IGF 2023 - Day 3 - DC-IoT Progressing Global Good Practice for the Internet of Things - RAW

The following are the outputs of the captioning taken during an IGF intervention. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid, but should not be treated as an authoritative record.

***

 

>> Good morning, everybody. Welcome  --  good morning, Jonathan. Welcome to the session of "Progressing Global Good Practice for the Internet of Things". I will give a short introduction to get us all up to speed what this is about. And then we will dive into the panel discussion with a couple of introductions. Everybody is invited to participate. If you have clarifying questions, we will take those earlier and discussion is for after the contributions.

>> MODERATOR: So with that, I would like to see the slides.

I need to do it from the slide room.

I can see, yeah, we are online. The internet of things, the dynamic relation is really talking about how to get to global good practice on the internet of things. Development that has been progressing over many years. The internet of things, for all clarity is technology that we need. And it comes with benefits as well as challenges. Like all new technologies. And it offers opportunities to respond to today's challenges in ways that were never possible before. Yet it comes with new ones.

And just to remind our preempting any discussion, technologies are not good or bad, the way we use them.

Particularly, we need them for addressing societal issues, also on the global level, across borders. And this is a global technology, and is developed globally and adopted locally.

So it requires sharing global knowledge about solutions. As well as local knowledge about what needs to happen and action to make things happen to go beyond talking about it.

There's many different applications and just to give a little bit impression of the width, the buoy you see, tsunami buoy and it's connected. It measures the waves. So this gives the people at the coast of vulnerable areas just a half hour or hour extra to get away from the coast when necessary.

Under that you see a sensor which will sensor your blood pressure changes. It will warn you, your blood pressure is going up, maybe lay down and call somebody to rescue you, because maybe you are in a heart attack imminent.

Just above that is in-room measure, you can see there's a lot of different applications ranging from wildlife tracking to autonomous systems that manage networks of roads around busy cities.

Am I going the wrong way?

So we talk about a global approach for society at this global IGF. We have been talking about it in regional IGF more focused in the region that's brought a lot of insight. Also that global solutions aren't always the best locally or regionally.

IoT for us is a specific aspect of the internet, like social media, access to information and it does link to A.I., it does link to big data. It generates data, it uses data.

Specific characteristics the development of future network include, in particular the collecting, storing and providing access to many data related on observation by sensors.

It's autonomous networks to take action following receipt of specific data on sensors and take preprogramme sensor models and learn from it, and A.I. is a clear component that adds to that development and what it can do.

IoT is also, because it's physical as well, something that you can actually weaponize. Whether the multi-devices or IoT devices, that is something to be aware of.

So these specifics make a difference. Dynamic Coalition is set up in 2008, so we celebrate our 15th year and active ever since.

Also regional meetings. And as said, the aim is to develop global good practice. And the dialogue is about meeting multistakeholder on equal terms at global level.

The principle that we currently have and that is always subject to review is taking ethical considerations into account from the outset and find ethical sustainable way ahead, using IoT to create a free, secure and enabling rights-based environment. The future we want.

And for the case of time, I would like to introduce our first speaker today. We both grew older.

This is 2016, it relates to the fundments of the internet. Very happy to have Vint Cerf speak here on how that relates to IoT and how that fits in the vision for the future as well.

>> VINT CERF: Thank you all very much for the invitation to join you. I will have to scoot quickly, I have a Leadership Panel meeting to run at 9:00. My normal one-hour rant will have to be curtailed. The headline I want to avoid is 100,000 refrigerators attack Bank of America. Unfortunately we already had headlines similar to that. Attack from webcams is a good example of that.

The first point I want to make standards in interoperability are critical. We want multiple manufacturers' devices to have compatible kinds of control models. So as consumers of these devices we can acquire and configure them in a way that's useful.

The second thing is that every one of these devices is going to have to have an operating system in it. And we had better insist the operating systems both be as secure as possible and also be updatable, because there will be bugs, they need to be corrected. The device in situ needs to be upgradable to correct for vulnerabilities or add more opability.

At the point where you are provisioning the device, putting it into use, it needs to have a strong way authenticated identity, which could be validated remotely.

It also needs to know what other devices it's allowed to talk to. We should insist the device be provisioned to know how to validate an incoming query or incoming demand from another device so it is not subject to take over by an unauthorized body.

The device should have limited access control list. It will listen to and it would ignore. There's a scaling issue here because the number of devices you might have in a residence could number in the hundreds in the long term if every light bulb has its own for example, we could be talking about thousands, so configure management and control needs to be programmable. You don't want to be spending the weekend typing into them. The scaling is important.

There's a dynamic discovery question for some of these devices. When something shows up, it should become part of the residential network or part of the corporate network or manufacturing network. You would like to automatically find a way to configure it, but you clearly don't want the wrong parties to be automatically configured in. In a residential setting you can imagine the service person coming to do maintenance, they might have a mobile with them or other devices. You might detect their presence but you have to make the system decide whether or not to incorporate that device into the local control or not. And you might as the owner of the system be asked should I configure the maintenance mobile into the household network or not.

Once again we have to have capability for doing dynamic addition. If you bought a new IoT device you would like to make it easy to add that.

There are some discussions about what happens when you sell the houses full of IoT devices, what does the recipient of the house do? Do they have to reconfigure everything? How do we make that easy to do.

How about voice control? This is increasingly popular. Google has the Google assistant for example. The problem with voice control of course is there are risks. Who is allowed to control the device and what are they allowed to do with it? And you probably want to distinguish among parties with regard to their capacity for controlling the devices. For example, parents might want to have more control than the kids. Although if your experience is like mine, the kids know more how to do this than the parents do.

You certainly don't want the casual robber to walk up to the door and say open the front door. Voice recognition isn't 100% reliable, may not be the best way to do this. You actually may need to have some identifier with you that is sensible, so to speak.

By the IoT devices that qualify for certain capabilities.

One interesting problem is guests that come to the house. If it's in the residential setting. How do you train the house to know what the guests are allowed to do, and which guests is it? Do you have to issue little badges to them, if it's a voice control system do you have to have them stand in front of a microphone and say a bunch of words so the system can learn their voice to interpret. It would be a weird thing to invite your guests to dinner and recite in front of the microphone to get into the house and get the refrigerator to open and toilet to flush. Suppose you are standing in a room like this with a whole lot of light bulbs. How do you turn one on and off, do you have to give names, Frank, Jorge and Eddie and teach your guests what the names of the light bulbs are. We have to find ways to interact with the system easy to learn. Also if you give authority to that guest, you don't want that authority to go on longer than they are still welcomed guests. When they leave the house, the house should forget their ability to access it.

Those are a list of various things that come into my mind. I hope in the course of today's session you will shed some light how we achieve some of these objectives of safety, security and reliability and flexibility so that the IoT space turns out to be a useful one, both from the point of view of constructive application but also a big opportunity for companies to design, build and sell these devices that can interwork with each other. So Mr. Chairman, I will stop there and dash out the door. If these were stupid ideas I'm sure you will document that.

But to the extent it stimulates your thinking, I hope it's been helpful.

>> MODERATOR: Thank you so much. And curious who would be the next owner of your house and how they would deal with everything you put in place.

>> VINT CERF: Have to deal with the 3,000 bottles in the wine cellar with the tags on them.

>> MODERATOR: That will make up for all the other hassle, no doubt. Thank you, Vint for sharing that.

If you can go back to the slides.

Then allow me to in a way put also Vint's remarks into context.

Again, the thinking and summary is to embrace IoT to address societal challenges in an ethical way. I mean, IoT to keep this manageable, we need it to be inclusive, deployment needs to be possible when necessary. This also means in areas where, for instance the tsunami buoys or other agricultural systems where may not offer a business case for profit industry to build.

The second thing is to create that IoT system that encourages investment. To do that you need to involve all stakeholders. There's no single stakeholder that holds the key. Regulation is important because you need to understand the legal clarity in which you are going to invest and develop your legal mechanisms. And we realise nothing happens in isolation  or in a vacuum. There is legislation, but how do you deal with it specifically when you develop new applications that are I.T.-based? Maybe legal sandboxes is part of the solution there.

Create anchor systems that are sustainable and inclusive, that also means understand the issues wherever you go.

They may be different.

And stimulate awareness and feedback, because people, developments are nowadays so fast that people don't know what's possible until years off sometimes. That's something that deserves attention too. And as Vint alluded to, if we develop all this, and we are in the process, then it needs to be a trusted IoT environment. So in short, in line with our current good practice document, this means meaningful transparency, and you could think of certifiable labels, understandable risks and how to deal with those, with devices. And bigger systems.

Clear accountability. So who is responsible? Not that obvious, always. So something that needs progress. And lo and behold let's hope there's real choice. I think that's a point for discussion too.

So with that, is Orly online?

Orly, if you are on line please unmute.

Orly wants to talk about the impact of A.I. and IoT.

The core of her discussion A.I. comes with risks but sometimes risks are worth taking, for instance in medical applications where A.I. help to improve the quality of life, even if they affect the way you move around.

And that comes with a lot of ethical aspects as well, that will involve thinking about and exploring. In the end, it's all about people. That's the core of her story too.

So with that, Hiroshi I would love for you to talk about IoT deployment and security perspective how to make that responsibly happen.

>> HIROSHI ESAKI: Thank you for that introduction. I'm Hiroshi Esaki from University of Tokyo.

A.I. doesn't have any algorithm by him or herself. Their algorithm came from data. We need trustful data to use A.I. correctly.

Also I'm working long time regarding the IoT business, say agriculture or other industries.

People are now, every single industry going to digital based on transparent interoperable and trustful data, right?

In order to have the trustful data or transparency of data that is really important for the governance. How the people using the IoT device how it is manufactured, maintained, software, and function in it.

Therefore we need a good ownership of the data devices. The responsibility of the devices in the business field authenticate as well.

Also that is not only on the earth on this day. We are going to include space and moon and Mars. We must have new area to tackle with.

The second thing I want to share with you, is IoT going to mutate into IRF. Things are connected means data are going to travel around on the earth. The function is the next one from the data, means every single function be able to transfer everywhere. If you have the internet.

Completely different from bare middle computer system to cloud computing. So the function will be able to travel around on the globe. That's a completely different paradigm. It means the certification or control or management of the things must be changed to function. Not the physical devices. But what kind of process is going to run over any single device? So we must labelling device but a function software running on the hardware device. That's an important thing, I believe. And also, in order to have a secure or safe operation, we need labelling for certification authentication. Then scalability is quite important.

I always talk with government. They want to control everything. That is not scalable.

Therefore we need a very clever scalable system in order to have such a labelling or certification for secure, safe IoT or IRF devices.

The third point I want to share with you, we have new stakeholder. Maarten mentioned the people didn't come from I.T. or ICT arena. They completely have different culture and terminology.

When I talk with them, completely different language. Completely different structure of the industry. I have to talk with them. That is a new challenge and also we welcome new stakeholders come together. That is the principle of the IGF itself.

I really want to say that new players are going to come into the field.

The other interesting focusing on IoT. IoT device requires very small latency (?) in communications. In the case of internet, we allow 100 millisecond, right? In order to see the video, say ten millisecond. (?) requires micro second. You must feel side of light, sides of the earth, in terms of IoT application. It may be called edge computing. The completely different requirement they have to ask for the computer system at all.

Then, IoT went to IRF there is more trust capabilities required. Because every single device will be able to travel around over the globe. Then you know, air gap, firewall protection doesn't work well. Of course that is beautiful technique. Every single device must have their trust capability in the future. Otherwise we cannot enjoy IoT or IRF.

Then the last one would be IoT device, or every single data for the digital trend (?) has huge contribution to carbon neutral, decarbonization. We must grasp what's going on on the earth, around you. We need data, it must be trustable, it must be transparent, otherwise we cannot live with healthy earth. That's it, thank you.

>> MODERATOR: Thank you very much. Linking where we are today, the challenges today. There's different levels of devices that have different requirements in terms of above carbon neutrality and security, I would say. We will hear more about it later. With that, thank you very much.

Sarah Kiden is a researcher who has been just getting her Ph.D. in design. Congratulations with that, Sarah. And I really would like to hear about your insights from that perspective on IoT and how to make it deployable, wherever it's needed.

>> SARAH KIDEN: Hi, everyone. I hope you can hear me well.

Good evening, from my end. So my name is Sarah Kiden. I would like to start with two things right now. Maybe I will add on some more later.

The first one is as we give guidelines for IoT as Dynamic Coalition or really any group developing guidelines we need to acknowledge their power symmetries in the core system. If you think about it, the people who build or develop the IoT devices, the people who use these devices in the context of consumer IoT and people who are impacted by the devices. The impact could be positive like what Maarten was talking about earlier, the medical IoT device notifies your practitioner and you can get help. Or could be negative, perhaps an IoT has been used for gender-based violence.

University college in London doing interesting research about how IoT is being used in gender-based violence. So this could manifest at different stages. At the design or research phase, where I am currently, if for example, I interview participants and I am analyzing data, the insights that I could draw are based on maybe what I am interested in or what I see. Just acknowledging as designer, as a researcher I come with biases. Things that stand out to me could be underlying infrastructure that supports IoT, access to electricity and so on and so forth. But it might be different for someone else.

At that point it means the designer or engineer has the power to make design decisions. Another point could be a funder for example, they are giving you money to do particular work and you have requirements. That means that the interest now lies with the funder. I think we need to have some sort of mechanism for accountability and responsibility. So that the power is not misused. But also think about if the consumers have any power at all, if they have it, how are they using it. If not, how can we empower consumers to influence future deployments.

The second thing I would like to talk about is something I have seen happen in the A.I. space. So organisations like the Algorithmic Justice League (?) society and Amnesty International among others are now beginning to document A.I. harms. They are collecting user stories about a harm that is happening to them. It could be a hiring decision, it could be maybe they want to consider for a loan or tenancy application or so on and so forth. It's something that I think as the IoT, people interested in IoT design and deployment could think about. Basically you can use that to create design guidelines. If I use the previous example where IoT devices are facilitated in gender-based violence. If out of 500 reports 100 bought a particular thing you can think about how to implement safety, for example, for some IoT devices. Or you could nudge policy makers in a particular direction, tell them maybe the way the law is written currently you can't litigate a particular issue and maybe we need to amend the law to cover some of the things.

This is initial thoughts I have. I am happy to add some more later on. Thank you.

>> MODERATOR BOTTERMAN: Thank you very much, Sarah. Also for illustrating the differences and the different requirements and different areas that happen. One of the examples we talked about in the preparation was for instance that data protection is legislation existing in many countries. It doesn't mean everything goes in those countries where no data protection legislation is yet in place.

It's one of the things, if you think about it on a global level it's important to address.

If that is the next  --

person. Is Alejandro online?

Okay, Alejandro, are you, you are on line, I hear? Sorry, my computer  --  because I don't have electricity on it any more.

>> ALEJANDRO PISANTY: Yes, Alejandro Pisanty is here.

>> MODERATOR BOTTERMAN: Yes, please.

>> ALEJANDRO PISANTY: Thank you, this is from University of Mexico, Mexico city. Today I am in Washington D.C.

Pleased to be with you. First I would like to very briefly address one point that Sarah Kiden has made which is who are the entities, certain power through IoT. I think there's room for more detailed analysis. We certainly can think, first of all, Maarten as we have spoken previously and others, we have to distinguish between consumer internet of things and industrial internet of things. Consumer internet of things is a major concern for security, for example, as Vint Cerf stated at the beginning of the session. You don't want your refrigerator to be responsible for launching missiles somewhere. Or an attack on a major government.

The people exerting power in that sphere are ones we think of usually in a north south device. It's usually a company in a large country which is not acting all the time in the system of rules. It doesn't have a large transnational structure, but it's more likely a lot of small companies making devices that are sold at very low price to consumers. To consumers that are not necessarily aware of the need to secure their devices. If it's even possible to secure because you don't have any access to them. You don't have any access to passwords and as Vint mentioned to software systems and other underlying layers. We would need to split that analysis into different categories.

Now the main point I was invited to this session is to link with Dynamic Coalition and core internet values with the question whether the internet of things can have an impact on core internet values, on the waiving and its core values are deployed, displayed or challenged.

We remember some of these are the layers, architecture, packet switching, sort of underlying assumptions. And then we have the best effort hypothesis or assumption. We have interoperability, openness and so forth.

And what we see first is the deployment of devices in the consumer internet of things, which do send their packets and data over the open public internet are a challenge already. They are increasing the load on the systems. And they have increased the attack surface for everybody, as seen in many examples, for example, the specific model of surveillance cameras, standard facilities, CCTVs can be weaponized for distributed denial of service, for example.

We have a further, very complex challenge in the standards and layers field. Where the standards for communicating technology and standards for communicating internet of things devices on consumer and industrial use a lot of different technologies. They use open Wi-Fi, they use 4G, 5G or even 6G if they come. For different sets or segments of their communication and for back ups for some of those. As Hiroshi mentioned the requirements might be of micro seconds. You might need VPNs or dedicated links that extract language.

Some may sell you bandwidth that is reserved. Around the six gigahertz band for example, how you split it in the register part.

These are important challenges. No single manufacturer of these devices will care about this open internet effects or the effects of interoperability as long as their devices work and sell. So we have to find a way to make awareness. And part of this will have to be consumers. One last point is some of these issues have been set up and several attempts to address them by warnings to consumers or registrations or standards. But a lot of these things are sold under the radar of national standardization of these and commercial regulations, so people just pick them up in a mobile market and put them into a network without having to comply with any standards of national telecommunications authority or regulator. Nor anything else. At least this is a way of making a list and inventory of the challenges and giving them some hierarchy so we know some of the solutions proposed may be very limited in reach or workable at all. Thank you.

>> MODERATOR BOTTERMAN: Thank you very much for your perspective, very much informed by the work of the Dynamic Coalition of core internet use. Really appreciate it.

Can I check if you are available to speak to labelling and certification?

Dan Caprio? You are unmuted.

>> DAN CAPRIO: Yes, thank you, Maarten.

>> MODERATOR BOTTERMAN: He is based in Washington D.C. and been involved in the work for a long time and involved in White House initiative looking into labelling and certification. So please, Dan, the floor is yours.

>> DAN CAPRIO: Thank you, Maarten, I'm trying to find my camera.

Is that better?

>> MODERATOR BOTTERMAN: We see you.

>> DAN CAPRIO: Yes, thank you. And thanks for pulling this together and for your continued leadership. I think one of the issues that ties a lot of things together quite well that have been mentioned by other speakers, the issue of power asymmetry and how consumers have some idea of what's happening with the internet of things with their devices, is something that we have observed in the United States.  And it's also happening in other parts of the world.

But the effort to bring consumer labelling to the internet of things, so we have, there's been a real push in the United States, public/private partnership, which was announced by the White House back in the summer. Which is being, the responsible party in the United States is the Federal Communication Commission, which is our equivalent of the  --  regulator. To have a widely available consumer label on packaging for devices, that gives the consumer some sense of, you know, the security, how this, what level of security is offered on the particular device. How to update the security. How to upgrade it and how to become more aware. Because I think there's a growing appetite, especially at the consumer level for, you know, what is the device that I'm buying? What is the capability? So you know, there are other parts of the world and other speakers that are going to speak to this later. I know we had a regional IGF in Australia where this was the topic of discussion. But I think it's something that is reflective, the idea of the consumer label is something that is reflective of the Dynamic Coalition itself. Which is, it's a very positive development. It's something that we have all been working hard on for a very long time. But I think it also gives the possibility in terms of some of the labelling efforts for international harmonization which goes to Vint's point about labelling and standards. We aren't talking about creating a standard. It's a public private partnership that will be run by the Federal Communication Commission and by interested stakeholders. So view it as a very positive development and hope it is something that we can continue to work on in the Dynamic Coalition and see it become more globally accepted.

>> MODERATOR BOTTERMAN: Thank you for that, Dan. The U.S. isn't the only one, there's national initiatives and also initiative by IEEE to look into how to do this. Currently all very explorative, I would say.

Good evening, Wout.

Next speaker, if we can get Sandoche. Could you make Sandoche Balakrichenan co-host. He will speak instead of Lucien Castex.

>> Sandoche Balakrichenan: Can you hear me?

>> MODERATOR BOTTERMAN: Yes. Sorry for this very last-minute request. They made you co-host so you can also present your slides, if you want to.

>> Sandoche Balakrichenan: Yep, that would be fine, yep. I have slides but I will not take much time.

In Vint Cerf's presentation, and also about the zero trust necessity for IoT. Both these presentations are quite a preamble. We are looking at zero trust, identity management angle. So to have identity access management using DNS is looking at (?) we are based in Paris. DNS, the domain name system is a system used by most internet users for internet communication. And it is to simplify mapping the human-based names by domain names to IP addresses. So most of us we use DNS for our internet communication.

So what we are trying to have a look is, how to use the same system this has been mostly used by the internet or IoT based.

Zero trust, if you say briefly what this proposes is that, you can have communication from a device to the network on a case by case base. Where you could have context and different administrative access. And you don't need permission early.

We also see we can do the same with DNS.

This is a use case we see usually in IoT. The device maker with these keys and these keys need to be shared around the stakeholder around the ecosystem. So that's a huge issue. It's an operational nightmare.

So the use of symmetric key works in IoT but it doesn't scale. So that's a problem we are trying to solve here. So we tried to work, with LoRaWAN the classification of network, it's the most constrained networks in IoT and if our proposition works in LoRaWAN it will work in other IoT network devices.

We were able to do the communication between the different servers in LoRaWAN scenario. Both the client and server authenticates each. This could be done by normal symmetry. We do it with self-signed certificates. We are able to do this authentication even when we don't have the certificate at all. For example, in the internet we need a certificate authority. And that certificate authority needs to be authorized by the browser windows. But here we can do that in the DNS without having certificate authority and having your own self-signed certificate. That is done thanks to technology standardized by the IETF, DANE. I will not go deep into it. But it just shows that in the DNS you can publish all the identity solution, as well as which key you have to authenticate. We don't need a certificate of (?) we can use for access management.

We have tested that with TLS 1.3. We even did a hackathon at IETF. We have zero trust capability here, because we don't need provisioning priority by keys. Or by having a certificate authority. You can do that dynamically, and with the DNS you have scalability. And you can use the existing device, you see IoT different systems like back code (?) etc. And etc. All these different identifications could interoperate with each other. The supply chain G  --  1 standard also. At Afnic we are working on a dynamic system and blocks by blocks different projects. As you see this slide, the a legal block. We see if we can publish with different identifiers in the DNS. When I say different, it would be digital opt, it could be object identifier, could be a bar code, it could be domain name et cetera.

Then we see if they could resolve with the different ecosystems, that also works. Now with security we added one more layer. And we are now working with another project where we want to add privacy features based on DNS. That's how we plan to do that, and I hope we can also work with Dynamic Coalition on adding this thing here. For information, there are different startup organisations like (?) ITU, or working with the same scenario looking at DNS for resolving the issues we see in IoT. Thank you, if you have any questions I'm ready to answer.

>> MODERATOR BOTTERMAN: Thank you, Sandoche for that. We saw start-up organisations like ITU. I'm not sure if ITU qualifies as a start-up organisation. But thanks for what you do. Basically what also Sandoche brings in is the fact that what is IoT is it a device or cyber physical system that brings together a couple devices or ecosystem of application, coherent one in which self-certification could be quite part of the solution to make sure it's a secure system.

The other element is also if the LoRaWAN works, various IoT in the extension of the internet doesn't mean every IoT application needs streaming video capabilities. Sometimes it's enough to ping once every five minutes or once every hour what's happening.

With that Sandoche's presentation can be shared as well, right?

>> Sandoche: Yeah, it can be shared.

>> MODERATOR BOTTERMAN: Super. Come to me after the meeting and I'll send it by email. But we will make sure the report is very clear where you can find the presentations later on.

Thanks for bringing this aspect zero trust self-signed certification as part of the solution and awareness that, yeah. Different networks will facilitate IoT systems in different environments.

>> HIROSHI ESAKI: One is one technique component. Also we need more wider thing, otherwise not only the name domain but other part.

>> Sandoche Balakrichenan: Just to answer, we did work with the supply chain industry on GS1, it is RFID. You see with the LoRaWAN, we are working with MAC IDs, it's not just names and IP addresses.

>> MODERATOR BOTTERMAN: Also to do with privacy issues in systems that have very little extra capability of sharing data. Thanks for that. With us also Wout de Natris coordinator of the IS3C Dynamic Coalition. The coalition has done research into legislation and policy initiatives in IoT and has recently launched a report, or yesterday launched a report on findings and commonalities with that. Even has some recommendations. Wout, would you be willing to share?

>> WOUT de NATRIS: Be glad to, my name is Wout de Natris I'm a consultant in the Netherlands and as such coordinator of internet standard security coalition within the IGF, as Maarten said, we had our session yesterday and published two reports and launched a toolkit for internet standard deployment.

I was late here because I was on another session IoT presenting on our work and got a ping from Maarten to come here. The Chair of the Working Group is presenting as we speak in that session so I'm taking his place basically here to share his results. Very short, what is IS3C? We started this Dynamic Coalition in 2020 with the idea to get the internet standards that are out there for sometimes decades and would make the internet far more secure and safer if they were massively deployed by industry, most of the time by industry. And for some reason that is not happening. So how can we make the world more secure and safer? It is by incentivizing organisations to deploy these existing standards.

And that is what we are working on. We have several Working Groups and then I will get to the IoT part. We work on security by design internet of things. We do work on education and skills on tertiary education, whether they teach standards there's a use gap there. Procurement by government in industries, are they demanding these internet standards? We have a Working Group on emerging technologies which we will probably start in 2024 and we have a Working Group on the deployment of RPKI and DNSSEC, not just the technical problems but how can we change the narrative so when the CEO or Secretary-General has to make a decision with his organisation he understands why he has to go for security and not because of the technique but political, economic, social, security motivation. We have a Working Group that will start in November  --  sorry, December. Where are we? October. It will start in November. And hopefully we will have a result there early next year.

What did we do with IoT, that's the reason I'm sitting here. We plan to do research in policy documents which are findable on the internet and to do a comparison. As I understand they found documents from 18 countries in total 30 documents in 18 countries. Mostly from the Global North.

Between 18 countries there were 442 practices. And do they align? Sometimes. The terminology is explained in a different way. So there's no coherence between these policy documents and that is, I think the first thing that I want to say.

What they did is they studied it from four categories. They looked at it from data privacy and confidentiality, user empowerment and operational resilience. From those four categories they had five research questions.

The first one is, what are the recommended best practices for setting out the responsibilities of all stakeholders involved in IoT security, including manufacturers, service providers and users.

The second question, what policy and regulatory measures can be identified for promoting IoT security by design and specifically with regard to ensuring device resilience against crashes, power shortages and outages.

Three, what policy and regulatory guidelines can be identified to promote user empowerment in IoT security, and what are the recommended best practices for implementing vulnerability disclosure mechanisms?

Four, through what mechanisms are regulators and policy makers enforcing compliance with the IoT security standards and encouraging manufacturers to adopt the recommended best practices? And five, how do policy and regulatory documents relate security updates with warranty policies for IoT devices and services?

So that's a lot of questions that they put out on these 30 different documents. They found a lot of things. When things became quite clear very soon. What are the main conclusions to be drawn? One, IoT security is complex and multi-phases. Many countries including whole of Global South lack security framework for IoT security there are few exceptions. Many national practices identified did not match other countries policies and there are many differences in taxonomy.

Many of the practices of voluntary guidelines without effective accountability and consequences for non-deployment.

National administrations rarely require or specify security by design in the hardware and software they procure and this would drive and decrease deployment of security related standards.

The standards that form the public core of the internet, which is basically software, and on which the internet runs are not formally recognised as such by governments and normally absent in all policy documents such as analyzed in this research. Specifying links between security flaws and device integrity is a strong basis for security updates.

So that is the findings. As you can see there are huge gaps between what we talk about cybersecurity and what is actually being addressed by these governments.

And that leads to a certain set of recommendations. And the first one is accountability frameworks from the design stage through to use.

Two, strategies for country-owned authenticated vulnerabilities such as denial service attacks. Three, stakeholder cooperation reporting vulnerability disclosure. Four, endorsing global implementation of open standards.

Five, the integration of security updates and warranty policies. And finally, governments get your act together and agree on what term and definition is of a specific piece of IoT.

So can we actually change this situation. If I look back at the whole Dynamic Coalition and all other studies that we found, as I already said, the public core of the internet is something governments discuss and they think it should be protected and it should not be attacked.

And my idea, my personal idea from reading the different reports we are producing is that governments think of the cables of the server parks. They think of undersea cables that have to be protected. What they forget is what makes the internet actually function and work as it does.

So if governments don't recognise it, it will also mean that they won't procure it. So if what would make the IoT or other functionings of the internet more secure is when a government starts putting its money where its mouth is. In other words if you want cybersecurity you have to demand certain standards to be built in the product you are actually procuring. If you do not demand it up front in some cases you can't even get it afterwards, after you discover the vulnerabilities, because they can't be mandated or they don't do it or its end of life cycle for them.

In other words you have to consider these standards up front. So only when bigger organisations, public and private start demanding security by design and procuring, that is the moment that things will change in the world. That will also mean for us as individual users, they are not going to produce coffee machines that connect with the internet. They will all be secure from that moment onwards. Because they won't sell secure things to the government that are insecure to us. If consumer organisations would start testing these devices also on the IoT component, also that would prove a lot of things. So that is where we try to work with IS3C. But when all else fails, then I'm convinced that there will be only one solution that is they are going to regulate and legislate it. If that is a desirable thing to happen, I'm not so certain about that, but it will happen between now and 5-6 years. So it's time to get our act together. And that act can be by deploying what is out there and can't be that difficult, I'm told. So let me stop there, Maarten, and happy to answer any questions later.

>> MODERATOR BOTTERMAN: Yes, thank you for that, Wout. IS3C is the rapid development make it more and more difficult, also for governments to keep up with what they should do. And legislation is just one, the last resort, one would say.

Very much appreciate the concept that comes forward, that procurement might be a way in. If governments know how to procure for safe, secure IoT devices they know how to propose legislation or guidelines to the rest of the public. Thank you for that insight. I also heard you, having listened to Vint, let's think about the world we want but also act  --  we may not like that. I loved that quote.

The last element I really would like to bring in and to emphasize further, because it's a key element, not only of the society we live in, but also specifically for IoT is how to deal with privacy and data protection. For that, friend and colleague Jonathan Cave online who also volunteered to be Rapporteur for this session. He is expert with policy background, regulatory background and microeconomist and game theorist. Jonathan?

>> JONATHAN CAVE: Thank you, Maarten, thank you, everybody. It's coming up on 2:00 in the morning here. I will attempt to be coherent. Not to preempt the discussion. We get quickly into the main issues. But there are a few things I wanted to say in relation to privacy.

I think from perspective of economic, ethical and from the legal perspective, one of the questions that keeps coming up through this discussion is whether the things we are talking about, I include privacy in this but also things we have talked about today like security, transparency and accountability are meant to be principles that we adhere to when we get a chance, are meant to be mechanisms that produce a result? Because the internet of things linked into the internet of people is a complex adaptive system. It produces things that we can't yet imagine. So the engineering perspective of designing things which helps specific characteristics and functions and so on and then you turn them loose and judge them according to how well they do those things for users who are deemed to have fixed characteristics may not be the most useful perspective.

I just wanted to flag up this sort of game theoretic view. Some of these are things that have been said before. For example, we know we need to have multiple stakeholders but it's important to be quite clear what stakeholders they are, what kind of voice we want them to have and what sort of decisions we involve them in. One of the problems that's come up particularly with the use of A.I. in relation to the internet of things is the question whether agency is still a useful concept in the sense the way we had it before. Where we can base an entire system of markets, engineering and laws on the idea of people being told what they can do and then being held responsible for how they do it.

Now in this respect, I think one of the elements here is the privacy element. And I will just sort of round in on that. We can discuss other things later on.

When we talk about privacy, the central question is privacy of what? And why is this a useful idea? In most cases we start from the perspective of the privacy of data.

But we have heard all the way through, it was hinted by Vint and picked up strongly by Hiroshi and everybody who spoke later. When we talk about the internet of things we are probably talking about the data plane, certainly when A.I. comes in there, because you can't understand what these things or complex assemblages of these things do without understanding how they learn, what they were trained on. Then there are the devices themselves. Are they secure, do they fit certain characteristics. Can they be updated and so on? That's the hardware and it includes the software as it changes over time. Then there are the functions. But because the internet of things contains things that are connected to each other, those functions may not be well or objectively defined. What I use the device for is not necessarily the function that you see. The function that you see may be entirely different. For example, these IoT devices that harvest vast amounts of personal private information from their users even one that has no connection to the nominal functioning or design of the device or its operation. The cars that observe whether we are sleepy or behaving well, that kind of thing.

So as we move up the plane away from the data plane and device plane, things become, as it were, more complicated. And that produces a changing surface, not just attack surface for cybersecurity but surface for, let's call it ethical concerns.

Now so that's item one. The complexity of the things, we can engage with these things at certain levels. But they have implications at other levels. Now I think this is important in terms of the good practice elements of what we want to see for the IoT.

Many of us come from engineering or analytical backgrounds but as many others have pointed out, a lot of people making decisions here may not share those perspectives. And that's not just something we have to patch together as a kind of human interoperability, but as part of the richness and resilience of the system that we have and give expression to those different perspectives. But that brings me to the second aspect of the privacy, which is the privacy of action and intention.

When people use these devices they develop relationships with them and through them, different relationships with each other. People use a smart speaker, for example, they begin to trust it in certain ways. Now partially, that gives the speaker, or the people feeding data and instructions to the speaker a power that they didn't have originally. They move from being sensors to deliverers of content to being actuators to reprogramming their users. And that perfectly innocent function has really profound implications for who gets to be held responsible for these things.

Another small comment I wanted to make that came up early on in the conversation was the question of how we control and hone the data? For a long time we have been told you can't own data and can't own personal data. Of course now we learn in order to make these systems function, we have to resurrect that notion of the ownership of data, simply so we can hold people responsible.

Then, the final thing I wanted to talk about was the nature of our ethical engagement. We can do certain things with law, certain things with standards and certification but behind that needs to be an ethical framework. Most of our frameworks are based on what Maarten called at the very beginning, respect for the individual. But what we are beginning to learn, the individual, at least as they interact with the world is not a kind of fixed entity. It's not an anchor point for ethical reflection. So if I give you voice and if I give you respect, am I doing it for you right now? Or the you that you will become when you interact with these systems? If it is the latter, how do we take account of the fact that the way the systems operate changes the way people use them. Changes the way people understand them.

Now as an economist, I believe this richness of perspectives is not something that we can resolve or standardize, but is instead, a source of resilient interaction. It helps us to understand the kinds of things that we see.

So in that respect, I will close at this point, simply by saying that I think we need to work on the ethical dimension to understand whether concepts like privacy still serve us as useful principles or need to be modified, particularly in light of the fact that we now have different understanding of how our individual and collective psychology is affected by interacting with devices, which at the one time, are mechanical devices but at the same time are A.I.-empowered entities with whom we form relationships, who change our behaviour, our understanding and the things that we pay attention to.

>> MODERATOR BOTTERMAN: Thank you so much, Jonathan for sharing your insights on this journey.

Basically, it's also amazing how quickly our insights and what good practice should be like is evolving. And then we know the next step is to implement it in society. But also walking around on this IGF, I heard a lot of things at fault are really truly getting us to the next levels of understanding how to deal with systems.

Now for the sake of time, I would first like to ask Avri are there any questions online?

>> MODERATOR DORIA: No, there haven't been any questions online unless one just came in. Please, if anyone wants to put one in the chat or Q&A, I can read it. Please be short because we only have 15 minutes left because we put so much content in the first part. But if anybody puts something in the chat I will read it.

>> MODERATOR BOTTERMAN: Several regional events, so in that way the voice of people has been heard and reflected. We look forward to devices in the room. Barry, please? Please introduce yourself.

>> Yes, this is Barry Leiba, I've been working on some internet of things-related stuff for almost 25 years now, from before we called it internet of things. So I've got a lot of thoughts on it, I will try to condense to two points. We talk about security, I don't like using that term as a buzzword. It's much more complex. We need to think about it broken down into different aspects, authentication, authorization, data integrity, confidentiality, all those things. Putting it all together makes a much more complicated picture. Especially when we go to the second point I want to make, when we talk about turning on lights with our voice or even something that is more dear to me as I age of the example you gave of Maarten, monitoring my blood pressure or heart rhythm or something like that, it's still just something we have been able to do for a long, long time. But now it communicates over the internet. To me that's not the internet of things in its full potential. What I think of internet of things is different sources, all working together.

My car and my house and my calendar and you know, my calendar resets my alarm clock and makes coffee earlier and tells my car where to go in the morning and that kind of stuff. And that really makes the security, all those different aspects of it very complicated to put together. And as we think about making a secure internet of things and a private and confidential and whatever internet of things we really need to think about the real robust scenarios and the complexity that puts into it of how to secure all these different pieces and make sure that the data doesn't leak in all of that sort of thing. So.

>> MODERATOR BOTTERMAN: Thank you very much, Barry. Hiroshi, please?

>> HIROSHI ESAKI: Yes, I think the core part of the internet, in the end should be the same, end to end principle. I mean the end-to-end means, protect yourself first, by yourself.

Community second.

The last one is public health. So the core part of the internet, try to make secure good operation as a backhaul network, end station must have their own protection first.

Then, that is a really, really good thing for we need trustability or interoperability. The meaning of interoperability is, user must have such a capability. That education, capacity-building or literacy. Then one of the action we are doing in Japan is providing traceability to users. Not all. But people can't have traceability function, then how many persons are they going to use? That really depends on the technology usable and how we deploy, or how to allocate those technologies.

Again, end to end is very powerful scalability. So that's the way we should do.

>> MODERATOR BOTTERMAN: Wout, please?

>> WOUT de NATRIS: Thank you, Barry for the question. I think it shows how complex our life is going to be. It's going to be much worse than this, probably, not too long from now. The question is where do we put the accountability or the responsibility? And despite that the end user has a role to play here, when we are 100% certain that 99% of the people won't even know how to protect themselves because they think this device works. My car drives and 170 machines just like E.T. phone home in that car at the same time, you have no clue it's happening. Except you get a strange message all of a sudden, your car says what do I have to do? That shows what happens today. The all about the companies gathering the data.

And because of that it's insecure because it's probably harder to get the data for them. But we have to work, as a society we have to work our way around that somehow because otherwise we are probably lost forever. From a privacy point of view, but also from the attack point of view. That's the dark side, it can abuse this 24/7 hours a day. Sorry, you know what I mean.

I think that is why it's so important to make sure that standards are installed at the outset and otherwise it will probably never happen and we have to start working to make that happen. Thanks.

>> MODERATOR BOTTERMAN: Thanks for that, very much.

Mark, please?

>> Mark: Thank you, Maarten, Mark Carvell, member of EuroDIG and advisor to the IS3C coalition on standard security and safety. So a colleague of Wout de Natris on the panel. First of all thanks very much for a very interesting and wide ranging discussion. A couple of points sprang to mind. First of all, quick question to Dan about labelling schemes and harmonization. Where does he think the best platform is for developing harmonization given the fact people will be traveling around the world with devices and they need to be able to understand a coherent universal labelling scheme. So where is the platform best placed for that?

I did bump into somebody from the F.C.C. on Sunday, I think it was. So there is I know what Dan said about F.C.C. involvement in the U.S. public private partnership. If I had known about this, I would have asked him if the F.C.C. had some thinking about that, maybe that's why he is here, that particular person. That was the first point.

Now procurement as described as a driver. But I mean we have heard about consumer IoT and industrial IoT. Speaking as a former U.K. government official, I just wonder where we are in terms of IoT applications in public administrations, generally.

How can these applications be developed to meet, in particular, government concerns about security? Given that this could be a revolution in the interface between governments and citizens.

So are you as a Dynamic Coalition looking at that particular aspect and talking to governments? What they need assurance about, in terms of IoT applications.

Thirdly, on Jonathan's point about innovation, I was at an interesting session about ethical development of technologies, ethical innovation yesterday evening. Maarten, you were there as well, I think. And you know, the point I made there was that you can strive to innovate ethically, but of course, what direction does IoT, for example, take. The very difficult to predict. The unforeseen consequences and applications may be positive, may be negative. So how are IoT developers really approaching ethics? In a way that's going to ensure that the systems and networks are going to be developed with a degree of confidence, given the unpredictability factor.

Final point, as I said, I'm a member of EuroDIG. EuroDIG has a call for issues. I really urge the Dynamic Coalition to consider using the EuroDIG platform forum next June as an opportunity to advocate the work, the valuable work you are doing. So the call for issues is out now. Okay, thank you. I will stop there.

>> MODERATOR BOTTERMAN: Thank you very much, for sure, like any Dynamic Coalition, I think we also think different messages to different stakeholder groups what their specific role. So that's a key element. Dan, just checking. I realise it's a different part for you, but can you come back on the question from Mark and maybe also the remark from Jonathan in the chat?

>> DAN CAPRIO: Am I unmuted?

>> MODERATOR BOTTERMAN: You are.

>> DAN CAPRIO: Yes. In terms of the U.S. consumer label, it's early days. The FCC just put their notice out back in August. So in the U.S. this is not going to take effect until you know, the end of next year at the earliest. And so I'm happy to get back with you with more specific information. There is some discussion in the rule that the FCC put out about international harmonization and also working hand in hand with the White House and with the state department. I would imagine, I'm glad you asked the question. This is something that IGF can take a very active role in.

Because it's something, I mean with the internet of things something we have all been working on for a very, very long time. So I would like to see, I would like to see IGF and the regional IGF sort of begin to take this issue up. But in terms of what's the exact platform? Or how do you do all this? I mean that's to be determined.

>> MODERATOR BOTTERMAN: Yes, thank you for that. Any last questions in the Zoom room?

>> JONATHAN CAVE: Can I make a last comment? It's very quick on the issue of the ethical reflection, ethical consideration and control of these IoT devices. This is something, and in particular, their consequences once unleashed. This is a particular concern of many organisations. At the Turing institute I'm part of a group T-Rex ethics that scrutinizes the Turing institute's projects for their ethical considerations.

Part of this is, of course, making people think about what will happen when these things are turned out. In some cases you can do these things with behavioral or psychological or sociological analysis. You can make it more predictable with legal mechanisms but in general the answer is usually to keep the conversation open. Not to tick the ethical box at the beginning of the project and then turn it over to the lawyers to manage the liability. But to keep the information flowing. Because the problems that we are thinking about are emergent problems. No single party can possibly perceive them, nor can they be analyzed by considering just one layer, this internet. So really, the only thing to do is attention must be paid and continue to be paid. I just wanted to make that small remark.

>> MODERATOR BOTTERMAN: Very clear point. Can I invite you to introduce yourself?

>> Thank you, good morning, everyone. My name is Elaine Lou, I'm from [ muted ]

[ Muted ]

[ Room is muted on Zoom ]

>> HIROSHI ESAKI: The use case regarding the IoT device or devices, right now we have multiple use. Future use will come out. Even though you have a single device, that have the original usage first. To be used for the other purposes. We have to think about that. That is the use of the devices that will happen. We experience in the internet.

>> MODERATOR BOTTERMAN: Yes, thank you.

And just to at this point to say, indeed, we do, we are very conscious that it's data that it's about. It's a different applications I think, everything we say is also the use of IoT in context whether it's a device or a combination of devices or service or ecosystem. All the different requirements. All the different returns.

Different risks. One of the key things that is visible, in Singapore I'm aware is labelling, informing people about what the risks are they are dealing with. All the information is to be found also, the DC IoT site. I invite you to participate to subscribe to the list from the Dynamic Coalition IoT where we will release news but you can also raise questions or issues if that's what you like. We are also very happy with the support of  --  and maybe it's allow specific websites where we can have discussions where we can also share some of the presentations we have. All the reports are available through that as well. This is an iterative process. So much is clear. The space of change is fast. And we are on it. We are aware we need it and we want it to serve us in a way that it serves us, more as a benefit than as a threat. But in the end it's all risk management is all.

Thank you all for your interest. And speakers for your contributions.

I will hope to see you in the future, either in the regional event, or next year in Riyadh, right?

Thank you very much. This meeting is closed.