chair at ICANN


– **Lucien Castex**: [Role/title not specified – appears to be providing session synopsis/reporting]

– **Participant**: [Multiple unidentified participants – one identified as Maike Sippinen, another as Yuri Bokovoy from the Finnish Greens Party]

**Additional speakers:**


– **Maike Sippinen**: [Role/title not specified]

– **Yuri Bokovoy**: Representative from the Finnish Greens Party


Full session report

# Post-Quantum Cryptography and IoT Security: Preparing for the Quantum Era


## Discussion Report from the Internet Governance Forum


### Executive Summary


The Internet Standards, Security and Safety Coalition (IS3C) and AFNIC presented a discussion on preparing Internet of Things (IoT) devices for the post-quantum cryptography era at the Internet Governance Forum. The session, coordinated by Wout de Natris – van der Borght and featuring experts from AFNIC, cybersecurity professionals, and policy representatives, emphasized the urgent threat quantum computing poses to current cryptographic systems. Speakers highlighted that while government agencies have set 2035 as the target date for complete transition to quantum-resistant cryptography, the threat is immediate due to “harvest now, decrypt later” attacks where encrypted data collected today could be decrypted once quantum computers become sufficiently capable.


The discussion revealed significant challenges in securing IoT devices for the post-quantum era, including resource constraints, fragmented protocols, and the need for coordinated multi-stakeholder action. A critical gap was identified in government participation, with zero current government involvement in the initiative despite the need for policy coordination.


### Opening Context and Problem Framework


Wout de Natris – van der Borght, Coordinator of the IS3C dynamic coalition, opened with an analogy describing cybersecurity implementation as “buying a car on the top of a mountain where the salesman gives you the keys and says just drive down,” with security features like brake lights, seat belts, and brakes being offered as afterthoughts at increasingly dangerous bends rather than being built into the vehicle from the start. This metaphor illustrated the reactive nature of cybersecurity implementation and positioned post-quantum cryptography as an opportunity to implement security-by-design principles.


The IS3C coalition presented their fourth report focusing on post-quantum cryptography and IoT security, representing a collaborative effort between technical experts and industry representatives to address what they characterized as an imminent threat to digital security infrastructure.


### The Quantum Threat: Present Danger


Benoit Ampeau, Director of Partnerships on Innovation at AFNIC, established that quantum computing poses a substantial threat to current cryptographic systems. Elif Kiesow Cortez explained the “Harvest Now, Decrypt Later” attack scenario, where “highly sensitive data such as government communications are currently encrypted, but this encrypted data can be recorded right now, and those recordings can be decrypted once malicious actors are able to utilise a cryptographically relevant quantum computer.”


The urgency is reinforced by concrete policy deadlines. The National Institute of Standards and Technology (NIST) has set 2035 as the deadline for all federal systems to migrate to quantum-resistant cryptography, while the European Union requires transition planning to begin by 2026. These timelines, combined with historical precedents showing that previous technological transitions took over 10 years to implement, underscore the compressed timeframe available.


### IoT Vulnerabilities in the Post-Quantum Era


João Moreno Falcão identified several critical factors making IoT devices particularly challenging to secure in the post-quantum era:


**Resource Constraints and Fragmented Protocols**: IoT devices are inherently resource-constrained with fragmented protocols, making post-quantum cryptography implementation technically challenging. Devices often use different communication protocols, creating a fragmented ecosystem that complicates unified security approaches.


**Low User Awareness and “Set-and-Forget” Design**: IoT devices are typically designed to be automated and forgotten, creating “inertia in patching” where users are unaware of security updates or ongoing maintenance needs.


**Real-World Physical Consequences**: Falcão cited specific examples including the 2015 Jeep Cherokee hack demonstrating how attackers could remotely control vehicle systems, a 2024 Kia incident, and St. Jude cardiac implants that could be discharged remotely. The Mirai botnet, created as a proof of concept by college students in 2016, has spawned over 30 active variants, demonstrating the global scale and persistence of IoT-based threats.


**Smart City and Infrastructure Vulnerabilities**: Smart cities with embedded IoT devices throughout transportation and infrastructure systems create society-wide vulnerabilities, where seemingly insignificant IoT devices can become entry points for attacks on critical infrastructure.


### DNS Registry Role and Infrastructure Challenges


Sandoche Balakrichenan, Head of R&D Partnerships at AFNIC, provided perspective on DNS registries’ role in IoT security. AFNIC’s involvement stems from their 15+ years of experience working with IoT identification and security through the Domain Name System.


Balakrichenan posed a fundamental question: “The multi-stakeholder system that has been working quite effectively in the Internet for the last 40 years, can it be applied in the IoT?” This recognizes that technical solutions alone are insufficient and governance structures matter significantly for implementation success.


From a technical perspective, DNS registries face challenges with larger cryptographic key sizes and increased energy consumption in post-quantum systems. Despite these challenges, DNS registries must transition to PQC-ready infrastructure to maintain trustworthy domain name resolution for IoT devices by the 2035 deadline.


### Policy and Regulatory Landscape


Ernst E.A. Noorman, Cyber Ambassador for the Netherlands, provided insight into current regulatory frameworks:


**European Union Leadership**: The EU Cyber Resilience Act mandates security-by-design approaches including in IoT devices. Noorman argued this act “should become world standard copied by countries outside EU to ensure global cyber resilience.”


**National Implementation**: Several countries including France, Germany, and the Netherlands have launched post-quantum cryptography migration guidelines, though with variations in approach and timeline.


**Labelling and Certification**: Some countries are developing cyber score labels on products to provide end-users with security information, creating market incentives for better security while helping consumers make informed choices.


**Critical Gap**: Nicolas Caballero, GAC Chair at ICANN, revealed “currently zero government participation in the initiative, but they need to be brought in as fast as possible.”


### Strategic Recommendations


The discussion produced several strategic recommendations:


**Mandatory Security-by-Design**: Moving beyond voluntary security measures to mandatory secured-by-design approaches, representing a fundamental shift from current paradigms where security features are afterthoughts.


**Harmonised Global Standards**: Need for harmonised global labelling and certification systems providing consistent security information while creating market incentives for quantum-resistant security measures.


**Investment in Lightweight Solutions**: Targeted investment in lightweight post-quantum solutions specifically designed for resource-constrained environments.


**Supply Chain Engagement**: Organizations should begin with cryptographic asset inventory for their IoT systems and engage supply chains in post-quantum cryptography migration.


### Awareness and Education Challenges


Maike Sippinen raised the challenge of “how to balance raising citizen awareness about quantum threats without causing unnecessary worry while making complex topics accessible.” This reflects the difficulty of communicating highly technical security concepts to diverse audiences.


Ernst Noorman noted that “large organisations like intelligence agencies and companies like ASML are already aware and implementing solutions, but smaller companies may lag behind,” creating a two-tier system where sophisticated actors are prepared while smaller entities remain vulnerable.


The challenge is amplified by IoT devices being designed as transparent to users, conflicting with the need to educate users about quantum threats and security updates.


### Implementation Challenges


Several critical challenges remain unresolved:


**Technical Implementation**: The fundamental challenge of implementing post-quantum cryptography on resource-constrained IoT devices with fragmented protocols lacks clear technical solutions.


**Global Coordination**: Specific mechanisms for ensuring developing nations are not left behind in the transition remain unclear.


**Critical Infrastructure Funding**: Yuri Bokovoy from the Finnish Greens Party raised concerns about critical public infrastructure facing significant risk due to austerity measures and current constraints.


### Future Coordination and Action Plans


The discussion concluded with concrete proposals:


**IGF 2026 Coordination**: Wout de Natris – van der Borght proposed using IGF 2026 as a forum to bring together stakeholders for coordinated post-quantum transition planning.


**Stakeholder Action Plan**: Developing a comprehensive action plan bringing important stakeholders together to agree on quantum cryptography standards and coordinated global response.


**Immediate Steps**: Organizations were encouraged to begin cryptographic asset inventory and supply chain engagement while broader coordination develops.


### Conclusion


The discussion concluded with a call for immediate action, with Wout de Natris – van der Borght drawing parallels to the millennium bug, emphasizing the compressed timeline available for post-quantum migration. The speakers positioned the current moment as critical, representing “a chance to do it differently” by moving beyond reactive security implementation to proactive, coordinated global action.


However, this opportunity requires immediate engagement from currently absent stakeholders, particularly government representatives, and coordinated action across the fragmented IoT ecosystem. Success will depend not only on technical innovation but on the effectiveness of multi-stakeholder governance mechanisms and coordinated global security initiatives.


Session transcript

Wout de Natris – van der Borght: Good morning and welcome to our session on securing IoT for the post-quantum era. Is that our session? Yes, the domain name registry perspective. My name is Wout de Natris – van der Borght and I’m the coordinator of a dynamic coalition here at the IGF called Internet Standards, Security and Safety. And with me are people from the coalition and from AFNIC. And together we’ll be presenting the report that we’re putting out here at the IGF. But first a very short word about what IS3C dynamic coalition is. We have one overarching goal and that goal is to have long-existing security-related internet standards deployed by industry. And we have been producing reports over the past five years since we exist. The first one was on education and skills and trying to close the skills gap between what tertiary cybersecurity curricula offer and what the industry actually demands. And we identified an age gap and a skills gap and a gender gap all in one, all over the world. The second report was on IoT security and that will come back a little in Joao’s presentation so I’ll not go into that further. Our third report was on government procurement. We found out that governments mostly do not procure their IT. on interconnectivity and we added websites because everybody thought that was extremely important to put a point of pressure on for industry as well. Then we produced a toolkit on arguments. What arguments do technicians need to use to convince their CEOs, their CEOs, CFOs, their board directors, etc. to actually either deploy standards or procure standards secure by design? And this year we have our fourth report, which the people here on the table will tell you about, about post-quantum encryption.
The way that I look at it, the history of cyber security is: imagine that you buy a car on the top of a mountain and the salesman gives the keys to you and says, just drive down, there you go. And you go around the first very soft bend, because it’s starting to slope down very slowly, and there’s a guy saying, do you want to buy brake lights, waving on the side of the road. And by the next bend somebody is waving, would you like to have, whatever, seat belt? And then finally, do you need brakes, do you need brakes? And there’s the first hairpin tail and the ravine going down like this. And this is what sort of happens with ICT. You buy a device and then somebody says you have to install this, or you have to buy antivirus, or you have to whatever, and that is something which is not normal for any other product. Benoît Ampeau, Director of Partnerships on Innovation at AFNIC


Benoit Ampeau: We are very happy supporting this fourth report and I will explain why and give you some elements of context on why AFNIC, the French Internet Registry, is very pleased with the outcomes from this report. At AFNIC, we have been working for over 15 years on the Internet of Things, particularly on the technical aspects and the identification of objects, as well as on security and privacy issues through several R&D projects. More recently, like many technical organizations, we need to anticipate the technical transition and we have begun to evaluate the impact of post-quantum cryptography on more operational aspects. As early as 2016, we organized a conference with our scientific council to raise awareness about its impact on our increasingly digitalized societies. Since then, many things have evolved. As part of our commitment, we are working on the digitalization of the Internet of Things and the digitalization of the Internet of Things. In our commitment to R&D, we also have observed that there are still too few studies on the social and societal impact of technologies. This is also a shift for us. We are trying to integrate, when relevant, these important dimensions into some of our studies, which make sense, particularly here at the IGF, the unique place where all stakeholders can dialogue. This report was born from all these contextual elements. Quantum computing is no longer a distant dream, confined to the page of science fiction. In a way, it’s still distant, since we do not know when the threat will be available and ready to crack the global cryptographic scene on our digital services. It is a rapidly evolving field, with some significant investment from both the public and private sectors. While quantum computing promises revolutionary advancements, it also poses a substantial threat to our current cryptographic systems. 
The algorithms that secure our digital communications today could be rendered obsolete by the computational power of quantum computers. It’s particularly acute for IoT devices, which are increasingly integrated into our daily lives and critical infrastructure. Ensuring the security and privacy for the long term is crucial. This report that will be presented by the Internet Standards, Security and Safety Coalition has been also submitted to the community for comments. So I’m very grateful to the authors and contributors of this report. I think it’s offering a comprehensive analysis of existing vulnerabilities, an assessment of political and regularity. and Pierre-Henri Lévi-Strayer, and last but not least, strategic recommendations to enhance security at national, local and also global levels. In conclusion, even though the quantum computer capable of breaking current cryptography does not yet exist, the complexity of the transition necessitates immediate awareness and also action plans. Adapting infrastructure, revising trust chains, updating software, testing interoperability, this is not just about activating an option or replacing a few lines of codes or having some brake lights for your car, for instance. These are slow, sometimes costly evolutions that require coordination among many actors and rigorous planning. Past experiences in technological transition or the deployment of Internet security extensions shows how these changes, even consensus-driven, can extend even more than a decade. We must collectively anticipate an inevitable transition. Thank you.


Wout de Natris – van der Borght: Thank you. I think you set the stage, Benoît, ideally for the next step. But why is it important for a registry that .afnic is for the .fr region? So, please, Sandoche.


Sandoche Balakrichenan: Thank you, Wout. My name is Sandoche Balakrichenan, Head of R&D Partnerships at AFNIC. So, thank you, Benoît, for setting up the stage for my talk. In the next five minutes, I will try to explain why a domain name registry is involved in the study about IoT and post-quantum. So, here, if you see in the image here, we have different stakeholders involved in connecting a domain name to the web service or sending a mail to different users. So, if you see from a technical perspective… IETF, which standardizes the IP addresses and the domain names. From a governance perspective, we have, for example, in the domain name sector, we have ICANN, we have ccTLDs like .fr. In the IP address governance, we have IANA, Regional Internet Registries. For example, in Europe, it is called RIPE, Réseaux IP Européens. So all these different stakeholders are involved in setting up the stage for translating the domain name to IP address. And the system that is used behind it is called the domain name system. But when we see in IoT, we have different stakeholders involved also, but they are working in silos. So what AFNIC is trying to look at is that the multi-stakeholder system that has been working quite effectively in the Internet for the last 40 years, can it be applied in the IoT? So that’s what we are working on. And we are not just telling it, we are walking the talk. We had, for example, worked with different stakeholders on French government and European projects. For example, we started with the supply chain industry in the consumer goods to look at how RFID or barcode could be used in the DNS and then resolve to its service. Then we used to work with the LoRa Alliance, which is the LPWAN technology. So we started like in Legos. We started first with seeing whether the identifiers can be added to the DNS database. Then these identifiers like RFID and barcodes could be resolved to service using the DNS. Then we added the next layers like security and privacy.
So we had considerable experience in the last 15 years working with IoT stakeholders on how to use DNS. So the IS3C report here, that’s the objective of this talk, looks at today’s pain points in the IoT and how it is amplified by the advent of post-quantum. This report looks at it in detail, which will be explained. and Elif. So from a policy and standards landscape, what happens? In the US, for example, NIST has published different algorithms, like four or five algorithms for post-quantum cryptography. The federal government is saying that by 2035, all federal systems classified and unclassified must be using full quantum-resistant cryptography. For example, in the EU, we have different standardization activities going around PQC. The EU roadmap also says that by 2035, transition should be largely complete for all practical systems. From a domain name perspective, if you see the IETF, the Internet Engineering Task Force, there is also ongoing work on how the DNS system could be getting ready for a quantum secure future. So our role as a registry, what are we going to do? We want to look at the technical and policy perspective on how to transition PQC-ready DNS infrastructure for real-world use. Let’s say, for example, with PQC, we have cryptographic key sizes, which can be large, and there is also energy consumption. Then finally, our objective as a registry is to keep the DNS trustworthy for IoT. Our call for action is that as multi-stakeholders, let’s work together to ensure that when the deadline arrives, like in 2035, the IoT can resolve using DNS. The algorithms used for securing access could be quantum-resistant. Thank you.


Wout de Natris – van der Borght: Thank you, Sandoche. I think that that shows that it is an urgent topic. And we focused on IoT, because we had to limit our research, of course, but this could be on many different topics. The DNS will have its own problems, the banking system will have their own problems, the routing system on the Internet will have their problems, but we faced the IoT challenge, and Joao is going to go in.


Joao Moreno Falcao: What are they? So they are resource-constrained devices, which is our first challenge, since post-quantum cryptography is way more complex and way more resource-intensive technology to be used. And we also are here using devices with fragmented protocols, so we have the devices with LoRa that uses a bandwidth different and, well, a protocol different than the IP protocol that we are all used to. So, how can we go after it? How can we protect these other devices that talk in different languages? So it makes us feel like in the 70s, when we had a couple of devices talking different languages. But we need to harmonize them to protect all the ecosystem, not just a part of the ecosystem, against the quantum threats. And of course the other part of the landscape that we have is the low user awareness. So we have an inertia in patching these systems, because for most people it’s difficult, actually, to look after all your devices that you have at home or in your factory or in your company, because they are intended to be automated. They’re intended to be devices that you are going to drop in the system and you will never think again of this individual device. So how can we highlight that we have these entry points, that we have these devices, they are a risk, and use this to protect? So, the case studies: I brought three here. One is the Jeep Cherokee hack. Well, it happened in 2015. They were able to change the steering wheel of the device and also interfere with the braking system. So this was a huge turning point, because a physical, an online hack would be able to cause immediate harm to the user. So you can think like, okay, it was in 2015, so now we are better.
Well, no, in 2024 Kia also had an incident where you could change the device owner and with this be able to unlock the car and also see the history of the car. So anyone with a Kia car could be hacked in this way and have its privacy violated. So the St. Jude cardiac implants show that it’s not only restricted to a specific industry. You can talk about medical devices too, that can risk the life of the patients. So these cardiac implants had a flaw that could be, so the device could be discharged remotely and then making it unusable to the patient. And one thing that we saw very concerning is about the botnets, so I will go further on this. The Mirai botnet is the one most prohibit because it was created in 2016 and it was actually a proof of concept. So a couple of guys in the college said, I think this kind of attack is feasible, so we will write up some code and published on the internet showing how we are vulnerable. Well, this actually created a trend based in their code. There are more than 30 active variants of this malware running around. And they have a huge impact in the privacy of the users and also to cause harm. So we saw other examples being used by espionage. And we need to look after this kind of threat, that it’s global. So the policy landscape we went through, it’s pretty interesting. So we have ISO, and they are based on foundational knowledge about how we can secure these devices. We have the EU Cyber Resilience Act, which mandates the security by design, including in IoT. We have the NIST, the APEC labeling systems are pretty interesting because they try to bring awareness to the user by validating and certificating the devices. And also, we looked up into the PQC part. We saw that UK created a roadmap to plan the transition up to 2035, which it looks promising, but we need to work on that, too. And also, we saw the role of IETF in the PQC standardization because the main source of communication of IETF.
These devices is the internet, and we need to have devices to tackle this, to people to tackle this communications. So, yeah, the strategic recommendations: we saw that we are coming in a good path, but we need to being further on it and create a mandate secured by design, universally harmonized global label certification, and invest in lightweight post-quantum resistant solutions, and of course train the users and the programmers to be able to use these kinds of technologies. Yeah. Thank you.


Wout de Natris – van der Borght: Thank you as well, and I think the sort of risks are quite clear at this moment, also the recommendations. Sorry. And Elif, what are your findings in the research where the post-quantum part and the cryptography is concerned? So the floor is yours, Elif, and you have nine minutes.


Elif Kiesow Cortez: Yes, thank you very much, just making sure that my slides are up as well. And of course, we are very happy to be presenting today the findings of our report, and you also see the full name, that it’s socio-political and technical impacts of IoT and PQC. And in this report, already my colleagues mentioned that we will be focusing on also giving strategic guidelines. So for me, I think, to complement what has been already said, let me just maybe jump to the PQC part with a bit more detail. So what we wanted to cover here with our co-authors was both giving the advice on the importance of the PQC migration, but as well, briefly mentioned, we also wanted to make sure that it’s on a concrete subject, and for this case we will be referring to IoT also when it comes to our recommendations. So first we wanted to understand what is the current status of the discussion on these issues. And when it comes to PQC, it’s important to mention also for our audience: yes, we are talking about a threat by a quantum computer, and this particular quantum computer that we refer to is defined as a cryptographically relevant quantum computer, so it has a focus, it has the capacity, and it can be utilized for breaking the currently valid encryption, including RSA. And I don’t have to explain why this is a significant threat, but I’m just going to picture for you one version of this threat that has been discussed a lot. This is called Harvest Now, Decrypt Later, and this is to say even if when we are thinking that our highly sensitive data such as government communications are currently encrypted, this discussion, this particular risk is highlighting that this encrypted data can be recorded right now, and those recordings can be decrypted once malicious actors are able to utilize a cryptographically relevant quantum computer.
So that is just to give a concrete example on why we say this risk is a big one, and the other of course indicators to understand how this is a current and relevant risk is to look at the policy landscape. We are already seeing and analyzing in our report the actions by NIST, it was also briefly mentioned by my colleagues that they already have guidelines that is on which PQC algorithms are recommended, but also the fact that they set 2035 as a target for all federal systems to migrate to PQC encryption. So again, this can sound like a bit like away, right, because we are talking about 2035, but it has been communicated also by NIST quite strongly that it is really, really important to start a migration process as early as possible, so that we can really guarantee… So now we are already looking at a five-year deadline, but let me make it a bit more pressuring by also explaining how they actually said that for achieving this timeline of making the switch by 2030, EU is now requiring the PQC transition planning and pilots to be initiated at least by the latest by the end of 2026. So if you walked into our lounge thinking that we will be talking about a sci-fi issue about the future, I guess that was wrong, right? We are launching today this report that is directly relevant to what needs to be done now and not later. So let me just stress that there are also other EU member states including France, Germany and the Netherlands that already launched their PQC migration guidelines. So in our report, you will be also finding more explanations on this as well. And this was again mentioned by my colleagues very briefly. Our report also looks at the societal impact angle as well. So for example, if we are talking about this like harvest now, decrypt later attacks, then we have to preserve the long-term privacy of the citizens as well against these kind of attacks. And we also have to secure critical services when it comes to societal impact.
Also when we are thinking about the legal impact now that, for example, we are saying the PQC migration plans must start latest by 2026, the regulations like the GDPR should be also compelling the use of quantum-resistant encryption in the near future. And when we look at the economic impact, of course, there will be significant costs for upgrading systems and hardware. That is also why we are urging for the migration plans to be started early. It has been mentioned again that we will be also covering in our report the environmental impact as well. I think João made a soft reference to it about how the algorithms can be also quite energy-intensive. And for making sure that we are thinking about the environment, we will need to be working towards a lighter, possibly working very well algorithms as well. So now I will be just jumping into the recommendations. Again, it was already highlighted that this will be on different levels. So we will be giving recommendations in this report that are both on the national and organizational levels in detail. But we also made a call for global cooperation as well. And we have different levels of recommendations. Again, you will find all of this in our lengthy report that we are looking at, for example, some more timeline perspectives in more detail on how to handle PQC migration. And then we are also explaining in detail how organizations should tackle this. But another added value of our report is we got a chance to apply it to a particular case, particular study, which is on this IoT security. And for this, we also gave international level guidelines that is about global standardization, interoperability, that is focusing on international R&D as well as capacity building. 
And we are also very happy that we managed to give this very concrete national level recommendations as well, starting from government initiatives for awareness and R&D, continuing with making mandatory the PQC compliance, because again, now I think it’s very clear that the risk… the threat is there. We know now better than, let’s say, 20 years ago not to ignore cybersecurity requirements, right? So in that sense, we are also highlighting that there has to be already educational training programs as well, but also we need to be thinking from things like national synergies, things like supporting, for example, product developers in PQC so that we are really covering a 360 aspect of this migration issue. Again, we said that we gave concrete guidelines also when it comes to IoT and PQC intersection. Here you can see in our report that we will be explaining how step-by-step a company, an organization can also work towards or move towards the PQC migration, starting from a cryptographic asset inventory for their IoT systems to, of course, getting to, for example, the data privacy policies in line with that, as well as the supply chain engagement. So again, I already said that we are very happy to be launching this report. So I think that Wout also has a few printed out copies with him as well, but you can scan this QR code as well to download our report. And if you are interested in working with us, of course, our colleagues are on stage. If you want to learn more on our report, like I said, you are happily provided this free and publicly accessible link to download and benefit and cite this report in your future work as well. Thank you very much, Wout.


Wout de Natris – van der Borght: Thank you very much, Elif, and very much on time. I think that what Elif shows is that we have an option and that option is to start acting now and be secure in the day of quantum. But the other thing is that we have a Dutch saying, saying a donkey does not run into the same stone every time. So where cybersecurity is concerned, I think the world has proven not to be a donkey because we’ve made the same mistake over and over, and others, with launching new products, insecure by design. This is a chance to do it differently. I think that with that I open the floor for questions. Are there any online questions? No? There’s a question in the room because the experts are here. So who would like to ask a question? There are microphones. So Ernst and Maike, please move to the microphone. And please introduce yourself and your affiliation first. Does the mic work? Okay.


Ernst E.A. Noorman: Thank you very much. My name is Ernst Noorman. I’m the Cyber Ambassador for the Netherlands. I’m not a specialist on quantum computing. And really thank you for the presentation. I will read the report with interest. First of all, I was really happy that in one of the presentations, there was a reference to the Cyber Resilience Act because Raoult said it was especially important when doing procurement from governments. But actually, that’s already too late. I mean, it should already be in the products anyway because of the Cyber Resilience Act. And I hope that many other countries outside the European Union will look at the legislation and also try to copy it, what’s relevant for their own legislation to ensure that it becomes a world standard to include cyber resilience in the products of the companies. For me, the risk in quantum and IoTs was a new angle. I’m really interested to learn about it. I discuss also quite often with specialists, professors from universities, the risk of post-quantum computing. And I must say there was also some different discussions. They say, you know, the organizations for which it’s really relevant, you know, the harvest decrypt later, they are already aware of it and they’re busy with it. So like the intelligence agencies. But if you look, for instance, to companies, small and medium-sized companies, I am wondering what your view is on that, because you read a lot that it makes enormous risk and at the same time I speak to professors and say we already have post-quantum encryption. Those organizations who really need it, they are already aware of it and they use it. Also companies like ASML, for instance, they are truly aware of the need to secure their data. I am curious about your view.


Wout de Natris – van der Borght: Thank you, Ernst. Maike, we will take your question and then we answer both at the same time.


Participant: Thank you. A very exciting and interesting session. Please introduce yourself first. Can you hear me now? Yes. Oh, introduce yourself. I am Maike Sippinen. Thank you for this nice, interesting session. It’s certainly an exciting topic, but also quite complex and I can imagine that for citizens it’s not super easy to really grasp all the challenges here and probably most of our normal people living their everyday lives don’t really think about it much or even know that they are using RSA or other encryption systems. So I’m wondering, one of your recommendations was about this global labeling and certification. It was exactly to increase citizen trust. So it would be interesting to hear a tiny bit more what that could look like and what would it be like in practice, since it’s sound. It sounds like something a bit challenging, because if you want to promote this kind of labels you also are, I believe, promoting these challenges, like with this Store Now Decrypt Later, which probably many citizens are not aware of yet. So, how do you balance raising awareness and not just worrying people, or how to create trust without making it all way too complex? Thanks.


Wout de Natris – van der Borght: Thank you, Maike. Thank you, Ernst, for your questions. Who would like to answer Ernst’s question first and then we go to Maike’s question? You take it, Ernst?


Joao Moreno Falcao: Yeah, okay. So, the first one is like, is it a problem with most of the devices? So, yeah, I argue in this favor, because when we think of the cities that we are, the intelligent cities, it has embedded several IoT devices all over the world. And if these devices are not secure enough for the kind of challenges that we will face, we make our society as a whole vulnerable to these kinds of attacks. So, if you’ve been able to fake the ownership of a specific device that it’s crucial to the working of a transportation system, for example, it’s been made by very tiny pieces, and if you break this chain, you can cause real harm.


Wout de Natris – van der Borght: And about the labeling part, well, we already have labeling in cars. You can see like, oh, this car is rated safety A, this car is rated safety D. I believe people buy them knowing this, and for their restrictions, they are willing or not. vulnerabilities that we need to consider that we’re not even thinking of. It’s not about ASML because they have money enough, but it’s about the things that lie there for 20 years or 40 years and what happens with them. So it’s far more complex I think than just the big companies or a big bank that will probably be able to deal with it. So that’s the sort of thing we have in the back of our mind. We have time for one more answer, so who would like to? Yes, Sandoche?


Sandoche Balakrichenan: I could add to the question before the production and the research. So if you see the PQC is already in the research and it’s just now the NIST or the other organizations are trying to quantify which of the algorithms production could use. So I would like to take just an analogy of what happened in the DNS. For example, people are saying that there are security vulnerabilities. So DNSSEC was a solution, but nobody was adopting that. But suddenly came the Kaminsky attack and then there was a huge adoption. So I think in the quantum world also things like that would help to easily add adoption.


Benoit Ampeau: Yeah, just to add also from the end-user perspective and raise awareness. Some countries are also thinking about developing like a cyber score label on products. So it could be also a way to directly give information to the end-users and consumers about the level of security announced by your product.


Wout de Natris – van der Borght: So, thank you very much. 45 minutes over before you know it and they are almost over. So we’re closing. I liken this topic to the millennium bug. Although everybody worked for nothing it seemed, everybody was able to act at the same time, take the same measures that were agreed upon up front. I think that is something that we need to do with this topic, that the whole world starts acting, that nobody’s left behind, that developing nations are assisted to set the steps they need to take. Because if they are vulnerable, we are vulnerable. So I think that the IGF in 2026, I’m confident that will continue, would be an ideal place to bring this together because we have so many different stakeholders that will have to take their own actions and they have to agree upon these actions. So what if we start later this year with an action plan bringing important stakeholders together and start discussing what is the issue, what are the actions, what is the quantum, what is the cryptography that we agree upon and start to make an action plan. And then it goes outside of the IGF and from that moment on hopefully everybody starts taking the same decisions. And Nico, you can have a very, very short comment, but please introduce yourself. We have one minute left and then they switch us off. So please introduce yourself. But I would like to thank everybody first and then we’ll see how far we come. Thank you guys. Thank you over there and the Norwegian organization because you’ve been absolutely brilliant these days and Lucien for reporting. Very, very brief.


Participant: Yeah. I’m Yuri Bokovoy from the Finnish Greens Party. I feel like the largest actor that is being under risk here is not the private companies, not the industry, not the ICT private operators, but the critical public infrastructure that is being quite harmed by austerity and the current…


Wout de Natris – van der Borght: Okay. You’ve made your point. Sorry. Yeah. Very quickly.


Nicolas Caballero: My name is Nico Caballero. I’m the GAC Chair at ICANN. I just wanted to know how many governments do you have at this point participating in the initiative and how they can…


Wout de Natris – van der Borght: Zero. Zero. Yeah. Zero. That’s your answer. So we want to bring them in as fast as possible. Oh. All right. I’ve heard you, Nico. Thank you. You heard my question. I’m sorry. Okay. It’s zero. So we want to bring them into the project. So they can still participate? Yes, of course. Okay. So we have 30 seconds, Lucien. In one sentence, what is the conclusion of this session?


Lucien Castex: A few very good points, and I’ll be brief. The first one, and I have two, is that it’s quite important to keep in mind that other transitions like IPv6 or the adoption of DNSSEC took like 10 years. We need to be faster. The second one, well, we launched this report at the IGF, which is a key multistakeholder forum. That’s excellent and needs forward thinking.


Wout de Natris – van der Borght: Okay, that was very brief, and thank you very much for this synopsis. I want to thank everybody again for showing up so early on the last day and for your interest. Thank you again, everybody, and hope to see you at the next IGF. Thank you.


Benoit Ampeau

Speech speed: 125 words per minute
Speech length: 583 words
Speech time: 277 seconds

Quantum computing poses substantial threat to current cryptographic systems that secure digital communications

Explanation

Quantum computing promises revolutionary advancements but also poses a substantial threat to current cryptographic systems. The algorithms that secure digital communications today could be rendered obsolete by the computational power of quantum computers, particularly affecting IoT devices integrated into daily lives and critical infrastructure.


Evidence

AFNIC organized a conference in 2016 with their scientific council to raise awareness about quantum computing’s impact on increasingly digitalized societies


Major discussion point

Post-Quantum Cryptography Threat and Urgency


Topics

Cybersecurity | Infrastructure


Agreed with

– Elif Kiesow Cortez
– Sandoche Balakrichenan

Agreed on

Urgent need for immediate action on post-quantum cryptography transition with specific deadlines


IGF provides unique place where all stakeholders can dialogue on technological transitions

Explanation

The Internet Governance Forum serves as a unique venue where all stakeholders can engage in dialogue about technological transitions. This multi-stakeholder approach is particularly important for addressing complex issues like post-quantum cryptography that require coordination across different sectors and organizations.


Evidence

AFNIC’s commitment to integrating social and societal impact dimensions into their studies, particularly relevant at IGF


Major discussion point

Multi-stakeholder Coordination


Topics

Infrastructure | Legal and regulatory


Agreed with

– Elif Kiesow Cortez
– Sandoche Balakrichenan
– Wout de Natris – van der Borght

Agreed on

Multi-stakeholder coordination is essential for successful quantum transition


Some countries are developing cyber score labels on products to give end-users information about security levels

Explanation

Countries are exploring the development of cyber score labeling systems for products to provide direct information to end-users and consumers about the announced security level of products. This approach aims to increase consumer awareness and enable informed decision-making about product security.


Major discussion point

Policy and Regulatory Landscape


Topics

Legal and regulatory | Economic


Agreed with

– Elif Kiesow Cortez
– Joao Moreno Falcao
– Ernst E.A. Noorman

Agreed on

Policy and regulatory frameworks are advancing but need global harmonization


Elif Kiesow Cortez

Speech speed: 150 words per minute
Speech length: 1280 words
Speech time: 510 seconds

Cryptographically relevant quantum computers can break currently valid encryption including RSA through “Harvest Now, Decrypt Later” attacks

Explanation

A cryptographically relevant quantum computer has the capacity to break currently valid encryption including RSA. The “Harvest Now, Decrypt Later” threat means that encrypted data can be recorded now and decrypted once malicious actors gain access to quantum computers, making even currently encrypted sensitive government communications vulnerable.


Evidence

NIST guidelines on recommended PQC algorithms and the 2035 target for federal systems migration


Major discussion point

Post-Quantum Cryptography Threat and Urgency


Topics

Cybersecurity | Infrastructure


NIST has set 2035 deadline for all federal systems to migrate to quantum-resistant cryptography, with EU requiring transition planning by 2026

Explanation

NIST has established 2035 as the target for all federal systems to migrate to post-quantum cryptography, emphasizing the need to start migration processes as early as possible. The EU has made this even more urgent by requiring PQC transition planning and pilots to be initiated by the end of 2026.


Evidence

France, Germany, and Netherlands have already launched their PQC migration guidelines


Major discussion point

Post-Quantum Cryptography Threat and Urgency


Topics

Legal and regulatory | Cybersecurity


Agreed with

– Benoit Ampeau
– Sandoche Balakrichenan

Agreed on

Urgent need for immediate action on post-quantum cryptography transition with specific deadlines


Countries like France, Germany, and Netherlands have already launched PQC migration guidelines

Explanation

Several EU member states including France, Germany, and the Netherlands have already launched their post-quantum cryptography migration guidelines. This demonstrates that the transition is not a future concern but a current policy priority requiring immediate attention and planning.


Evidence

EU requirement for PQC transition planning by 2026 and various national initiatives


Major discussion point

Policy and Regulatory Landscape


Topics

Legal and regulatory | Cybersecurity


Agreed with

– Joao Moreno Falcao
– Ernst E.A. Noorman
– Benoit Ampeau

Agreed on

Policy and regulatory frameworks are advancing but need global harmonization


Organizations should start with cryptographic asset inventory for IoT systems and engage supply chain in PQC migration

Explanation

Organizations need to take concrete steps toward PQC migration starting with a comprehensive cryptographic asset inventory for their IoT systems. This should be followed by updating data privacy policies and engaging the entire supply chain in the migration process to ensure comprehensive security coverage.


Evidence

Step-by-step guidelines provided in the report for company and organizational PQC migration


Major discussion point

Strategic Recommendations and Implementation


Topics

Cybersecurity | Economic


Global cooperation needed at international, national, and organizational levels for standardization and interoperability

Explanation

The report provides recommendations at multiple levels including international, national, and organizational guidelines. This includes global standardization efforts, interoperability requirements, international R&D cooperation, and capacity building to ensure coordinated global response to quantum threats.


Evidence

Detailed recommendations in the report covering timeline perspectives, organizational guidelines, and international cooperation frameworks


Major discussion point

Strategic Recommendations and Implementation


Topics

Infrastructure | Legal and regulatory


Agreed with

– Benoit Ampeau
– Sandoche Balakrichenan
– Wout de Natris – van der Borght

Agreed on

Multi-stakeholder coordination is essential for successful quantum transition


Educational training programs needed alongside government initiatives for awareness and R&D support

Explanation

There is a critical need for educational training programs to accompany government initiatives for awareness and research and development support. This includes supporting product developers in PQC implementation and ensuring comprehensive coverage of migration issues from multiple angles.


Evidence

National level recommendations including government initiatives, mandatory PQC compliance, and educational programs


Major discussion point

Awareness and Education Challenges


Topics

Development | Legal and regulatory


Joao Moreno Falcao

Speech speed: 116 words per minute
Speech length: 919 words
Speech time: 474 seconds

IoT devices are resource-constrained with fragmented protocols, making post-quantum cryptography implementation challenging

Explanation

IoT devices face significant challenges as they are resource-constrained and use fragmented protocols like LoRa that operate differently from standard IP protocols. Post-quantum cryptography is more complex and resource-intensive, making it difficult to implement on these devices that were designed to use minimal resources.


Evidence

Devices with LoRa use different bandwidth and protocols than IP protocol, creating a situation similar to the 1970s when devices spoke different languages


Major discussion point

IoT Security Vulnerabilities in Post-Quantum Era


Topics

Infrastructure | Cybersecurity


Agreed with

– Sandoche Balakrichenan
– Elif Kiesow Cortez

Agreed on

IoT devices present unique vulnerabilities that are amplified by quantum threats


Real-world IoT attacks like Jeep Cherokee hack (2015) and Kia incident (2024) demonstrate immediate physical harm potential

Explanation

IoT security vulnerabilities have real-world consequences as demonstrated by the 2015 Jeep Cherokee hack where attackers could control steering and braking systems, and the 2024 Kia incident where car ownership could be changed and privacy violated. These cases show that online hacks can cause immediate physical harm and privacy violations.


Evidence

Jeep Cherokee hack allowed control of steering wheel and braking system; Kia incident allowed changing device owner, unlocking cars, and accessing car history


Major discussion point

IoT Security Vulnerabilities in Post-Quantum Era


Topics

Cybersecurity | Human rights


Mirai botnet created in 2016 has spawned over 30 active variants, showing global threat scale

Explanation

The Mirai botnet, originally created in 2016 as a proof of concept by college students, has evolved into a major global threat with over 30 active variants currently running. This demonstrates how IoT vulnerabilities can be exploited on a massive scale and used for espionage and other harmful activities.


Evidence

St. Jude Cardiac implants vulnerability that could discharge devices remotely, making them unusable to patients; Mirai botnet variants used for espionage


Major discussion point

IoT Security Vulnerabilities in Post-Quantum Era


Topics

Cybersecurity | Human rights


Smart cities with embedded IoT devices throughout transportation and infrastructure systems create society-wide vulnerabilities

Explanation

Smart cities integrate numerous IoT devices throughout transportation and infrastructure systems, creating interconnected networks where a single compromised device can affect entire systems. If these devices aren’t secure against quantum threats, they make society as a whole vulnerable to attacks that can cause real harm by breaking critical system chains.


Evidence

Example of transportation systems being made vulnerable through tiny IoT components that are crucial to system operation


Major discussion point

IoT Security Vulnerabilities in Post-Quantum Era


Topics

Infrastructure | Cybersecurity


Agreed with

– Sandoche Balakrichenan
– Elif Kiesow Cortez

Agreed on

IoT devices present unique vulnerabilities that are amplified by quantum threats


Disagreed with

– Ernst E.A. Noorman

Disagreed on

Scope of organizations at risk from quantum threats


EU Cyber Resilience Act mandates security by design including in IoT devices

Explanation

The EU Cyber Resilience Act represents important policy progress by mandating security by design principles, including for IoT devices. This regulatory approach aims to ensure that security is built into products from the beginning rather than added as an afterthought.


Evidence

ISO foundational knowledge about securing devices, NIST and APEC labeling systems for device validation and certification


Major discussion point

Policy and Regulatory Landscape


Topics

Legal and regulatory | Cybersecurity


Agreed with

– Elif Kiesow Cortez
– Ernst E.A. Noorman
– Benoit Ampeau

Agreed on

Policy and regulatory frameworks are advancing but need global harmonization


Need for mandatory secured-by-design approach, harmonized global labeling certification, and investment in lightweight post-quantum solutions

Explanation

Strategic recommendations include implementing mandatory security-by-design principles universally, creating harmonized global labeling and certification systems, and investing in lightweight post-quantum resistant solutions. Additionally, there’s a need to train both users and programmers to effectively use these technologies.


Evidence

UK roadmap for transition planning up to 2035, IETF role in PQC standardization for internet communications


Major discussion point

Strategic Recommendations and Implementation


Topics

Legal and regulatory | Infrastructure


Low user awareness creates inertia in patching IoT systems designed to be automated and forgotten

Explanation

IoT devices are designed to be automated and require minimal user intervention, which creates a significant challenge for security maintenance. Users often forget about these devices once installed, leading to inertia in patching and updating systems, making it difficult to highlight entry points and risks in the overall security ecosystem.


Evidence

Devices are intended to be automated systems that users drop in and never think about again, making it difficult to track all devices in homes, factories, or companies


Major discussion point

Awareness and Education Challenges


Topics

Cybersecurity | Sociocultural


Sandoche Balakrichenan

Speech speed: 150 words per minute
Speech length: 738 words
Speech time: 293 seconds

Multi-stakeholder system that worked effectively for Internet over 40 years can be applied to IoT security

Explanation

The multi-stakeholder governance model that has worked effectively for the Internet over the past 40 years, involving organizations like IETF, ICANN, and regional registries, can be applied to IoT security. Currently, IoT stakeholders work in silos, but AFNIC is exploring whether the successful Internet governance model can improve IoT security coordination.


Evidence

AFNIC’s 15 years of experience working with IoT stakeholders on DNS integration, including projects with supply chain industry, RFID, barcodes, and LoRaWAN technology


Major discussion point

DNS Registry Role in IoT Security


Topics

Infrastructure | Legal and regulatory


Agreed with

– Benoit Ampeau
– Elif Kiesow Cortez
– Wout de Natris – van der Borght

Agreed on

Multi-stakeholder coordination is essential for successful quantum transition


DNS registries must transition to PQC-ready infrastructure to keep DNS trustworthy for IoT by 2035 deadline

Explanation

DNS registries have a crucial role in ensuring that DNS infrastructure is ready for post-quantum cryptography to maintain trustworthiness for IoT systems. The goal is to ensure that by the 2035 deadline, IoT devices can resolve using DNS with quantum-resistant algorithms for securing access.


Evidence

IETF ongoing work on quantum-secure DNS, US federal government requirement for quantum-resistant cryptography by 2035, EU roadmap for transition completion by 2035


Major discussion point

DNS Registry Role in IoT Security


Topics

Infrastructure | Cybersecurity


Agreed with

– Benoit Ampeau
– Elif Kiesow Cortez

Agreed on

Urgent need for immediate action on post-quantum cryptography transition with specific deadlines


Post-quantum cryptography brings challenges of larger cryptographic key sizes and increased energy consumption for DNS systems

Explanation

The implementation of post-quantum cryptography in DNS systems faces technical challenges including significantly larger cryptographic key sizes and increased energy consumption. These factors must be considered when transitioning DNS infrastructure to be quantum-resistant while maintaining performance and efficiency.


Evidence

Technical and policy perspective work on transitioning PQC-ready DNS infrastructure for real-world use


Major discussion point

DNS Registry Role in IoT Security


Topics

Infrastructure | Development


Agreed with

– Joao Moreno Falcao
– Elif Kiesow Cortez

Agreed on

IoT devices present unique vulnerabilities that are amplified by quantum threats


Lucien Castex

Speech speed: 148 words per minute
Speech length: 67 words
Speech time: 27 seconds

Past technological transitions like IPv6 and DNSSEC took 10 years, but we need to be faster for post-quantum migration

Explanation

Historical technological transitions such as IPv6 adoption and DNSSEC implementation required approximately 10 years to complete. However, the urgency of the quantum threat means that the post-quantum cryptography migration must be accomplished more quickly to ensure security before quantum computers become capable of breaking current encryption.


Evidence

Historical examples of IPv6 and DNSSEC adoption timelines


Major discussion point

Post-Quantum Cryptography Threat and Urgency


Topics

Infrastructure | Cybersecurity


Ernst E.A. Noorman

Speech speed: 154 words per minute
Speech length: 302 words
Speech time: 117 seconds

Cyber Resilience Act should become world standard copied by countries outside EU to ensure global cyber resilience

Explanation

The EU Cyber Resilience Act represents important legislation that should be adopted globally rather than remaining limited to European markets. Countries outside the European Union should examine this legislation and copy relevant elements for their own legal frameworks to ensure cyber resilience becomes a worldwide standard in product development.


Evidence

Reference to government procurement and the importance of having cyber resilience built into products before procurement rather than after


Major discussion point

Policy and Regulatory Landscape


Topics

Legal and regulatory | Cybersecurity


Agreed with

– Elif Kiesow Cortez
– Joao Moreno Falcao
– Benoit Ampeau

Agreed on

Policy and regulatory frameworks are advancing but need global harmonization


Large organizations like intelligence agencies and companies like ASML are already aware and implementing solutions, but smaller companies may lag behind

Explanation

There is a disparity in post-quantum cryptography awareness and implementation between large, security-conscious organizations and smaller companies. Intelligence agencies and major corporations like ASML are already aware of quantum threats and implementing post-quantum encryption, but small and medium-sized companies may not have the same level of awareness or resources.


Evidence

Discussions with university professors indicating that organizations requiring high security like intelligence agencies are already using post-quantum encryption


Major discussion point

Awareness and Education Challenges


Topics

Economic | Development


Disagreed with

– Joao Moreno Falcao

Disagreed on

Scope of organizations at risk from quantum threats


Participant

Speech speed

140 words per minute

Speech length

251 words

Speech time

107 seconds

Need to balance raising citizen awareness about quantum threats without causing unnecessary worry while making complex topics accessible

Explanation

There is a challenge in educating citizens about post-quantum cryptography threats like “Harvest Now, Decrypt Later” attacks while avoiding unnecessary alarm. Most people don’t understand that they use RSA or other encryption systems, so communication strategies must make complex topics accessible while building trust rather than fear.


Evidence

Citizens’ lack of awareness about using RSA or other encryption systems in their daily lives


Major discussion point

Awareness and Education Challenges


Topics

Sociocultural | Human rights


Critical public infrastructure faces significant risk from quantum threats due to austerity and current constraints

Explanation

Critical public infrastructure represents the largest at-risk sector for quantum threats, more so than private companies or ICT operators. This infrastructure is particularly vulnerable due to austerity measures and current financial constraints that limit investment in security upgrades and quantum-resistant technologies.


Major discussion point

Strategic Recommendations and Implementation


Topics

Infrastructure | Economic


Wout de Natris – van der Borght

Speech speed

148 words per minute

Speech length

1408 words

Speech time

570 seconds

IS3C dynamic coalition works to deploy long-existing security-related internet standards by industry

Explanation

The Internet Standards, Security and Safety Coalition (IS3C) has one overarching goal: to have long-existing security-related internet standards deployed by industry. Over five years, they have produced reports addressing skills gaps in cybersecurity, IoT security, government procurement, and arguments for convincing leadership to deploy secure standards.


Evidence

Five years of reports covering education and skills gaps, IoT security, government procurement, toolkit on arguments for convincing executives, and the current post-quantum encryption report


Major discussion point

Multi-stakeholder Coordination


Topics

Infrastructure | Development


Need for action plan bringing important stakeholders together to agree on quantum cryptography standards and coordinated global response

Explanation

There is a need to develop an action plan that brings together important stakeholders to agree on quantum cryptography standards and coordinate a global response. The proposal suggests using IGF 2026 as a platform to bring together diverse stakeholders who must take coordinated actions, similar to how the millennium bug was addressed through coordinated global efforts.


Evidence

Comparison to millennium bug response where everyone acted simultaneously with agreed-upon measures; emphasis on ensuring developing nations are assisted and no one is left behind


Major discussion point

Multi-stakeholder Coordination


Topics

Infrastructure | Development


Agreed with

– Benoit Ampeau
– Elif Kiesow Cortez
– Sandoche Balakrichenan

Agreed on

Multi-stakeholder coordination is essential for successful quantum transition


Nicolas Caballero

Speech speed

174 words per minute

Speech length

33 words

Speech time

11 seconds

Currently zero government participation in the initiative, but they need to be brought in as fast as possible

Explanation

The current post-quantum cryptography initiative has zero government participation, which represents a significant gap in stakeholder engagement. Given the critical nature of the quantum threat and the need for coordinated policy responses, government participation is essential and should be prioritized immediately.


Evidence

Direct confirmation that there are currently zero governments participating in the initiative


Major discussion point

Multi-stakeholder Coordination


Topics

Legal and regulatory | Infrastructure


Agreements

Agreement points

Urgent need for immediate action on post-quantum cryptography transition with specific deadlines

Speakers

– Benoit Ampeau
– Elif Kiesow Cortez
– Sandoche Balakrichenan

Arguments

Quantum computing poses substantial threat to current cryptographic systems that secure digital communications


NIST has set 2035 deadline for all federal systems to migrate to quantum-resistant cryptography, with EU requiring transition planning by 2026


DNS registries must transition to PQC-ready infrastructure to keep DNS trustworthy for IoT by 2035 deadline


Summary

All speakers agree that the quantum threat is imminent and requires immediate action, with concrete deadlines already established by major organizations like NIST and the EU


Topics

Cybersecurity | Infrastructure | Legal and regulatory


Multi-stakeholder coordination is essential for successful quantum transition

Speakers

– Benoit Ampeau
– Elif Kiesow Cortez
– Sandoche Balakrichenan
– Wout de Natris – van der Borght

Arguments

IGF provides unique place where all stakeholders can dialogue on technological transitions


Global cooperation needed at international, national, and organizational levels for standardization and interoperability


Multi-stakeholder system that worked effectively for Internet over 40 years can be applied to IoT security


Need for action plan bringing important stakeholders together to agree on quantum cryptography standards and coordinated global response


Summary

There is strong consensus that the quantum transition requires coordinated effort across multiple stakeholders, similar to successful Internet governance models


Topics

Infrastructure | Legal and regulatory | Development


IoT devices present unique vulnerabilities that are amplified by quantum threats

Speakers

– Joao Moreno Falcao
– Sandoche Balakrichenan
– Elif Kiesow Cortez

Arguments

IoT devices are resource-constrained with fragmented protocols, making post-quantum cryptography implementation challenging


Smart cities with embedded IoT devices throughout transportation and infrastructure systems create society-wide vulnerabilities


Post-quantum cryptography brings challenges of larger cryptographic key sizes and increased energy consumption for DNS systems


Summary

Speakers agree that IoT devices face particular challenges in implementing post-quantum cryptography due to resource constraints and widespread deployment in critical systems


Topics

Infrastructure | Cybersecurity


Policy and regulatory frameworks are advancing but need global harmonization

Speakers

– Elif Kiesow Cortez
– Joao Moreno Falcao
– Ernst E.A. Noorman
– Benoit Ampeau

Arguments

Countries like France, Germany, and Netherlands have already launched PQC migration guidelines


EU Cyber Resilience Act mandates security by design including in IoT devices


Cyber Resilience Act should become world standard copied by countries outside EU to ensure global cyber resilience


Some countries are developing cyber score labels on products to give end-users information about security levels


Summary

There is agreement that while policy frameworks are emerging, they need to be harmonized globally to ensure comprehensive protection


Topics

Legal and regulatory | Cybersecurity


Similar viewpoints

Both speakers emphasize that cybersecurity threats have real-world, immediate consequences that can cause physical harm and privacy violations

Speakers

– Joao Moreno Falcao
– Elif Kiesow Cortez

Arguments

Real-world IoT attacks like Jeep Cherokee hack (2015) and Kia incident (2024) demonstrate immediate physical harm potential


Cryptographically relevant quantum computers can break currently valid encryption including RSA through ‘Harvest Now, Decrypt Later’ attacks


Topics

Cybersecurity | Human rights


Both recognize the challenge of awareness gaps – between large and small organizations, and between technical complexity and public understanding

Speakers

– Ernst E.A. Noorman
– Participant

Arguments

Large organizations like intelligence agencies and companies like ASML are already aware and implementing solutions, but smaller companies may lag behind


Need to balance raising citizen awareness about quantum threats without causing unnecessary worry while making complex topics accessible


Topics

Economic | Development | Sociocultural


Both emphasize learning from past technological transitions to ensure faster, more coordinated implementation of post-quantum cryptography

Speakers

– Lucien Castex
– Wout de Natris – van der Borght

Arguments

Past technological transitions like IPv6 and DNSSEC took 10 years, but we need to be faster for post-quantum migration


Need for action plan bringing important stakeholders together to agree on quantum cryptography standards and coordinated global response


Topics

Infrastructure | Cybersecurity | Development


Unexpected consensus

Zero government participation despite critical need for policy coordination

Speakers

– Nicolas Caballero
– Wout de Natris – van der Borght

Arguments

Currently zero government participation in the initiative, but they need to be brought in as fast as possible


Explanation

It’s unexpected that despite the critical nature of quantum threats and the need for policy coordination, there is currently no government participation in the initiative. This consensus on the absence highlights a significant gap that needs immediate attention.


Topics

Legal and regulatory | Infrastructure


Critical public infrastructure as the most vulnerable sector

Speakers

– Participant
– Joao Moreno Falcao

Arguments

Critical public infrastructure faces significant risk from quantum threats due to austerity and current constraints


Smart cities with embedded IoT devices throughout transportation and infrastructure systems create society-wide vulnerabilities


Explanation

There’s unexpected consensus that public infrastructure, rather than private sector entities, faces the greatest quantum threat risk due to resource constraints and widespread IoT integration


Topics

Infrastructure | Economic | Cybersecurity


Overall assessment

Summary

Strong consensus exists on the urgency of quantum threats, need for multi-stakeholder coordination, IoT vulnerabilities, and policy harmonization. However, significant gaps remain in government participation and public awareness.


Consensus level

High level of consensus among technical experts and industry representatives, but critical gaps in government engagement and public understanding threaten effective implementation. The consensus implies that while the technical community understands the threat, broader stakeholder engagement is essential for successful transition.


Differences

Different viewpoints

Scope of organizations at risk from quantum threats

Speakers

– Ernst E.A. Noorman
– Joao Moreno Falcao

Arguments

Large organizations like intelligence agencies and companies like ASML are already aware and implementing solutions, but smaller companies may lag behind


Smart cities with embedded IoT devices throughout transportation and infrastructure systems create society-wide vulnerabilities


Summary

Ernst suggests that organizations truly needing quantum protection are already aware and implementing solutions, while Joao argues that the threat is much broader, affecting entire smart city infrastructures and creating society-wide vulnerabilities through interconnected IoT devices.


Topics

Economic | Development | Infrastructure | Cybersecurity


Unexpected differences

Urgency and scope of quantum threat implementation

Speakers

– Ernst E.A. Noorman
– Elif Kiesow Cortez

Arguments

Large organizations like intelligence agencies and companies like ASML are already aware and implementing solutions, but smaller companies may lag behind


NIST has set 2035 deadline for all federal systems to migrate to quantum-resistant cryptography, with EU requiring transition planning by 2026


Explanation

This disagreement is unexpected because both speakers are cybersecurity experts, yet they have different assessments of the current state of quantum threat preparedness. Ernst suggests the most critical organizations are already prepared, while Elif emphasizes the urgent need for widespread immediate action across all sectors.


Topics

Cybersecurity | Economic | Development


Overall assessment

Summary

The main disagreement centers on the scope and urgency of quantum threat response, with some speakers viewing it as a targeted issue for high-security organizations versus others seeing it as a broad societal challenge requiring immediate universal action.


Disagreement level

Low to moderate disagreement level. While speakers generally agree on the existence of quantum threats and the need for action, they differ on implementation scope, urgency, and target audiences. This disagreement could impact policy prioritization and resource allocation, but the overall consensus on the need for post-quantum cryptography migration provides a foundation for coordinated action.


Takeaways

Key takeaways

Post-quantum cryptography migration is an urgent, present-day issue requiring immediate action, not a distant future concern, with government deadlines set for 2026 (EU planning) and 2035 (full implementation)


IoT devices present unique vulnerabilities in the post-quantum era due to resource constraints, fragmented protocols, and low user awareness, creating society-wide security risks


The complexity of post-quantum transition requires coordinated global action across multiple stakeholders, similar to how the multi-stakeholder Internet governance model has worked for 40 years


The current cybersecurity approach of ‘insecure by design’ products must change to ‘security by design’ mandates, with the post-quantum transition offering an opportunity to break this cycle


DNS registries play a crucial role in IoT security and must prepare their infrastructure for post-quantum cryptography to maintain trustworthy domain name resolution


Past technological transitions like IPv6 and DNSSEC took over 10 years, but the post-quantum migration timeline is more compressed and urgent


Policy frameworks like the EU Cyber Resilience Act should become global standards, with labeling and certification systems helping consumers make informed security choices


Resolutions and action items

Launch of the IS3C coalition’s fourth report on post-quantum cryptography and IoT security at the IGF


Proposal to develop an action plan bringing important stakeholders together to agree on quantum cryptography standards and coordinated global response


Suggestion to use IGF 2026 as an ideal forum to bring together diverse stakeholders for coordinated post-quantum transition planning


Call for organizations to begin cryptographic asset inventory for their IoT systems and engage supply chains in PQC migration


Recommendation for countries outside the EU to adopt legislation similar to the Cyber Resilience Act to create global standards


Need to bring government participation into the initiative (currently zero government involvement identified)


Unresolved issues

How to effectively balance raising citizen awareness about quantum threats without causing unnecessary worry while making complex topics accessible


Gap between large organizations (intelligence agencies, major corporations) that are already implementing post-quantum solutions and smaller companies that may be lagging behind


Challenge of securing critical public infrastructure that faces constraints from austerity measures


Technical challenges of implementing post-quantum cryptography on resource-constrained IoT devices with fragmented protocols


How to address the ‘inertia in patching’ problem for IoT devices designed to be automated and forgotten


Coordination mechanisms needed to ensure developing nations are not left behind in the transition


Specific implementation details for global labeling and certification systems


Suggested compromises

Development of lightweight post-quantum cryptography solutions specifically designed for resource-constrained IoT devices


Phased approach to post-quantum migration with clear timelines – planning by 2026, full implementation by 2035


Cyber score labeling system that provides security information to end-users without overwhelming them with technical complexity


Multi-level recommendations addressing international, national, and organizational levels to accommodate different stakeholder capabilities


Learning from past security adoption patterns (like DNSSEC after the Kaminsky attack) to identify catalyzing events that drive adoption


Thought provoking comments

The way that I look at it, the history of cyber security is imagine that you buy a car on the top of a mountain and the salesman gives the keys to you and says just drive down, there you go and you go around the first very soft bend because it’s starting to slope down very slowly and there’s a guy saying do you want to buy brake lights waving on the side of the road and by the next bend somebody is waving would you like to have whatever seat belt and then finally do you need brakes, do you need brakes and there’s the first hairpin tail and the ravine going down like this and this is what sort of happens with ICT.

Speaker

Wout de Natris – van der Borght


Reason

This vivid analogy effectively captures the fundamental problem with cybersecurity implementation – that security features are typically added as afterthoughts rather than being built into systems from the beginning. It’s particularly insightful because it makes a complex technical issue accessible through a relatable metaphor.


Impact

This comment set the conceptual framework for the entire discussion, establishing the core problem that post-quantum cryptography represents another opportunity to either repeat past mistakes or finally implement ‘security by design.’ It influenced subsequent speakers to emphasize proactive rather than reactive approaches.


This is called Harvest Now, Decrypt Later, and this is to say even when we are thinking that our highly sensitive data such as government communications are currently encrypted, this encrypted data can be recorded right now, and those recordings can be decrypted once malicious actors are able to utilize a cryptographically relevant quantum computer.

Speaker

Elif Kiesow Cortez


Reason

This comment transforms the quantum threat from a future abstract concept into a present, concrete danger. It reveals that the threat isn’t just about future vulnerabilities but about current data being compromised retroactively, which fundamentally changes the urgency and timeline for action.


Impact

This explanation shifted the discussion from treating quantum computing as a distant future concern to recognizing it as an immediate threat requiring urgent action. It provided the technical foundation that justified the aggressive 2026-2035 timelines mentioned throughout the session.


So the multi-stakeholder system that has been working quite effectively in the Internet for the last 40 years, can it be applied in the IoT? So that’s what we are working on. And we are not just telling it, we are walking the talk.

Speaker

Sandoche Balakrichenan


Reason

This comment introduces a crucial governance perspective by questioning whether successful internet governance models can be adapted for IoT security. It’s insightful because it recognizes that technical solutions alone are insufficient – governance structures matter for implementation success.


Impact

This comment broadened the discussion beyond purely technical considerations to include governance and coordination challenges. It helped establish why a domain registry would be involved in IoT security and reinforced the need for multi-stakeholder collaboration that became a recurring theme.


This is a chance to do it differently. I think that with that I open the floor for questions. Are there any online questions? No? There’s a question in the room because the experts are here. So who would like to ask a question?

Speaker

Wout de Natris – van der Borght


Reason

While brief, this comment encapsulates the session’s central thesis – that the post-quantum transition represents a unique opportunity to break the cycle of reactive cybersecurity and implement proactive, secure-by-design approaches from the outset.


Impact

This comment served as a call to action that transitioned the discussion from problem identification to solution-seeking, opening the floor for practical questions about implementation challenges and real-world applications.


They say, you know, the organizations for which it’s really relevant, you know, the harvest decrypt later, they are already aware of it and they’re busy with it. So like the intelligence agencies. But if you look, for instance, to companies, small and medium-sized companies, I am wondering what your view is on that…

Speaker

Ernst E.A. Noorman


Reason

This question challenges the universal urgency narrative by suggesting that awareness and preparedness may be unevenly distributed, with sophisticated actors already prepared while smaller entities remain vulnerable. It introduces important nuance about the differential impact of the quantum threat.


Impact

This question forced the presenters to address the complexity of implementation across different organizational scales and capabilities, leading to discussions about smart cities, critical infrastructure, and the interconnected nature of vulnerabilities that make even small, seemingly insignificant IoT devices potential systemic risks.


Overall assessment

These key comments fundamentally shaped the discussion by establishing both the conceptual framework and practical urgency for post-quantum cryptography adoption. The car analogy set the stage for understanding cybersecurity as a systemic design problem, while the ‘Harvest Now, Decrypt Later’ explanation transformed the quantum threat from abstract to immediate. The governance perspective broadened the scope beyond technical solutions to include coordination challenges, and the final exchange with Ernst introduced important nuance about differential preparedness across organizations. Together, these comments created a comprehensive narrative that moved from problem identification through technical explanation to practical implementation challenges, ultimately positioning the post-quantum transition as both an urgent threat and a unique opportunity for systemic improvement in cybersecurity practices.


Follow-up questions

How can the multi-stakeholder system that has worked effectively for the Internet over 40 years be applied to IoT?

Speaker

Sandoche Balakrichenan


Explanation

This addresses the fragmented nature of IoT stakeholders working in silos and explores whether proven governance models can be adapted for IoT security


How can we harmonize devices that use different protocols (like LoRa vs IP) to protect the entire ecosystem against quantum threats?

Speaker

João Moreno Falcão


Explanation

This addresses the technical challenge of securing IoT devices that communicate using fragmented protocols and different languages


How can we highlight and manage IoT devices as entry points and risks when they are intended to be automated and forgotten?

Speaker

João Moreno Falcão


Explanation

This addresses the challenge of low user awareness and the difficulty of managing devices that are designed to be ‘set and forget’


What would global labeling and certification look like in practice for IoT devices?

Speaker

Maike Sippinen


Explanation

This explores the practical implementation of security labeling systems to increase citizen trust and awareness


How do you balance raising awareness about quantum threats without worrying people, and create trust without making it too complex?

Speaker

Maike Sippinen


Explanation

This addresses the communication challenge of educating citizens about complex security threats like ‘Harvest Now, Decrypt Later’ attacks


How many governments are currently participating in the IS3C initiative and how can they join?

Speaker

Nicolas Caballero


Explanation

This identifies the need for government participation in post-quantum cryptography initiatives, with the answer revealing zero current government participation


How can developing nations be assisted to implement post-quantum security measures?

Speaker

Wout de Natris – van der Borght


Explanation

This addresses the global security concern that if developing nations remain vulnerable, everyone remains vulnerable


What is the impact of post-quantum cryptography transition on critical public infrastructure affected by austerity measures?

Speaker

Yuri Bokovoy


Explanation

This raises concerns about the vulnerability of underfunded public infrastructure during the quantum transition


How can we develop an action plan for IGF 2026 that brings together stakeholders to agree on quantum-resistant actions?

Speaker

Wout de Natris – van der Borght


Explanation

This proposes a coordinated global approach to post-quantum cryptography implementation through the IGF platform


How can we ensure faster adoption of post-quantum cryptography compared to previous transitions like IPv6 or DNSSEC that took 10 years?

Speaker

Lucien Castex


Explanation

This addresses the urgency of quantum transition given the 2030-2035 deadlines compared to historical technology adoption timelines


Disclaimer: This is not an official session record. DiploAI generates these resources from audiovisual recordings, and they are presented as-is, including potential errors. Due to logistical challenges, such as discrepancies in audio/video or transcripts, names may be misspelled. We strive for accuracy to the best of our ability.