How IS3C is going to make the Internet more secure and safer | IGF 2023
10 Oct 2023 01:30h - 03:00h UTC
Disclaimer: This is not an official record of the IGF session. The DiploAI system automatically generates these resources from the audiovisual recording. Resources are presented in their original format, as provided by the AI (e.g. including any spelling mistakes). The accuracy of these resources cannot be guaranteed. The official record of the session can be found on the IGF's official website.
Session report
Moderator – Wout de Natris
The session titled “How IS3C is going to save the internet” was introduced by Wout de Natris, who coordinates the session. The session is part of the Dynamic Coalition on Internet Standards, Security, and Safety (IS3C) under the Internet Governance Forum (IGF). The aim of the session is to promote a more secure and safe internet through the deployment of internet standards. The overarching goal is to safeguard the internet and ensure its resilience and inclusivity.
Mark Carvell, the senior policy advisor for the IS3C, was praised for his credentials and contribution to the coalition. He assists with steering the IS3C in its efforts to achieve its objectives. His expertise and experience play a crucial role in the development and implementation of policies for internet security standards.
Stephen Tan, a member of the advisory panel, is working on developing a tool that will allow governments and industries to effectively utilize internet standards. The tool, referred to as “the list,” is aimed at ensuring the timely updating and deployment of internet standards. By providing a comprehensive resource, it will help stakeholders navigate the complexities and rapidly evolving landscape of internet standards.
The session focused on several key aspects related to internet security and safety, including education and skills, IoT security, and emerging technologies. Janice Richardson chairs the Working Group on Education and Skills, Nicolas Fiumarelli chairs the Security by Design of the Internet of Things Group, and Maarten Botterman serves as the vice-chair of the Working Group on emerging technologies. These working groups play a vital role in addressing the challenges and opportunities in their respective areas of focus.
One of the working groups, Working Group 6, encountered a delay in publishing their report, which was a regrettable occurrence. However, the session did not provide any details or reasons for the delay.
Concerns were raised regarding the major challenges facing IoT security, particularly regarding the lack of implementation of existing standards and security measures. The significance of user involvement in threat management and the role of global standard unification were highlighted. It was acknowledged that many businesses lack the incentive to deploy improved security measures, and the lack of unified standards poses a significant obstacle to IoT security.
The importance of a comprehensive security by design approach for IoT was emphasized by Working Group 1. They have developed recommendations after analyzing over 30 documents and 400 best practices. This approach focuses on integrating security measures into the design and development of IoT systems from the outset.
The session also highlighted the importance of effective procurement and supply chain management for IoT security. Concerns were raised about the lack of a level playing field for companies that implement robust security measures, as they face higher costs. The procurement documents studied hardly ever discussed cybersecurity or demanded internet standards, which poses a significant risk to overall IoT security.
Advocacy for the mandatory implementation of security standards in the procurement process was expressed. Examples were provided, such as the Dutch Ministry of Interior enforcing the mandatory implementation of 43 open standards, and Microsoft gradually being pushed to deploy DNSSEC and other standards due to such policies. The Internet.nl tool, which allows users to check a company’s security score, was also highlighted as a valuable resource.
The session informed participants that new reports on IoT and procurement are available for access through QR code scanning or website links. This digital distribution of reports represents a modern approach to sharing knowledge, replacing the previous method of printing physical copies.
The session also highlighted the progress of the working groups. Two of the working groups are already functioning, and efforts are underway to generate new outcomes. Additionally, a new working group is expected to start in 2024, further expanding the spectrum of topics and expertise within the coalition.
Wout de Natris expressed his anticipation for positive outcomes from the current and future working groups. In particular, Stephen Tan, an expert in the advisory panel of Working Group 8, was expected to explain the group’s objectives, contributing to the coalition’s overall goals.
The IS3C coalition is currently running a public consultation to invite critique and enhancements to their guiding compass list. This list serves as a foundational guide for decision-makers in making secure and informed ICT procurement decisions. The coalition believes that global collaboration and transparency are vital for navigating the complexities of the digital realm and ensuring a secure, reliable, and inclusive internet for all.
The session also touched on the importance of internet security standards, such as DNSSEC and RPKI, and their low adoption rates globally. Despite being in existence for a long time, many industries and governments have yet to fully implement these standards, leaving the internet vulnerable to attacks.
The need for a change in how these security standards are described and communicated to CEOs and directors was advocated. The aim is to bridge the gap between technical terminology and non-technical decision-makers, ensuring a better understanding and adoption of these crucial security measures.
The session emphasized the importance of IS3C’s work in contributing to the United Nations’ Sustainable Development Goals (SDGs). By promoting a secure and resilient internet infrastructure and raising awareness about the importance of deploying global internet standards, the IS3C is actively working towards achieving SDG targets related to good health and well-being, industry, innovation, and infrastructure, sustainable cities and communities, and more.
The session concluded by addressing the global nature of internet security, stressing the importance of organizations such as ICANN and RIPE NCC in supporting the successful deployment of DNSSEC and RPKI. It also acknowledged the multidimensional nature of security, extending beyond technical aspects and involving values, attitudes, skills, knowledge, and critical understanding. The session underscored the need for prevention, rather than mitigation, in cybersecurity, and stressed the importance of consumer advocacy and standardized protocols for vulnerability disclosure.
Overall, the session was an opportunity to discuss and shed light on the various challenges and opportunities in internet standards, security, and safety. It emphasized the urgency and collaborative efforts required to address these challenges effectively, with the ultimate goal of creating a safer and more secure digital landscape for users worldwide.
Audience
The analysis provides a comprehensive examination of various aspects of internet security protocols and policy development. One argument put forward is that the adoption of internet security protocols is not happening fast enough. This is attributed to the fact that the underlying protocols, such as the Domain Name System (DNS) and the Border Gateway Protocol (BGP) used for routing, were developed in the previous century without initially considering security. The analysis highlights a negative sentiment towards this issue.
The analysis also argues that if these security protocol adoption issues are not addressed promptly, there is a risk of potential service interruptions that could significantly impact online businesses. The sentiment surrounding this argument is also negative. The inclusion of security features at the fundamental level is deemed crucial to ensuring the smooth functioning and reliability of the internet.
Regulation is another topic of concern raised in the analysis. It is suggested that if security protocols are not adopted rapidly enough, legislators may consider stepping in to regulate the industry. However, there is recognition that regulation could have unintended consequences, which adds a negative sentiment to this argument.
On a more positive note, the analysis introduces the idea that a multi-stakeholder context can play a pivotal role in solving the challenges of security protocol adoption. It is mentioned that the knowledge and experiences necessary to address security issues are available. Contrary to common perception, the analysis highlights that solving these issues is not as technically complex or expensive as many might believe. Furthermore, the adoption of security protocols is deemed beneficial for everyone involved.
In the realm of IoT security, the analysis suggests the need to continue analyzing new policy documents, incorporating new conclusions and recommendations. It is argued that these policy documents can help enhance current standards and practices related to IoT security.
The analysis also touches upon the challenges associated with compliance requirements and communication to engineering teams in the context of regulation. It is noted that tackling compliance requirements and effectively communicating them to engineering teams can be a significant challenge. The negative sentiment attached to this argument reflects the difficulty observed in finding relevant documents on the subject.
There is increasing pressure for policy makers to be more actively involved in future cybersecurity processes. The analysis emphasizes the importance of increased awareness activities and training for policy makers in this field. The positive sentiment associated with this argument indicates the significance placed on policy makers’ engagement.
Another noteworthy point discussed is the ethical responsibility and preparedness of cybersecurity professionals in relation to their societal roles. The analysis draws a comparison between cybersecurity professionals and undercover officers using dangerous tools to test systems. The sentiment here is negative, suggesting concerns over the ethical conduct of cybersecurity professionals in their line of work.
The analysis also highlights the importance of incorporating security by design for online safety. The sentiment attached to this argument is positive as security by design is considered crucial to mitigate safety risks posed by products that do not adopt this approach. In addition, the analysis underscores the need for education to complement awareness of internet safety measures, as awareness alone is deemed insufficient. A negative sentiment is associated with this argument.
Regarding the training of next-generation cybersecurity professionals, the analysis suggests that it is a learning challenge. The sentiment is neutral, indicating a balance between understanding the highly specific and potentially dangerous knowledge in the cybersecurity space and the need for professionals to comprehend their role in ensuring security.
The analysis also sheds light on the progress made by a coalition in researching and strengthening the platform’s security through tangible outcomes. It is mentioned that the coalition plans to launch a hub and welcomes active involvement and contributions from the public. The sentiment associated with this topic is positive, suggesting a recognition of the value of collaboration and public engagement.
Lastly, the analysis addresses the challenges in implementing security standards, highlighting that these challenges are not solely technical but often influenced by political and economic factors. The analysis also points out a lack of shared understanding or agreement on legal matters across different jurisdictions. This highlights the need for harmonization and collaboration in the international cybersecurity landscape, and the sentiment is neutral.
In conclusion, the analysis provides a comprehensive overview of various aspects of internet security protocols and policy development. It highlights the need for faster adoption of security protocols, the potential consequences of inaction, the possibility of regulation, and the importance of a multi-stakeholder context in addressing these issues. It also emphasizes the significance of IoT security, compliance requirements, policy maker involvement, the ethical conduct of cybersecurity professionals, education, and public engagement. The analysis underlines the importance of incorporating security by design and the challenges surrounding training next-generation cybersecurity professionals. Furthermore, it acknowledges the progress made by a coalition in researching and strengthening cybersecurity efforts. Finally, it recognizes the political, economic, and legal challenges associated with implementing security standards. These insights and observations provide valuable input for policymakers, stakeholders, and anyone involved in the field of internet security.
David Huberman
The overall success of the internet in seamlessly connecting devices and networks can be attributed to standardisation. Engineers have embraced common standards, enabling the internet to work uniformly across various devices and networks. This standardisation has played a vital role in ensuring interoperability and enabling the internet to function consistently for users on iPhones, Android devices, and other platforms. The very foundation of the internet was built upon these widely adopted standards.
Two fundamental standards, BGP (Border Gateway Protocol) and DNS (Domain Name System), serve as the building blocks for all internet services. BGP facilitates routing, allowing different networks to communicate with each other effectively. Without BGP, the internet would face difficulties in routing data packets and maintaining efficient connectivity. DNS, on the other hand, is responsible for translating human-readable domain names into IP (Internet Protocol) addresses, making it possible for users to access websites using familiar domain names rather than complex numerical addresses. DNS enables the scaling of the internet beyond just IP addresses, enhancing usability and accessibility for users worldwide.
Unfortunately, when it comes to internet security, the adoption of DNSSEC (Domain Name System Security Extensions) and RPKI (Resource Public Key Infrastructure) standards has proven to be insufficient. DNSSEC aims to secure the DNS by providing authentication and integrity checks, preventing DNS spoofing and other malicious activities. However, the global deployment of DNSSEC currently stands at only around 15-20%. Similarly, RPKI, which provides a framework for verifying the legitimacy of routing information, also lacks sufficient adoption. The insufficient adoption of these security standards poses risks to the stability and security of the internet.
In light of these challenges, policy makers and decision makers are urged to prioritise the adoption of DNSSEC and RPKI as basic standards for a safer internet. DNSSEC and RPKI play critical roles in ensuring the security of the DNS and BGP, respectively. The current level of adoption falls short, emphasising the need for concerted efforts towards implementing these standards. By embracing DNSSEC and RPKI, stakeholders can work towards a more secure and resilient internet infrastructure, safeguarding users’ data and protecting against various threats.
In conclusion, standardisation has been instrumental in allowing the internet to function seamlessly across devices and networks. BGP and DNS serve as essential standards for enabling internet services. However, the adoption of DNSSEC and RPKI security standards has been inadequate, highlighting the need for increased emphasis and adoption. Policy makers and decision makers have an important role to play in prioritising these security standards to build a safer internet environment for all users.
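As an added illustration of what "verifying the legitimacy of routing information" means in practice (this is not part of the session report or of any IS3C material), the sketch below applies the route origin validation rules of RFC 6811 to constructed data. The prefixes and AS numbers are documentation values, and the names `VRP`, `SAMPLE_VRPS`, `SAMPLE_ANNOUNCEMENTS`, `validate_origin` and `summarise` are assumptions of this example.

```python
"""Route origin validation (RFC 6811) over constructed sample data."""
import ipaddress
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class VRP:
    """Validated ROA payload: which AS may originate which prefixes."""
    prefix: str      # covering prefix signed by the address holder
    max_length: int  # longest more-specific prefix the holder allows
    asn: int         # AS authorised to originate it (0 = nobody)


# Constructed VRPs: documentation prefixes (RFC 5737, RFC 3849) and
# documentation AS numbers (RFC 5398). Not real routing data.
SAMPLE_VRPS = [
    VRP("192.0.2.0/24", 24, 64496),
    VRP("198.51.100.0/24", 25, 64497),
    VRP("2001:db8::/32", 48, 64498),
]

# Constructed BGP announcements as (prefix, origin AS) pairs.
SAMPLE_ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),       # exactly what the ROA authorises
    ("192.0.2.0/24", 64511),       # right prefix, unauthorised origin
    ("192.0.2.128/25", 64496),     # right origin, longer than max_length
    ("198.51.100.128/25", 64497),  # more-specific allowed by max_length
    ("203.0.113.0/24", 64499),     # no ROA covers this prefix at all
    ("2001:db8:1::/48", 64498),    # IPv6, within max_length
    ("2001:db8:1::/64", 64498),    # IPv6, longer than max_length
]


def validate_origin(route_prefix, origin_asn, vrps):
    """Return 'valid', 'invalid' or 'not-found' for one announcement.

    valid     : at least one covering VRP matches origin and length
    invalid   : some VRP covers the prefix but none matches
    not-found : no VRP covers the prefix (holder published no ROA)
    """
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for vrp in vrps:
        net = ipaddress.ip_network(vrp.prefix)
        # subnet_of() raises on mixed IPv4/IPv6, so filter first.
        if net.version != route.version or not route.subnet_of(net):
            continue
        covered = True
        if (vrp.asn != 0
                and vrp.asn == origin_asn
                and route.prefixlen <= vrp.max_length):
            return "valid"
    return "invalid" if covered else "not-found"


def summarise(announcements, vrps):
    """Count validation states across a set of announcements."""
    return Counter(validate_origin(p, a, vrps) for p, a in announcements)


if __name__ == "__main__":
    for prefix, asn in SAMPLE_ANNOUNCEMENTS:
        state = validate_origin(prefix, asn, SAMPLE_VRPS)
        print(f"{prefix:<20} AS{asn:<6} {state}")
    print(dict(summarise(SAMPLE_ANNOUNCEMENTS, SAMPLE_VRPS)))
```

The "not-found" state is where low adoption shows up: a network can only reject an illegitimate origin for prefixes whose holders have published a ROA.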
Janice Richardson
According to a survey conducted in 66 countries, there is a significant gap between the skills that the cybersecurity industry requires and the skills that tertiary education institutes provide. The industry demands graduates who understand how the internet and cloud work, whereas universities are producing graduates skilled in coding and ethical challenges, but lacking in practical knowledge. This skills mismatch has serious implications for the industry.
The survey also reveals that a high percentage of graduates, 67%, lack essential soft transversal skills that are crucial for adapting to future challenges in cybersecurity. Moreover, cyber attacks are increasing at a faster rate than the allocation of resources to combat them, highlighting the urgency to address this issue.
To bridge the skills gap and promote collaboration, the establishment of a cybersecurity hub is necessary. Such a hub would coordinate efforts, drive diversity, provide authentic learning resources, and gather best practices to meet the real needs of the cybersecurity industry. Denmark’s approach to a similar hub has shown promising progress.
In addition to the skills gap, the lack of diversity in the cybersecurity industry, particularly in terms of gender, is hindering innovation and creative problem-solving. Encouraging a more diverse workforce, including women, can bring fresh perspectives and varied approaches to enhance the industry’s progress.
The survey also identifies users as the weakest link in maintaining cybersecurity. Although users are often aware of what is right in terms of internet safety, they fail to consistently practice safe online behavior. Thus, increasing awareness and providing education on best practices is crucial to address this issue.
Merely being aware of cybersecurity risks is insufficient without proper education. It is imperative to understand the impact and consequences of one’s actions. However, the expensive nature of resources for cybersecurity education limits access, exacerbating the problem. Efforts should be made to make cybersecurity education more accessible to all.
Users must go beyond simply learning to use technology and strive to understand how it works. This understanding allows for better navigation of ethical challenges in the technology-driven world. Ethical understanding in technology is meaningless without a comprehension of the underlying mechanisms.
Moreover, knowledge in cybersecurity should be accompanied by values. The Council of Europe emphasizes the importance of teaching values, attitudes, skills, and knowledge together in the field of cybersecurity. Pairing technical competence with values is essential for responsible use of cybersecurity skills.
While cybersecurity knowledge is powerful, there is a need to make products less vulnerable to hacking. Implementing security standards can help mitigate the risks associated with the misuse of cybersecurity knowledge. Additionally, ethical hackers can play a significant role in bolstering cybersecurity if employed effectively.
In summary, the analysis reveals significant challenges and gaps in the cybersecurity field, including the skills gap, lack of diversity, user behavior, insufficient awareness without education, the importance of understanding how technology works, and the need to intertwine knowledge with values and ethics. Collaborative efforts, diverse representation, user education, and a holistic approach to cybersecurity education are necessary to address these issues effectively and promote a safer digital environment.
Maarten Botterman
The analysis explores the perspectives of Maarten Botterman on the governance of emerging technologies, with a particular focus on AI and Quantum technology. Botterman emphasises the importance of proactive governance strategies to effectively navigate advancements in these fields.
According to Botterman, AI is already pervasive in various sectors, and there is a need to catch up in terms of governance. He advocates for the development of a roadmap for governance strategies to regulate the use of AI effectively. Similarly, proactive governance is vital for the responsible and secure development of Quantum technology, which is currently limited to technical circles.
Botterman also stresses the need for a comprehensive approach that considers both the risks and opportunities associated with emerging technologies. He argues that mapping the current risks and opportunities is crucial, but the focus should not be exclusively on risks. Recognising the potential benefits and the need for responsible deployment promotes informed decision-making and innovation.
Furthermore, Botterman highlights the significance of standardisation and global collaboration in governing emerging technologies. While progress is being made, coordination and effective communication between different stakeholders are still lacking. Botterman emphasises the necessity of developing standards in cooperation with international partners, avoiding isolated approaches. This collaboration will enable the establishment of universally accepted governance frameworks for AI and Quantum technology.
Additionally, Botterman supports the creation of a comparative report examining existing governance frameworks worldwide. This report would provide valuable insights for policymakers and researchers, assessing the strengths and weaknesses of different approaches. Botterman mentions examples such as the proposed Algorithmic Accountability Act in the United States and the EU AI Act.
Regarding IoT security, Botterman expresses a keen interest in research in this area and chairs the dynamic coalition for IoT. He highlights the ongoing work needed for IoT security, indicating the need for further efforts to ensure the security and privacy of connected devices.
In the context of internet regulation, Botterman raises questions about how new initiatives can effectively reach relevant authorities and influence their understanding. He emphasises the importance of improved communication channels between regulatory bodies and new initiatives, ensuring a comprehensive and up-to-date approach to internet regulation. Botterman suggests that existing frameworks and the IETF should be open to new ideas, promoting a proactive and receptive approach.
In summary, Botterman’s perspectives emphasise the need for proactive governance strategies, balanced consideration of risks and opportunities, global collaboration, the creation of comparative reports, and improved communication channels to effectively govern emerging technologies such as AI, Quantum technology, IoT security, and internet regulation.
Abraham Selby
Abraham Selby has shared a QR code that allows for the immediate download of reports on topics related to the Internet of Things (IoT) and procurement. These reports are available on their website, and a link to access the reports will also be shared in the chat. Abraham Selby expresses appreciation for the effort that has been put into compiling these reports.
The International Secure and Resilient Internet and Cybersecurity Community (IS3C) is dedicated to creating a secure and resilient Internet infrastructure while promoting global internet standards for online security and data privacy. They actively work towards addressing various Internet challenges through international cooperation and collaboration.
IS3C’s specific working groups contribute to several United Nations Sustainable Development Goals (SDGs), including SDG 3 for good health and well-being, SDG 8 for decent work and economic growth, and SDG 9 for industry, innovation, and infrastructure. These working groups focus on specific areas such as promoting a secure internet and data protection, which are directly aligned with the SDGs. IS3C’s work also contributes to the Global Digital Compact through collaborative efforts.
In summary, Abraham Selby’s sharing of the QR code signifies the availability of reports on IoT and procurement, highlighting their commitment to providing access to relevant information. Additionally, IS3C’s work in creating a secure internet infrastructure and promoting global internet standards reflects their dedication to sustainable development and contributing to the SDGs.
Mark Carvell
The coalition has made significant progress, especially in the last year, and has overcome numerous challenges. Launched a few years ago, the coalition has been working diligently to tackle issues related to cybersecurity and security standards. Through its working groups, the coalition has conducted valuable research that has advanced the understanding and implementation of security standards.
The research conducted by the coalition’s working groups has yielded tangible outcomes and provided a resilient platform for the future. This indicates that the coalition’s efforts have been successful and have resulted in practical and actionable results, which will contribute to further progress in cybersecurity.
Continued support and involvement from participants are crucial for the coalition’s success. The coalition emphasizes the need for help from the audience and advocates for spreading awareness about its objectives. By inviting contributions in areas such as security by design and launching the hub, the coalition seeks to foster a collaborative environment where individuals with knowledge and expertise can come together to address security challenges.
Furthermore, the coalition advocates for proactive global coordination to effectively address security issues. It envisions the establishment of a hub that brings together experts from different fields to bridge gaps in the deployment of key security standards. Such an approach would allow for comprehensive and coordinated efforts to tackle security issues globally, enhancing the effectiveness of security measures and ensuring the development and implementation of robust security standards.
In conclusion, the coalition has made remarkable progress, especially in the last year, and has overcome various challenges through its dedicated efforts. The tangible outcomes achieved provide a solid foundation for future advancements in the field of cybersecurity. Continued support and involvement from participants are necessary for the coalition’s success, and proactive global coordination is advocated to address security issues effectively. The establishment of a hub that brings together experts from diverse backgrounds would enable a collaborative approach to address gaps in security standards deployment.
Stephen WG5
Working Group 5 has taken steps towards facilitating governments and organizations in making secure ICT procurement decisions. They have developed a comprehensive list that serves as a guide for procurement officers, ensuring that security is embedded in their decisions. This is of utmost importance in today’s era, where the lack of essential standards can leave users vulnerable to cyber threats.
The developed list focuses on four core domains: data protection and privacy, network and infrastructure security, website and web application security, and communication security. By addressing these areas, procurement officers can make informed decisions, ensuring that the ICT products and services they acquire meet the necessary security standards.
The list is based on four foundational principles: interoperability, robust security, openness, and ecosystem-wide readiness and implementation. These principles ensure that the ICT solutions acquired align with existing infrastructure, are secure and resilient, are accessible to all stakeholders, and can be readily implemented on a global scale.
One key aspect highlighted is the hidden nature of essential standards. In the current landscape, first-mover disadvantages are prevalent, and it is crucial for organizations to adopt the recommended standards. The developed list acts as a valuable resource, guiding procurement officers and preventing them from unknowingly acquiring products and services that do not meet the necessary security requirements.
Working Group 5 encourages collective intelligence and invites cyber and ICT experts to propose enhancements to the list. By leveraging the expertise and knowledge of these professionals, the group aims to ensure that the list remains dynamic, relevant, and globally applicable. This approach emphasizes the importance of collaboration and continual improvement in the field of ICT procurement.
Global initiatives play a significant role in the implementation of these advocated standards. The validation and amplification of the applicability of these standards by initiatives such as Internet.nl by the Dutch government, the Internet Hygiene Portal by the Singapore government, and WebChat PT by the Portuguese government are crucial in putting these standards into operation. By showcasing successful implementations, these initiatives demonstrate the importance and practicality of adhering to the recommended standards.
In conclusion, Working Group 5’s development of the list serves as a valuable resource for procurement officers. By addressing key domains and principles, the list ensures that secure and informed ICT procurement decisions are made. The encouragement of collective intelligence and the validation of these standards through global initiatives further enhance the list’s relevance and applicability. Overall, this work contributes to the broader goal of promoting security and stability in the procurement of ICT solutions.
Nicolas Fiumarelli
The analysis encompasses a range of documents and discussions on IoT security, highlighting the crucial need for a comprehensive security by design approach. This approach is essential in maintaining the integrity of the interconnected ecosystem. By implementing security measures from the beginning, IoT devices can be better protected against potential threats and vulnerabilities.
Collaboration and multi-stakeholder involvement are also vital in ensuring robust IoT security. The analysis suggests that joint efforts and partnerships play a significant role in bolstering the security of IoT systems. Examples of inclusive policies, such as those observed in Korea, demonstrate the benefits of engaging multiple stakeholders in addressing security challenges.
The use of open standards is recommended to enhance IoT device security. Specifically, standards proposed by organizations like the Internet Engineering Task Force (IETF) are valued for promoting transparency, collaboration, and interoperability. These open standards provide a framework for developing secure and compatible IoT devices and systems.
Proactive threat management and user empowerment are identified as crucial elements in IoT security. The literature emphasizes the need for proactive vulnerability disclosure policies and highlights the importance of user awareness, transparency, and international cooperation. Empowering users to actively engage in security practices significantly improves the overall security of IoT systems.
Integrating security updates directly with device warranty policies is recommended to ensure long-term security. This approach guarantees that IoT devices receive regular updates to address emerging threats and vulnerabilities, ensuring ongoing protection and functionality. Embedding security within the framework of device warranties incentivizes manufacturers to provide timely updates.
Awareness campaigns and education are essential for policymakers to stay informed about the standards and practices needed to address IoT security. Promoting awareness campaigns and organizing tutorials ensures that policymakers are well-informed about the best practices to adopt. This enables them to make informed decisions regarding policy development and regulatory frameworks.
Manufacturers and service providers are encouraged to take the lead in implementing security measures. Strong passwords and continuous software updates are highlighted as essential security practices that should be ensured during the design and manufacturing phases. By taking responsibility for these security measures, manufacturers and service providers can enhance the overall security of IoT devices without burdening users.
Policy documents should reference the work of standardization organizations, such as the IETF, and their efforts in developing IoT protocols. This ensures that policymakers are aware of existing standards and can align their policies accordingly. However, the current policy documents do not sufficiently acknowledge the work of these standardization organizations in critical areas such as Software Update on the Internet of Things and Trusted Security Environment Protocols.
The analysis suggests greater involvement of policymakers in improving processes related to IoT security. The pressure to enhance IoT security will require policymakers to actively engage in developing regulations and standards.
Lastly, organizing more awareness campaigns and training activities is recommended to increase understanding and awareness of IoT security issues. Interested parties can seek knowledge and training from organizations like the International Secure Systems Technical Centre (ISTC) to gain a deeper understanding of IoT security challenges and best practices.
In conclusion, the analysis emphasizes the importance of a comprehensive security by design approach, collaborative efforts, open standards, proactive threat management, user empowerment, integration of security updates, awareness campaigns, education, and policy maker involvement. Addressing these aspects is crucial in enhancing the security of IoT devices and systems and mitigating potential vulnerabilities in an increasingly interconnected world.
Speakers
Abraham
Report
Abraham Selby has shared a QR code that allows for the immediate download of reports on topics related to the Internet of Things (IoT) and procurement. These reports are available on their website, and a link to access the reports will also be shared in the chat.
Abraham Selby expresses appreciation for the effort that has been put into compiling these reports.
The International Secure and Resilient Internet and Cybersecurity Community (IS3C) is dedicated to creating a secure and resilient Internet infrastructure while promoting global internet standards for online security and data privacy.
They actively work towards addressing various Internet challenges through international cooperation and collaboration.
IS3C’s specific working groups contribute to several United Nations Sustainable Development Goals (SDGs), including SDG 3 for good health and well-being, SDG 8 for decent work and economic growth, and SDG 9 for industry, innovation, and infrastructure.
These working groups focus on specific areas such as promoting a secure internet and data protection, which are directly aligned with the SDGs. IS3C’s work also contributes to the Global Digital Compact through collaborative efforts.
In summary, Abraham Selby’s sharing of the QR code signifies the availability of reports on IoT and procurement, highlighting their commitment to providing access to relevant information.
Additionally, IS3C’s work in creating a secure internet infrastructure and promoting global internet standards reflects their dedication to sustainable development and contributing to the SDGs.
Report
The analysis provides a comprehensive examination of various aspects of internet security protocols and policy development. One argument put forward is that the adoption of internet security protocols is not happening fast enough. This is attributed to the fact that the underlying protocols, such as the Domain Name System (DNS) and the BGP routing protocol, were developed in the previous century without initially considering security.
The analysis highlights a negative sentiment towards this issue.
The analysis also argues that if these security protocol adoption issues are not addressed promptly, there is a risk of potential service interruptions that could significantly impact online businesses.
The sentiment surrounding this argument is also negative. The inclusion of security features at the fundamental level is deemed crucial to ensuring the smooth functioning and reliability of the internet.
Regulation is another topic of concern raised in the analysis.
It is suggested that if security protocols are not adopted rapidly enough, legislators may consider stepping in to regulate the industry. However, there is recognition that regulation could have unintended consequences, which adds a negative sentiment to this argument.
On a more positive note, the analysis introduces the idea that a multi-stakeholder context can play a pivotal role in solving the challenges of security protocol adoption.
It is mentioned that the knowledge and experiences necessary to address security issues are available. Contrary to common perception, the analysis highlights that solving these issues is not as technically complex or expensive as many might believe. Furthermore, the adoption of security protocols is deemed beneficial for everyone involved.
In the realm of IoT security, the analysis suggests the need to continue analyzing new policy documents, incorporating new conclusions and recommendations.
It is argued that these policy documents can help enhance current standards and practices related to IoT security.
The analysis also touches upon the challenges associated with compliance requirements and communication to engineering teams in the context of regulation.
It is noted that tackling compliance requirements and effectively communicating them to engineering teams can be a significant challenge. The negative sentiment attached to this argument reflects the difficulty observed in finding relevant documents on the subject.
There is increasing pressure for policy makers to be more actively involved in future cybersecurity processes.
The analysis emphasizes the importance of increased awareness activities and training for policy makers in this field. The positive sentiment associated with this argument indicates the significance placed on policy makers’ engagement.
Another noteworthy point discussed is the ethical responsibility and preparedness of cybersecurity professionals in relation to their societal roles.
The analysis draws a comparison between cybersecurity professionals and undercover officers using dangerous tools to test systems. The sentiment here is negative, suggesting concerns over the ethical conduct of cybersecurity professionals in their line of work.
The analysis also highlights the importance of incorporating security by design for online safety.
The sentiment attached to this argument is positive as security by design is considered crucial to mitigate safety risks posed by products that do not adopt this approach. In addition, the analysis underscores the need for education to complement awareness of internet safety measures, as awareness alone is deemed insufficient.
A negative sentiment is associated with this argument.
Regarding the training of next-generation cybersecurity professionals, the analysis suggests that it is a learning challenge. The sentiment is neutral, indicating a balance between understanding the highly specific and potentially dangerous knowledge in the cybersecurity space and the need for professionals to comprehend their role in ensuring security.
The analysis also sheds light on the progress made by a coalition in researching and strengthening the platform’s security through tangible outcomes.
It is mentioned that the coalition plans to launch a hub and welcomes active involvement and contributions from the public. The sentiment associated with this topic is positive, suggesting a recognition of the value of collaboration and public engagement.
Lastly, the analysis addresses the challenges in implementing security standards, highlighting that these challenges are not solely technical but often influenced by political and economic factors.
The analysis also points out a lack of shared understanding or agreement on legal matters across different jurisdictions. This highlights the need for harmonization and collaboration in the international cybersecurity landscape, and the sentiment is neutral.
In conclusion, the analysis provides a comprehensive overview of various aspects of internet security protocols and policy development.
It highlights the need for faster adoption of security protocols, the potential consequences of inaction, the possibility of regulation, and the importance of a multi-stakeholder context in addressing these issues. It also emphasizes the significance of IoT security, compliance requirements, policy maker involvement, the ethical conduct of cybersecurity professionals, education, and public engagement.
The analysis underlines the importance of incorporating security by design and the challenges surrounding training next-generation cybersecurity professionals. Furthermore, it acknowledges the progress made by a coalition in researching and strengthening cybersecurity efforts. Finally, it recognizes the political, economic, and legal challenges associated with implementing security standards.
These insights and observations provide valuable input for policymakers, stakeholders, and anyone involved in the field of internet security.
David
Report
The overall success of the internet in seamlessly connecting devices and networks can be attributed to standardisation. Engineers have embraced common standards, enabling the internet to work uniformly across various devices and networks. This standardisation has played a vital role in ensuring interoperability and enabling the internet to function consistently for users on iPhones, Android devices, and other platforms.
The very foundation of the internet was built upon these widely adopted standards.
Two fundamental standards, BGP (Border Gateway Protocol) and DNS (Domain Name System), serve as the building blocks for all internet services. BGP facilitates routing, allowing different networks to communicate with each other effectively.
Without BGP, the internet would face difficulties in routing data packets and maintaining efficient connectivity. DNS, on the other hand, is responsible for translating human-readable domain names into IP (Internet Protocol) addresses, making it possible for users to access websites using familiar domain names rather than complex numerical addresses.
DNS enables the scaling of the internet beyond just IP addresses, enhancing usability and accessibility for users worldwide.
Unfortunately, when it comes to internet security, the adoption of DNSSEC (Domain Name System Security Extensions) and RPKI (Resource Public Key Infrastructure) standards has proven to be insufficient.
DNSSEC aims to secure the DNS by providing authentication and integrity checks, preventing DNS spoofing and other malicious activities. However, the global deployment of DNSSEC currently stands at only around 15-20%. Similarly, RPKI, which provides a framework for verifying the legitimacy of routing information, also lacks sufficient adoption.
The insufficient adoption of these security standards poses risks to the stability and security of the internet.
In light of these challenges, policy makers and decision makers are urged to prioritise the adoption of DNSSEC and RPKI as basic standards for a safer internet.
DNSSEC and RPKI play critical roles in ensuring the security of the DNS and BGP, respectively. The current level of adoption falls short, emphasising the need for concerted efforts towards implementing these standards. By embracing DNSSEC and RPKI, stakeholders can work towards a more secure and resilient internet infrastructure, safeguarding users’ data and protecting against various threats.
In conclusion, standardisation has been instrumental in allowing the internet to function seamlessly across devices and networks.
BGP and DNS serve as essential standards for enabling internet services. However, the adoption of DNSSEC and RPKI security standards has been inadequate, highlighting the need for increased emphasis and adoption. Policy makers and decision makers have an important role to play in prioritising these security standards to build a safer internet environment for all users.
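The RPKI check described above, deciding whether the network that originates a BGP announcement is authorised to do so, can be shown in a few lines. This is an added example, not material from the session or from IS3C: it follows the RFC 6811 origin-validation classification, assumes the route authorisations (ROAs) have already been cryptographically verified, and uses constructed prefixes and AS numbers.

```python
"""RPKI route origin validation (RFC 6811) over constructed sample data."""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class VRP:
    """Validated ROA Payload: what one verified ROA authorises."""
    prefix: Network
    max_length: int   # longest prefix length the origin may announce
    asn: int          # authorised origin AS (0 means "nobody may originate")


def make_vrp(prefix: str, asn: int, max_length: Optional[int] = None) -> VRP:
    net = ipaddress.ip_network(prefix)
    if max_length is None:
        max_length = net.prefixlen          # default: exact length only
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError(f"maxLength {max_length} out of range for {net}")
    return VRP(net, max_length, asn)


def validate_origin(route_prefix: str, origin_asn: int,
                    vrps: Iterable[VRP]) -> str:
    """Return 'valid', 'invalid' or 'not-found' for one announcement."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for vrp in vrps:
        if vrp.prefix.version != route.version:
            continue                        # never compare IPv4 with IPv6
        if not route.subnet_of(vrp.prefix):
            continue                        # this VRP does not cover the route
        covered = True
        if (vrp.asn != 0 and vrp.asn == origin_asn
                and route.prefixlen <= vrp.max_length):
            return "valid"                  # one matching VRP is enough
    # Covered but no match: wrong origin, too specific, or an AS0 ROA.
    return "invalid" if covered else "not-found"


# Constructed sample data: documentation prefixes and documentation ASNs.
SAMPLE_VRPS: List[VRP] = [
    make_vrp("192.0.2.0/24", 64496),
    make_vrp("198.51.100.0/24", 64497, max_length=25),
    make_vrp("2001:db8::/32", 64498, max_length=48),
    make_vrp("203.0.113.0/24", 0),          # AS0: prefix must not be routed
]

SAMPLE_ANNOUNCEMENTS: List[Tuple[str, int]] = [
    ("192.0.2.0/24", 64496),        # authorised origin
    ("192.0.2.0/24", 64511),        # same prefix, unauthorised origin
    ("192.0.2.128/25", 64496),      # right origin, more specific than allowed
    ("198.51.100.128/25", 64497),   # more specific, within maxLength
    ("2001:db8:1::/48", 64498),     # IPv6, within maxLength
    ("203.0.113.0/24", 64499),      # covered only by an AS0 ROA
    ("198.18.0.0/15", 64500),       # no ROA exists for this space
]


def classify(announcements: Iterable[Tuple[str, int]],
             vrps: Iterable[VRP]) -> List[Tuple[str, int, str]]:
    vrps = list(vrps)
    return [(p, a, validate_origin(p, a, vrps)) for p, a in announcements]


def summarise(results: Iterable[Tuple[str, int, str]]) -> Counter:
    return Counter(state for _, _, state in results)


if __name__ == "__main__":
    results = classify(SAMPLE_ANNOUNCEMENTS, SAMPLE_VRPS)
    for prefix, asn, state in results:
        print(f"{prefix:<20} AS{asn:<6} {state}")
    print(dict(summarise(results)))
```

A network that has published no ROA only ever yields "not-found", which a router cannot distinguish from a hijack; that is why low adoption limits what validation can protect.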
Janice
Report
According to a survey conducted in 66 countries, there is a significant gap between the skills that the cybersecurity industry requires and the skills that tertiary education institutes provide. The industry demands graduates who understand how the internet and cloud work, whereas universities are producing graduates skilled in coding and ethical challenges, but lacking in practical knowledge.
This skills mismatch has serious implications for the industry.
The survey also reveals that a high percentage of graduates, 67%, lack essential soft transversal skills that are crucial for adapting to future challenges in cybersecurity. Moreover, cyber attacks are increasing at a faster rate than the allocation of resources to combat them, highlighting the urgency to address this issue.
To bridge the skills gap and promote collaboration, the establishment of a cybersecurity hub is necessary.
Such a hub would coordinate efforts, drive diversity, provide authentic learning resources, and gather best practices to meet the real needs of the cybersecurity industry. Denmark’s approach to a similar hub has shown promising progress.
In addition to the skills gap, the lack of diversity in the cybersecurity industry, particularly in terms of gender, is hindering innovation and creative problem-solving.
Encouraging a more diverse workforce, including women, can bring fresh perspectives and varied approaches to enhance the industry’s progress.
The survey also identifies users as the weakest link in maintaining cybersecurity. Although users are often aware of what is right in terms of internet safety, they fail to consistently practice safe online behavior.
Thus, increasing awareness and providing education on best practices is crucial to address this issue.
Merely being aware of cybersecurity risks is insufficient without proper education. It is imperative to understand the impact and consequences of one’s actions.
However, the expensive nature of resources for cybersecurity education limits access, exacerbating the problem. Efforts should be made to make cybersecurity education more accessible to all.
Users must go beyond simply learning to use technology and strive to understand how it works.
This understanding allows for better navigation of ethical challenges in the technology-driven world. Ethical understanding in technology is meaningless without a comprehension of the underlying mechanisms.
Moreover, knowledge in cybersecurity should be accompanied by values. The Council of Europe emphasizes the importance of teaching values, attitudes, skills, and knowledge together in the field of cybersecurity.
Pairing technical competence with values is essential for responsible use of cybersecurity skills.
While cybersecurity knowledge is powerful, there is a need to make products less vulnerable to hacking. Implementing security standards can help mitigate the risks associated with the misuse of cybersecurity knowledge.
Additionally, ethical hackers can play a significant role in bolstering cybersecurity if employed effectively.
In summary, the analysis reveals significant challenges and gaps in the cybersecurity field, including the skills gap, lack of diversity, user behavior, insufficient awareness without education, the importance of understanding how technology works, and the need to intertwine knowledge with values and ethics.
Collaborative efforts, diverse representation, user education, and a holistic approach to cybersecurity education are necessary to address these issues effectively and promote a safer digital environment.
Maarten
Report
The analysis explores the perspectives of Maarten Botterman on the governance of emerging technologies, with a particular focus on AI and Quantum technology. Botterman emphasises the importance of proactive governance strategies to effectively navigate advancements in these fields.
According to Botterman, AI is already pervasive in various sectors, and there is a need to catch up in terms of governance.
He advocates for the development of a roadmap for governance strategies to regulate the use of AI effectively. Similarly, proactive governance is vital for the responsible and secure development of Quantum technology, which is currently limited to technical circles.
Botterman also stresses the need for a comprehensive approach that considers both the risks and opportunities associated with emerging technologies.
He argues that mapping the current risks and opportunities is crucial, but the focus should not be exclusively on risks. Recognising the potential benefits and the need for responsible deployment promotes informed decision-making and innovation.
Furthermore, Botterman highlights the significance of standardisation and global collaboration in governing emerging technologies.
While progress is being made, coordination and effective communication between different stakeholders are still lacking. Botterman emphasises the necessity of developing standards in cooperation with international partners, avoiding isolated approaches. This collaboration will enable the establishment of universally accepted governance frameworks for AI and Quantum technology.
Additionally, Botterman supports the creation of a comparative report examining existing governance frameworks worldwide.
This report would provide valuable insights for policymakers and researchers, assessing the strengths and weaknesses of different approaches. Botterman mentions examples such as the proposed Algorithmic Accountability Act in the United States and the EU AI Act.
Regarding IoT security, Botterman expresses a keen interest in research in this area and chairs the dynamic coalition for IoT.
He highlights the ongoing work needed for IoT security, indicating the need for further efforts to ensure the security and privacy of connected devices.
In the context of internet regulation, Botterman raises questions about how new initiatives can effectively reach relevant authorities and influence their understanding.
He emphasises the importance of improved communication channels between regulatory bodies and new initiatives, ensuring a comprehensive and up-to-date approach to internet regulation. Botterman suggests that existing frameworks and the IETF should be open to new ideas, promoting a proactive and receptive approach.
In summary, Botterman’s perspectives emphasise the need for proactive governance strategies, balanced consideration of risks and opportunities, global collaboration, the creation of comparative reports, and improved communication channels to effectively govern emerging technologies such as AI, Quantum technology, IoT security, and internet regulation.
Mark
Report
The coalition has made significant progress, especially in the last year, and has overcome numerous challenges. Launched a few years ago, the coalition has been working diligently to tackle issues related to cybersecurity and security standards. Through its working groups, the coalition has conducted valuable research that has advanced the understanding and implementation of security standards.
The research conducted by the coalition’s working groups has yielded tangible outcomes and provided a resilient platform for the future.
This indicates that the coalition’s efforts have been successful and have resulted in practical and actionable results, which will contribute to further progress in cybersecurity.
Continued support and involvement from participants are crucial for the coalition’s success.
The coalition emphasizes the need for help from the audience and advocates for spreading awareness about its objectives. By inviting contributions in areas such as security by design and launching the hub, the coalition seeks to foster a collaborative environment where individuals with knowledge and expertise can come together to address security challenges.
Furthermore, the coalition advocates for proactive global coordination to effectively address security issues.
It envisions the establishment of a hub that brings together experts from different fields to bridge gaps in the deployment of key security standards. Such an approach would allow for comprehensive and coordinated efforts to tackle security issues globally, enhancing the effectiveness of security measures and ensuring the development and implementation of robust security standards.
In conclusion, the coalition has made remarkable progress, especially in the last year, and has overcome various challenges through its dedicated efforts.
The tangible outcomes achieved provide a solid foundation for future advancements in the field of cybersecurity. Continued support and involvement from participants are necessary for the coalition’s success, and proactive global coordination is advocated to address security issues effectively.
The establishment of a hub that brings together experts from diverse backgrounds would enable a collaborative approach to address gaps in security standards deployment.
Moderator
Report
The session titled “How IS3C is going to save the internet” was introduced by Wout de Natris, who coordinates the session. The session is part of the Dynamic Coalition on Internet Standards, Security, and Safety (IS3C) under the Internet Governance Forum (IGF).
The aim of the session is to promote a more secure and safe internet through the deployment of internet standards. The overarching goal is to safeguard the internet and ensure its resilience and inclusivity.
Marc Garvel, the senior policy advisor for the IS3C, was praised for his credentials and contribution to the coalition.
He assists with steering the IS3C in its efforts to achieve its objectives. His expertise and experience play a crucial role in the development and implementation of policies for internet security standards.
Stephen Tan, a member of the advisory panel, is working on developing a tool that will allow governments and industries to effectively utilize internet standards.
The tool, referred to as “the list,” is aimed at ensuring the timely updating and deployment of internet standards. By providing a comprehensive resource, it will help stakeholders navigate the complexities and rapidly evolving landscape of internet standards.
The session focused on several key aspects related to internet security and safety, including education and skills, IoT security, and emerging technologies.
Janice Richardson chairs the Working Group on Education and Skills, Nicolas Fiumarelli chairs the Security by Design of the Internet of Things Group, and Maarten Botterman serves as the vice-chair of the Working Group on emerging technologies. These working groups play a vital role in addressing the challenges and opportunities in their respective areas of focus.
One of the working groups, Working Group 6, encountered a delay in publishing their report, which was a regrettable occurrence.
However, the session did not provide any details or reasons for the delay.
Concerns were raised regarding the major challenges facing IoT security, particularly regarding the lack of implementation of existing standards and security measures. The significance of user involvement in threat management and the role of global standard unification were highlighted.
It was acknowledged that many businesses lack the incentive to deploy improved security measures, and the lack of unified standards poses a significant obstacle to IoT security.
The importance of a comprehensive security by design approach for IoT was emphasized by Working Group 1.
They have developed recommendations after analyzing over 30 documents and 400 best practices. This approach focuses on integrating security measures into the design and development of IoT systems from the outset.
The session also highlighted the importance of effective procurement and supply chain management for IoT security.
Concerns were raised about the lack of a level playing field for companies that implement robust security measures, as they face higher costs. The procurement documents studied hardly ever discussed cybersecurity or demanded internet standards, which poses a significant risk to overall IoT security.
Advocacy for the mandatory implementation of security standards in the procurement process was expressed.
Examples were provided, such as the Dutch Ministry of Interior enforcing the mandatory implementation of 43 open standards, and Microsoft gradually being pushed to deploy DNSSEC and other standards due to such policies. The Internet.nl tool, which allows users to check a company’s security score, was also highlighted as a valuable resource.
The session informed participants that new reports on IoT and procurement are available for access through QR code scanning or website links.
This digital distribution of reports represents a modern approach to sharing knowledge, replacing the previous method of printing physical copies.
The session also highlighted the progress of the working groups. Two of the working groups are already functioning, and efforts are underway to generate new outcomes.
Additionally, a new working group is expected to start in 2024, further expanding the spectrum of topics and expertise within the coalition.
Wout de Natris expressed his anticipation for positive outcomes from the current and future working groups. In particular, Stephen Tan, an expert in the advisory panel of Working Group 8, was expected to explain the group’s objectives, contributing to the coalition’s overall goals.
The IS3C coalition is currently running a public consultation to invite critique and enhancements to their guiding compass list.
This list serves as a foundational guide for decision-makers in making secure and informed ICT procurement decisions. The coalition believes that global collaboration and transparency are vital for navigating the complexities of the digital realm and ensuring a secure, reliable, and inclusive internet for all.
The session also touched on the importance of internet security standards, such as DNSSEC and RPKI, and their low adoption rates globally.
Despite being in existence for a long time, many industries and governments have yet to fully implement these standards, leaving the internet vulnerable to attacks.
The need for a change in how these security standards are described and communicated to CEOs and directors was advocated.
The aim is to bridge the gap between technical terminology and non-technical decision-makers, ensuring a better understanding and adoption of these crucial security measures.
The session emphasized the importance of IS3C’s work in contributing to the United Nations’ Sustainable Development Goals (SDGs).
By promoting a secure and resilient internet infrastructure and raising awareness about the importance of deploying global internet standards, the IS3C is actively working towards achieving SDG targets related to good health and well-being, industry, innovation, and infrastructure, sustainable cities and communities, and more.
The session concluded by addressing the global nature of internet security, stressing the importance of organizations such as ICANN and RIPE NCC in supporting the successful deployment of DNSSEC and RPKI.
It also acknowledged the multidimensional nature of security, extending beyond technical aspects and involving values, attitudes, skills, knowledge, and critical understanding. The session underscored the need for prevention, rather than mitigation, in cybersecurity, and stressed the importance of consumer advocacy and standardized protocols for vulnerability disclosure.
Overall, the session was an opportunity to discuss and shed light on the various challenges and opportunities in internet standards, security, and safety.
It emphasized the urgency and collaborative efforts required to address these challenges effectively, with the ultimate goal of creating a safer and more secure digital landscape for users worldwide.
&
’Nicolas
Speech speed
0 words per minute
Speech length
words
Speech time
0 secs
Report
The analysis encompasses a range of documents and discussions on IoT security, highlighting the crucial need for a comprehensive security by design approach. This approach is essential in maintaining the integrity of the interconnected ecosystem. By implementing security measures from the beginning, IoT devices can be better protected against potential threats and vulnerabilities.
Collaboration and multi-stakeholder involvement are also vital in ensuring robust IoT security.
The analysis suggests that joint efforts and partnerships play a significant role in bolstering the security of IoT systems. Examples of inclusive policies, such as those observed in Korea, demonstrate the benefits of engaging multiple stakeholders in addressing security challenges.
The use of open standards is recommended to enhance IoT device security.
Specifically, standards proposed by organizations like the Internet Engineering Task Force (IETF) are valued for promoting transparency, collaboration, and interoperability. These open standards provide a framework for developing secure and compatible IoT devices and systems.
Proactive threat management and user empowerment are identified as crucial elements in IoT security.
The literature emphasizes the need for proactive vulnerability disclosure policies and highlights the importance of user awareness, transparency, and international cooperation. Empowering users to actively engage in security practices significantly improves the overall security of IoT systems.
Integrating security updates directly with device warranty policies is recommended to ensure long-term security.
This approach guarantees that IoT devices receive regular updates to address emerging threats and vulnerabilities, ensuring ongoing protection and functionality. Embedding security within the framework of device warranties incentivizes manufacturers to provide timely updates.
Awareness campaigns and education are essential for policymakers to stay informed about the standards and practices needed to address IoT security.
Promoting awareness campaigns and organizing tutorials ensures that policymakers are well-informed about the best practices to adopt. This enables them to make informed decisions regarding policy development and regulatory frameworks.
Manufacturers and service providers are encouraged to take the lead in implementing security measures.
Strong passwords and continuous software updates are highlighted as essential security practices that should be ensured during the design and manufacturing phases. By taking responsibility for these security measures, manufacturers and service providers can enhance the overall security of IoT devices without burdening users.
Policy documents should reference the work of standardization companies, such as the IETF, and their efforts in developing IoT protocols.
This ensures that policymakers are aware of existing standards and can align their policies accordingly. However, the current policy documents do not sufficiently acknowledge the work of these standardization companies in critical areas such as Software Update on the Internet of Things and Trusted Security Environment Protocols.
The analysis suggests greater involvement of policymakers in improving processes related to IoT security.
The pressure to enhance IoT security will require policymakers to actively engage in developing regulations and standards.
Lastly, organizing more awareness campaigns and training activities is recommended to increase understanding and awareness of IoT security issues. Interested parties can seek knowledge and training from organizations like the International Secure Systems Technical Centre (ISTC) to gain a deeper understanding of IoT security challenges and best practices.
In conclusion, the analysis emphasizes the importance of a comprehensive security by design approach, collaborative efforts, open standards, proactive threat management, user empowerment, integration of security updates, awareness campaigns, education, and policymaker involvement.
Addressing these aspects is crucial in enhancing the security of IoT devices and systems and mitigating potential vulnerabilities in an increasingly interconnected world.
Stephen
Report
Working Group 5 has taken steps towards facilitating governments and organizations in making secure ICT procurement decisions. They have developed a comprehensive list that serves as a guide for procurement officers, ensuring that security is embedded in their decisions. This is of utmost importance in today’s era, where the lack of essential standards can leave users vulnerable to cyber threats.
The developed list focuses on four core domains: data protection and privacy, network and infrastructure security, website and web application security, and communication security.
By addressing these areas, procurement officers can make informed decisions, ensuring that the ICT products and services they acquire meet the necessary security standards.
The list is based on four foundational principles: interoperability, robust security, openness, and ecosystem-wide readiness and implementation.
These principles ensure that the ICT solutions acquired align with existing infrastructure, are secure and resilient, are accessible to all stakeholders, and can be readily implemented on a global scale.
One key aspect highlighted is the hidden nature of essential standards.
In the current landscape, first-mover disadvantages are prevalent, and it is crucial for organizations to adopt the recommended standards. The developed list acts as a valuable resource, guiding procurement officers and preventing them from unknowingly acquiring products and services that do not meet the necessary security requirements.
Working Group 5 encourages collective intelligence and invites cyber and ICT experts to propose enhancements to the list.
By leveraging the expertise and knowledge of these professionals, the group aims to ensure that the list remains dynamic, relevant, and globally applicable. This approach emphasizes the importance of collaboration and continual improvement in the field of ICT procurement.
Global initiatives play a significant role in the implementation of these advocated standards.
Initiatives such as Internet.nl by the Dutch government, the Internet Hygiene Portal by the Singapore government, and WebChat PT by the Portuguese government validate and amplify the applicability of these standards, and are crucial in putting them into operation.
By showcasing successful implementations, these initiatives demonstrate the importance and practicality of adhering to the recommended standards.
In conclusion, Working Group 5’s development of the list serves as a valuable resource for procurement officers. By addressing key domains and principles, the list ensures that secure and informed ICT procurement decisions are made.
The encouragement of collective intelligence and the validation of these standards through global initiatives further enhance the list’s relevance and applicability. Overall, this work contributes to the broader goal of promoting security and stability in the procurement of ICT solutions.