IGF 2023 – Day 4 – Open Forum #57 Procuring modern security standards by governments & industry – RAW

The following are the outputs of the captioning taken during an IGF intervention. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid, but should not be treated as an authoritative record.

***

 

>> OLAF KOLKMAN: Dear friends.  Last session for me and probably for you.  We're in the IS3C Internet standards and safety Commission.  Which is a Coalition here at IGF.  The topic of this workshop is Procuring Modern Security Standards By Governments and Industry.  That is part of the interest of the Dynamic Coalition. 

In general, when you look at security being deployed in organizations, then there is always an informed self‑interest to protect yourself.  The problem with securing the Internet is that it is security for the common good.  And usually you're securing something within your infrastructure to protect yourself, partly, but also others.  So there are all kinds of economic incentive problems that might make the introduction of Internet security standards and common practices difficult. 

And this Dynamic Coalition sets out to both study and stimulate the deployment of those modern Internet standards.  I'm looking at Wout seeing if I am summarizing this well.  We're here to discuss a number of the work items that the Coalition has been working on.  Can I have the next slide? 

Oh, can I have the next slide?  We're here with a bunch of speakers and panel members.  My name is Olaf Kolkman.  I'm from the Internet Society. We have Satisch Babu, and Flavio Kenji Yana.  Liz will join us later. Wout de Natris is here at the end of the table.  Satisch and Flavio are at this table, of course. Gerben Klein Baltink is online, if everything is well. Annemiek is to my left, to the right for the watchers.  And Gilberto Zorello is in Brazil and online. 

The layout of the session ‑‑ Skip this slide.  Everybody knows by now I'm that person.  I'm giving the introduction at this moment.  Then Gerben Klein Baltink and Annemiek Toersen will talk about the role of open standards particularly at procurement in Netherlands.  Oh, wait, wait.  Then Wout de Natris will talk with Liz, who will be there.  And then we have an opportunity for questions from the audience here and online. 

And then Satisch Babu will give perspectives.  Then close to 2:30.  Then a panel.  No, we will have Gilberto Zorello and Flavio Kenji Yana giving perspectives from Brazil.  And then we'll have only a couple of minutes for a panel discussion and further questions.  If everybody is still awake and not falling asleep from a long, long week.

So ... let's go.  Without further ado... The session on the platform Internet standards in the Netherlands.  Before we go there, Alissa Ever for the Dutch Government, Ministry of Economic Affairs is here.  She would like to say a couple of words.  Camera swing to the microphone about this initiative.

>> ATTENDEE: Yes.  My name is Alissa.  I'm from the Dutch Government.  From the Ministry of Economic Affairs.  And the Netherlands or Dutch Government has been fully supportive of this platform Internet standards and of the Forum standardization where Annemiek is from.  These two standards, public‑private partnerships have been really crucial in the Netherlands to at least for the Dutch Government to further adopt standards that are deemed of importance.  And I think it is good that we're having this session here.  I would also really like to encourage other Governments to work together with the ‑‑ with experts in their countries, on Internet standards and on other types of standards to see which standards should be adopted by Government and used for procurement.  You will hear a lot more about that.  Yeah, I really think that we should ‑‑ I'm really pleased that we have this good relationship in the Netherlands.  I hope to see this spread across the world.  Have a good session here. 

>> OLAF KOLKMAN: I guess that is back to me.  Yes.  Without further ado, I think we are going to listen to Gerben Klein Baltink.  If the Zoom room can be open so Gerben Klein Baltink can speak.  That would be great.  Gerben, are you with us? 

>> Gerben Klein Baltink: I am with you, but can you hear me? 

>> OLAF KOLKMAN: Now we can hear you.  Hello, Gerben. 

>> Gerben Klein Baltink: Good morning.  As mentioned by Olaf talking about standards is not relevant just for the individual user of the Internet but for the common good.  It has been some I think 10 years ago that amongst other people, Olaf and I met at the Minister of Economic affairs at the Netherlands, where we sat together with organizations across the board from the Internet Society in the Netherlands and Dutch Government.

All of us were involved in some way in trying to bring open, modern standards forward.  But we all realized this was not an easy thing to do.  The doing process is sometimes for slow.  It can take many years before the actual take‑up of a new standard is realized. 

And discussing this topic, we realized we could do something perhaps in close cooperation in the public private initiative that then was called the platform Internet standards.  The first meeting was around nine years ago of this new body, this new platform.  We soon realized we really had to stick together.  Government, public organizations, private organizations to make it work. 

One of the things that we soon realized is that if we would like to make modern Internet standards more acceptable for everybody, it would help if there would be a test tool to make sure that everybody could see if their own website and email or local connection could actually use these modern standards.  And if they used them, whether the standards are set up in the right way. 

Of course, this is not something that many individuals will do themselves.  We initially focused at organizations, hoping to attract both the technical people in such an organization as well as the Board Members, because it is not something that can be done by I.T. technicians alone.  It has to be accepted by the Board of an organization as well. 

This test tool ‑‑ some of you may know it or even use it, can be found at the business Internet.NL.  There we dive into many of the modern open standards.  But we do not only explain the standard and test the standard, we also point out how you can go and this is the procurement part, to your supplier if something is not set up correctly.  Or if the standard is simply not used.  So one of the things that we offer is insight in does your website, your email your local connection function correctly with the local standards?  If not, what is the kind of solution you can apply? 

At this website, you will also find the whole of thing of the websites that are already 100% up to speed with these modern standards.  But also, Hall of Fame of hosting organizations that can help you, if you want to have their support to have your own website and email set up in a correct way. 

And we have seen the use of Internet.NL is being used by many organizations and individuals is growing and growing.  We will pass over one million tests this year in the year 2023 itself.  We come from say 650,000 tests last year.  And we also see tests in a more technical environment.  Our API and our dashboard where you can run multiple domains, multiple email servers at once and see if these are all set up correctly.  The modern standards, we think will benefit everybody because your safety and security and connectivity online will be enhanced greatly.

So what we try to achieve is that as many people have and organizations have these modern standards, so that we can all benefit from an Internet that is functioning correctly.  And the good news is as Alissa mentioned in the beginning, it would be great if other countries would have the same idea about the modern open standards and applying them opinion and we are more than happy to help other organizations, other countries to set up something similar.  And some countries already have like Brazil.  Like Denmark.  Like Singapore.  So we see initiatives around the globe in the adoption of the standards and tooling.  We're open to learn from other experiments as well.  You can't do without explanation.  The explanation can be found at the website itself.  And also in the help team we have to provide organizations with support.  We have also made some tooling available and not only from our platform Internet standards, but also from international and national organizations that have the same kind of idea.

So for now, I would like to hand over to Annemiek and let her explain what the Dutch Government does with it.  And you are more than welcome to visit Internet.NL and make use of our test tools.  Thank you. 

>> Annemiek Toersen: Thank you Gerben for your introduction.  Thank you for attending our session, all of you here and abroad.  My name is Annemiek Toersen from the Netherlands standardization.  I would like to tell more about how Holland and Netherlands do something about adoption of those standards.  Why actually open standards ‑‑ I'm sorry.  I'm from the Forum upon Netherlands Standardisation Forum, it is a think tank on interoperability of the Dutch Government.  The standards of the Forum promotes and advises the Dutch Government about the usage of open standards.

The Forum has about 25 members with various backgrounds from Government, business, and science.  The main topic of the Forum is the organization of the so‑called comply or explain list of open standards.

This list should be applied by the complete public Sector organizations, central as well as decentral.

Why open standards.  All open standards we promote regard information exchange between Government and citizens and between Governments themselves.  With open, we mean the specifications of standards is publicly available and interested parties can participate in the standardization process.  So there should be no single party that controls the standard.  So open standards are more important because of the interoperability as mentioned here and the security, which influences trust of course.  Accessibility and Government is obliged to inform the whole society, the society as a whole and have neutrality.

When it comes to Internet standards, the Dutch Government has a three‑fold strategy shown here in the picture.  I will go briefly through it.  First, the standardization form can mandate specific open standards and do so on this list.  The so‑called comply or explain this.

This is done after careful research in which we consult technical experts.  Standards on this list should be required when Governments are investing in new I.T. systems or services.  As we survey some of the bigger ICT organizations within the Dutch Government, we have seen quite some progress using open standards.  However, it also became clear that some organizations hadn't moved yet.  In addition to the comply or explain list standardization Forum can also make agreements.  Agreements with ultimate implementation dates.  That might be handy because we have already done so for several modern Internet standards like you might know HTTPS and the intersect and we have plans to make an agreement for RPKI as well. 

Sorry.  Go back.  I wasn't finished yet on number two.  I just finish number one upon the mandatory.  Cooperation.  We work together.  I will show a little bit more finally we will apart from number two, we have specific open standards law.  The open standard HTTPS is since July 1 in Holland, Netherlands, obliged by the law, WDO.  Digital Government law.

If we go to the second block on the left side, cooperation we invest in community building.  We tried to bridge the gap between technical experts and Government officials.  So therefore we already are happy with the Internet standard platform, as Gerben mentioned.  And participating in the platform.

This enables us to be more effective and half upon to  ‑‑ helpful to Governments with the technical questions and questions on how to regard modern Internet standards from vendors. 

And the third block on your right side, we monitored adoption of standards.  So how do we do that?  We review tenders, and procurement documents and for modern Internet standards.  We happily use of course the Internet.NL, the chairman mentioned to frequently measure over 2,500 Government domains.  A small note, I can mention here is that since Internet.NL now has a test for RPKI, we will perform a large scale measurement for RPKI, and this will be used in the decision process for ultimate implementation date for RPKI.  We go indeed to the next slide.  Yes.  In order to benefit the use of open standards, it is very important to have a certain critical mass, because if only one or two organizations use the standards the public society has no advantage at all.  We need more and more participants using open standards.  By creating more transparency we create more openness.  We refer to the analysis of the Bureau of Economic policy here.

In the note under the two downwards on this sheet.  You can have the link, if you like, from us. 

I go to mandatory number one, specifically I told you we have a comply or explain list.  On the list we have 40 standards.  The standards are evaluated through four criteria.  Openness, added value, market support and proportionality.  Therefore the critical mass as mentioned before.  Standards should be actually proven in practice.  That is very important.  Open standards vary in different categories like well the Internet and security standards.  Document standards, web standards, but also administration like e‑invoicing.  There are many more.

When the Government invests they should request for those relevant standards. 

Government should use the standards in case they don't use it then they should report it.  With a specific reason.  For instance, if it costs extremely much money, then they can report it in the annual financial report why they didn't use the open responds. 

40 standards that are related to security.  There is spoofing, eavesdropping and you might know better already.  Those are some of the Internet standards.  RPKI I mentioned.  And IPv6.  This security text is a new one.  Very handy.  Next page, please. 

As you recognize number two, the cooperation.  Go further in the use of the standards we don't only mandate but cooperate.  We do that a couple of ways.  International and nationally.  We haven't mentioned platform Internet standards with the secure Coalition.  Last year my colleagues were in Messeu talking about international possibilities and we reuse Internet inform L codes as much as possible.  Denmark, Australia, Brazil started.  We invite you as well.  If you are interested, stay in contact with us.  The code is available in English.  We will assist whenever you want to create the critical mass.  The more people it works more sufficient and have more little gathering together and get better everyday.

Besides that, we contact vendors and hosters, think about Cisco, Microsoft, open exchange.  Akamai.  We can mention more.  As an example, Microsoft we contact them to support DANE security standards.  This inspired Denmark to write a letter.  The results are with success.  Because 2024 spring they will fully support the DANE standards.  We look forward to seeing that.  Microsoft will work together. 

Finally monitoring I was talking about.  We manage on the relevant open standards.  And we research whether those open standards are included.

So apart from that we check whether they requested open standards and are included in the offer of suppliers.  If they didn't we call, get in touch, ask why because some don't explain unfortunately in the reports.  We also would like to know why they didn't ask it.  And a lot of procurement departments don't know how to start with it.  We support him with a special text for tenders and we support them within the decision tree, which makes it handy for people not so technically ‑‑ don't have a technical background but a procurement background can support them to ask for the specific standards. 

Unfortunately, we conclude these standards still not fully complete.  That is a pity.  We report once a year, to the cabinet in the Netherlands. 

The Internet.NL mentioned here a couple of times.  You see also this nice T‑shirt.  If you score as a Dutch organization 100% then you have a very special T‑shirt apart from the Hall of Fame, of course.  I haven't mentioned.

The actual usage of the standards is so measured twice a year.  Twice a year we offer it to the cabinet.  The tooling, we can do it en masse.  Some organization like their own measurement, that is also possible.  Please contact us.  We conclude that there is quite some glass in using the standards, due to the cooperation.  We mentioned already the cooperation with Microsoft and also other vendors.  And that might ‑‑ well, they have the results.  Good to hear.  It works.  That is what it says.

Good to know for you is we sometimes dig deeper.  For instance, vendors that lag behind we contact and if there is room we advise about standards and so the use improves.  And last?  Final ‑‑ well, actually it says already, if you don't ask it you don't get it.  That's for sure, right?  Some lessons learned, please make sure whenever your Government tender asks for open standards.  Check it with the tool, the tooling Internet.NL, like in Denmark, Australia, Brazil who did reuse the code.  I invite you if you have questions, but is it something for our country or our Government, feel free to question.  Thank you very much.  I hand it over to Olaf.

>> OLAF KOLKMAN: Thank you.  I typed in my personal domain.  And Internet.NL, yes 100%, that T‑shirt is mine! 

As a remark.  I have to smile when you talk about modern Internet standards.  Because some of the standards that you refer to as modern are indeed a quarter of the age of the Internet itself.  However the security TXT standards is published in April 2022.  That is really interesting, fresh standard.

To give you a little bit of a feeling.  Why that standard is so important, the security.txt standard is simple.  It says publish contact information of the person who is responsible for the security of the website in a specific location.  Of your website.  Somebody that finds the bug of vulnerability in the website knows where to find that contact information.  It is a simple standard about if you want to look at something, do it there.  By doing so you help people that do security research be able to contact the people responsible for the problems.  That makes a great difference in the security of the Internet.  Again, this is not about your own infrastructure, although this one helps, it is also about collaborating in the greater good.  I think they think it is an easy explainable example of this.  A quick logistical question about will you take your session now or shall we first move on to ... you will take over? 

Then ‑‑ Wout, you have something to report? 

>> Wout de Natris: I have.  My name is Wout de Natris.  I'm a consultant in the Netherlands.  Within the IGF community, I'm the coordinator of the Dynamic Coalition of Internet security and safety.  As you see on the line.  The line is making the Internet more secure and safe.  That is something everybody tells you and everybody says.  We came up with an Action Plan to do that.  Next slide, please.  Next slide.

That started at the virtual IGF of 2020 with a concept of the dynamic coalition in 2021 we were able to present three Working Groups.  And that is number one, two, three you see on the list.  The first one is security by design.  On the Internet of Things.  That Working Group released its report this Tuesday here at IGF.  The second one is education and skills.  That is already releasing first report last year in Addis.  And we'll come to number three very soon.  And number five as well.  Number four is internal, but also does analysis of our relevance compared to the Global Digital Compact and Sustainable Development Goals.  And that last report was presented here at IGF.  Number six is data Governance and privacy that was supposed to be released but done with UNDESA and they decided not to release.  So we could not share that information here.  Number seven is a skeleton that never came true.  I had a meeting today that may revive it soon.  That is encouraging news.  Number 8 is on DNSSEC and RPKI, standards mentioned many times at the table already.  This is not talking about the technique of deployment, we will try to produce a narrative that convinces people in decision taking positions to actually procure secure by design.  They probably need political, economical or security arguments to be convinced to invest or demand levels of security.  Number nine we announced on the emerging technology and we have several talks here at the IGF.  It is encouraging we can start this Global comparison on policies that are being developed on AI, quantum and perhaps metaverses.

Number 10 ... you see a dot.  Number 11 is a dot.  Anyone has an idea to fit the Dynamic Coalition.  Contact me or Bevil.  And share your thoughts.  I am proceed to three and five.  That is what we are presenting on here today.  Next slide.

The Working Group number 3 is called procurement and supply chain management and business case.  The person that should be presenting is Liz Redbol, but her session took longer than planned, and hopefully she still comes in.  If not, I will do the presentation completely.  I have done it before, it is not really an issue. 

This Working Group produces first report here at IGF.  We released it on Tuesday.  Next slide, what we did is a Global comparison of procurement policies of Governments, next slide.  The group tried to see how many procurement documents are available on the Internet.  But also to see if they're from the Government or from the Private Sector.  What we found are only public documents.  We found 11 ‑‑ Mallory, you can take over right away.  I'm only at the first slide.  Sit and present if you like.  Great timing.  On the first slide.  Explaining what we were trying to achieve.  This is Mallory Knodel.  Mallory Knodel did the whole planning and part of the research she was responsible with Liesyl for the report.  Mallory, great to have you here.  Please take over from me. 

>> Mallory Knodel: How much time do I have, I don't want to go on and on.  About 10.  Good, right.  So sorry to interrupt the whole flow.  I was at a different session and it just ended.  So I'm glad to be here.  I'm glad the timing worked out. 

The first slide where we're really explaining what the goal of this work has been defined as.  When we look at the procurement and supply chain management and business case, that is in addition to other tactics where we can further the security standards throughout the Internet. 

At this very particular point we want to consider what is the Internet Governance's role in this work?  How could the IGF from where it sits and stakeholders that participate in it, benefit from the research and perspective and guidance when talking at a high‑level about norm setting around the recommendations for procurement and for supply chain management.

We will go to the next slide, please.  Do I have to do that myself?  Great, great.

Of course we wanted to then in the plan, you know, figure out where we're headed how we'll get there.  It primarily to me seems to be a research project.  Assuming there are in fact many procurement guidances out there already.  The question really is do they include and consider security standards?  And if we are creating new guidance at the Global level we want it to be impactful and to be taken up.  Part of the research figuring out what already exists in the space is an exercise in finding out who the main stakeholders would be and ensuring the work‑product that comes out is any good.  That is what the slide really tells you.  The text is too small for you to read here.  But we identified the outcome as meeting global Internet security standards is a ubiquitous baseline requirement in any public or private Sector procurement and supply chain management policy.  The objectives speak to the outcome I mentioned.  We want to fully scope and map the variety of procurement policies that already exist to determine what are the current challenges and opportunities for people setting the policies? 

The second objective is to make sure we can distill that into actionable guidance for anyone writing these policies, or refining them for that matter or implementing them.  The last thing is of course, we want to create a group and community, Dynamic Coalition around the work so it continues and is strengthened by reiteration and research.  Those are the offenses.  I will not elaborate each one, but suffice to say this is the first bucket.  Looking at the early stage of the research itself and the scope of what we're up to.  That is what we accomplished with the first research paper.  The next, where we distill it to real guidance, building a community of practice around this.  That comes in the years to come.  Next slide, please.  Yes.  This is what our survey achieved.  We really just had to of course create a research question.  Create subquestions, actually go out, find source material to question, you know, be curious about.  What is done by others on procurement and supply chain management guidance?  What is out there.  There is a really uneven spread.  We sort of assumed at some point we would hit a gold mine, maybe a regional document created and all of the countries in the Region followed the document.  That never really actually happened.  In fact, it is patchy.  You have some European countries that have done something and you have some Latin American countries, but it is not even.  It is actually not clear where this sort of norm setting could happen which indicates that there is a gap and this is something we can do.  The next slide, please.  I'm not going through the terminology, but for the purposes of the paper we try to define what the concepts mean.  Next slide, please. 

So the methods was really quite straightforward, it was desk research.  We didn't get to a stage where we would do interviews with people.  I felt like that might be next phases where we look at what kind of guidance is helpful and actionable.  You talk to people that have done this before and understand what they have done in a qualitative way.  It was let's find the documents we can that seem to fit the brief, read them, break them down.  We created subquestions when asking, curious about only procurement that talks about cybersecurity, not our procurement.  We don't care where people's pencils come from.  And distilled it to ‑‑ they had to be published.  Then we were looking for clues that security standards would be present in those documents.  Next slide, please. 

Yeah, I think this is a start forward.  I want to say we take care in making sure we have representative samples.  We were hoping to have a spread on language.  That was a challenge, the main researchers were English speaking.  We wanted to make sure not just Global North but also Global South we looked for similarities and also gaps.  Next slide.

In order to present the findings, we did track the findings as looking through these.  We struggled out how to present the findings because it was a patchwork sampling and not the synergy we expected.  We adopted an existing framework that comes from NIST.  That takes cybersecurity functions and breaks them out.  This allows us to be more incisive as we were instilling the advice.  In the report it helps orient the reader to the NIST framework so you can see why we rationalized presenting the findings the way we did.  Next slide.

The conclusions are the most important part.  I won't rush through so much.  I will let you read them.  I will point out a few. 

So actually I will point out two.  I will focus on the Netherlands for both of them.  You know, we can all be proud of how well the Netherlands has done in this area.  It is something to expect going into it but specifically what we thought worth mentions, one of the few procurement policies that mentions standards at all was the coming out of the Dutch ministry.  I cannot pronounce the name. 

>> OLAF KOLKMAN: We just had a presentation. 

>> Mallory Knodel: They turned up in our examples that will make it to our guidance to follow.  Next slide.  The other real confusions here are worth mentioning is where this research points to future work.  It was our intention to not really do anything new with this research and but the way with regard what could have been done.  We make a case on why we should take future action.  This is for others that want to take up the work and use the IGF as a platform to move some of the significant worked for open cybersecurity standards should be points of reference.  There is an opportunity to make use of that.  There are international Treaties that also could be translated into compliance mechanisms that could implicate supply chain.  There are many places that don't have stand alone documents or that haven't used them openly whoop we can give that caveat.  That is the opportunity to do that and encourage it.  If you maybe you ought to consider it because it is important.  The fourth future work area is we being also, you know, develop these frameworks.  Right?  This I imagine is in the larger work within the Dynamic Coalition where you connect this strategy as one of many to the larger work being done in the framework. 

There is a need for proper documentation in the sense of monitoring, evaluation of how it works when there is an incident, folding that in, trying to learn from it in the context of procurement.  The very last thing is just it would be great in the IGF to leverage multistakeholderism and offer coordination.  This might be a conflict of interest with industry and Government especially when industry go after the procurement contracts.  But in fact, that ability to collaborate and work closely would have good effects.  That should be the last slide.  Maybe we see.  Of course, contact us.  This is all information that is also in the report itself.  You don't have to worry about this slide.  I think that's it, then.  Thanks.  I hope that was on time. 

>> OLAF KOLKMAN: That was perfect. 

>> Wout de Natris: She voiced it better than I could.  Thank you, Mallory Knodel for joining us.  This is not on the slide, but from the other research we have gone from IoT security, what we see is the same what comes out here.  This open Internet standards that we are talking about are almost not recognized by Governments, not in policy papers or in legislation which we are not advocating here.  The fact that Governments don't recognize the existence of exactly that what makes the Internet work is worrying.  Does it mean that they don't know these exist?  They don't understand what the implications are if you don't protect that inner core of the Internet.  So that is a question that comes up in all our research.  We went through procurement study and Global comparison study with the recommendations and conclusions we just saw.  We have a Working Group that is called prioritizing and listing existing security related Internet standards and ICT Best Practices.  What this Working Group has done and just like the procurement thanks to the right community funds that graciously funded this work, is that if Governments are to start procuring, there are probably 10,000 standards to be procured.  It would be hard for someone that doesn't know they exist.  We got a team of experts and asked for the most urgent existing open security standards out there.  It won't be surprised we asked the project manager to step in to help. 

With people in India, from Latin America, from Singapore and a few other countries, they got together and started talking.  And through the past months they came up with a list on consultation since last Tuesday.  What we tried to do is provide decision takers and procurement officers involved in ICT procurement with a list containing the most urgent Internet standards.  So they can actually have a tool to start working with and start understanding why this is so important.  Then comes the Working Group I mentioned, the narrative that is going to be another component of this whole thing, the IS3C is trying to produce.  Next slide.

So as I said, that there is a consultation going on since the 10th.  You are happy to join it.  The link can be provided at any moment.  It closes Sunday, November 5.  What is it exactly that we are consulting?  Next slide.

What did our advisory panel do?  First, to grasp the meaning.  After that they decided it needs scoping.  And scoping came down to four parts.  You can see that three of the four are the same as what was presented now by Annemiek. 

The first one, the standards had to be interoperable.  You don't only protect yourself, but you protect somebody else.  Somebody else has to protect you.  It is about two sides that need protection to have an effect.  The second one is they're all security related.  These are a lot of other standards.  All of the standards have to have an open process.  Available for everybody.  You don't have to pay for them.  You can access them and start using them without having to become a member of an organization or without nothing.  You can just find it on the Internet and deploy them.  And finally, they have to be proven as a success.  So others must have deployed them as well and successfully. 

That is number four is different from the form standardization.  You can see this is an influence coming from other parties as well.

When we decided on the scoping we came to categories.  After a lot, lot, lot of discussions, we came to four categories.  The first is data protection and privacy.  The second network and infrastructure security.  The third is website and applications, web application security and finally communication security.  What was debated the most, fifth one Cloud security.  That is one of the biggest topics out there at the moment.

Most of the exteriors said no.  Because these four categories go for the Cloud so we don't need a separate Cloud component.  They all function in the Cloud.  So the Cloud should adhere to the four.

The next step, we had that and start thinking about which standards are actually going to be in the list?  That proves a lot easier than the scoping and categories.  That was done in a few days.  Everybody more or less agreed except for those that want that one, that one.  We want about 40.  That is manageable.  We have a concept list at this point in time.  Next slide.  I'm not going to mention which are in there.  But a lot have been mentioned by Annemiek because the most urgent one will be in her list.  There are differences.  Other people from other places in the world stressed and know the standard.  That is what we will do next.  In this consultation document, we explain what we tried to do.  We motivate with arguments the decisions that we make.  We want the wider community and the world to come in as well.  Tell us if we are scoped right or give us good arguments to change it.  Make good arguments why we need another category and suggest other standards. 

So if that happens, then in the second half of November we come together as an expert team and I am the cared coordinator.  I'm a storyteller in the field.  It is decision time.

We will decide ‑‑ the experts will decide whether the standard will be in there or not or that the Councils are changed based on the arguments made.  Hopefully by December we are able to present the tool and have another tangible outcome of the IGF process.  That then needs to be proliferated and what Mallory says.  It is something that will go immediately under her report.  Present that as much as possible and share it.  From there, hopefully get the traction to improve procurement policies in the near future.  That will be a second project.  With that I conclude.  Thank you, Olaf. 

>> OLAF KOLKMAN: Thank you.  I promised I would give question time.  I will allow for questions.  I hope there are none.  Because then we will be exactly in the planned time scale again. 

I have a question but I will leave it until after the session so that yeah? 

>> ATTENDEE: (Off mic) ... oh, I have a question about the testing website for in the Netherlands for the website which is really working well.  I just tested my own website and it was 100%.  I want a T‑shirt.  And I think it would be a really good idea, that is what you are doing here as well, to promote use of the testing websites internationally.  But there may also be some interesting advancements of the Dutch website.  For instance, I'm thinking of a few more soft standards, such as accessibility or maybe in the future testing the sustainability elements of your website.  So I would love to make a strong case for including those kind of standards on that website as well. 

>> OLAF KOLKMAN: I think people responsible are in the room. 

>> (Off mic)

>> Annemiek Toersen: We're not responsible for that.  People can apply that.  It is obliged in the Netherlands.  WCHG.  I know there is developing in the Netherlands also at Ministry of Internal affairs and infrastructure also are combining Internet with other dashboards like accessibility.  People are thinking about it.  Now it is a thing to get all the ideas together.  Because everyone is inventing the wheel again.  It is not good of course.  It is a good issue you point out, Valerie.  There must be more experts to combine this and one dashboard.  We are pushing that as well.  Good suggestion.  Thank you. 

>> OLAF KOLKMAN: Person at the mic was Annemiek Toersen.  For the record. 

I just noticed something.  We often forget that the sessions are made possible and accessible actually on that point of accessibility by people doing real work.  I just saw a name in the Zoom room.  Rochelle is doing the captioning.  And I would like to thank Rochelle and her team for her hard work here.  Because it really makes a difference in these type of environments. 

Let's see, yeah, I think that is appropriate. 

(Applause)

Satisch Babu, you have perspective from India? 

>> Satisch Babu: Thank you, Olaf I'm Satisch Babu from India I will share two or three slides for what we are doing in India, inspired by the Dutch initiative.  I will skip this.  The background of what we are trying to do is the first kind of step was in 2016 when some of us founded the India school on Internet Governance.  We started cooperating with the GFCE, Martin and I together in ICANN.  You know, we talked and decided to have a collaboration with GFCE.  2018 we had the first workshop.  Olaf was there in Delhi for the workshop.  This was a day 0 on the India school on Internet Governance.  This was Internet initiative of GFCE, a Global Forum for cyber expertise.  We repeated the workshops, 2018, 19, COVID, 22 and couple of weeks back, 23.  It is part of NSIG.  It is to enhance trust on the Internet with international standards, norms, Best Practices.  So in the 2030 edition we announced the India Internet initiative, that is a transfer in the DT3I and tries to measure the complaints of the standards to the website.  The DNS and email to modern security standards.  We made a list of 400 websites, the most popular websites in the categories, Government, financial institutions, sports institutions, et cetera, et cetera.

We ran it through Internet.NL on a scripted basis.  We have the numbers now, the limited numbers, we're trying to explain the numbers.  Not going to release individual information of a particular website.  But in the groups we can compare.  Getting a good picture of the current status of complaints and it is pretty bad.  We're trying to monitor this every six months and see the transition what happens, you know, over the period of time? 

So in India, the whole digital thing is very important for us.  India is betting heavily on digital technologies for its growth.  It made several strides in Digital Transformation.  For example, the digital public infrastructure called India stack.  Multiple digital public goods including when COVID was there we had a huge website for vaccines.  Now, India is one of the most populous countries in the world, if not the most populous.  What application we built it has to be scalable to the citizen.  These are large applications and include financial health, logistics, the smallest villages we see people using mobile phones to move money. 

Some are nervous with this growth.  It is good in a way.  If you look at the underlying core Internet itself, you find they're not complying to the latest standards.  This is worrying.  That is why we kind of created this initiative.  This is completely based on volunteer work. 

Currently we're trying to raise seed funding to create or recreate an Internet.NL kind of thing for India.  We have mentioned accessibility and there additional requirements.  One is the multilingual part, and the universal access which is a challenge.

This is when you create a domain name in a script other than Latin.  Say Hindi.  You create an email out of it.  We find that email does not work.  It does not work on many websites.  The reason is that the preliminariers who created the software have not programmed for these kind of email ID.  This is a huge problem, it doesn't work at big tech companies like Google.  ICANN is trying to resolve the problem.  In India, we have to test on these as well.  Trying to add to the code while making it open source itself.  So people can use it.  If you are trying to recreate the Internet.NL with features with specific requirements.  We plan to disseminate the results to all stakeholders in the guarantee.  Hope to be pushing them to adopt the standards.  As was mentioned earlier, like many other countries, point has no law that says you have to comply with this.  If you are working bottom‑up to get the institutions to start implementing the standards.  I will stop here, thank you very much. 

>> (Off mic) 

>> OLAF KOLKMAN: I need to use the microphone.  That is true.  Thank you for that.  That was clear, concise and comprehensive.  Thank you.  The Brazilian situation.  Gilberto Zorello and Flavio Kenji Yana.  Let's see if Gilberto Zorello is audible.  Can you speak something?  We hear you here.  I hand over the microphone to you and to Flavio Kenji Yana. 

>> Gilberto Zorello: Okay.  I'm sharing my presentation.  Can you see my presentation? 

>> OLAF KOLKMAN: Yes, we can. 

>> Gilberto Zorello: Okay, good.  Thank you for the opportunity to participate in this event.  I'm Gilberto Zorello.  I am a manager from the Brazil Network Information Center.  We make decisions and project design by Brazil Internet Steering Committee GCIBI, which is responsible for the coordination and integration of all Internets and initiatives in the country.

This is about the top, in Portuguese or test standards in English.  Based on the Internet tools.  In the security that must be adopted on networks on Brazil.

We're proposing the standards to Brazil.  That is the idea.  That is the Agenda for the presentation.  And about NIC.BR, the information center.  It is nonprofit civil entity that since 2005 has been assigned with the demonstrative and operational functions through the dot‑BR domain.  In addition to maintaining domain name, research, activity.  NIC.BR goes beyond similar countries.  We have actions that brings a serious benefit to improve the Internet in Brazil.  With revenue collected exclusively through the provision of the domain name registration.

Some of our efforts are focused on many Sectors of Brazilian society.  Disseminating knowledge about Best Practices.  To be adopted in networks and related areas.  In some case we threaten relationships with private, Governmental and nonprofit entities, to create the adoption of Best Practices to be adopted in Internet services.

The top project here in Brazil.  The broadcast was developed by NIC.BR for websites, to create the connection.  It use open source code, provided by the implementation.  It is part of the Programme of safer Internet.  In Brazil.  Which works with ISPs.  Internet Service Providers and equipment operators to disseminate the best security practices that they should implement on their respective networks.  Then BR in Brazil using this Programme, the part of this Programme.

The operation was started in December of 21.  And can be assessed by top.NIC.BR, domain.  A little about the Programme. 

The Programme is act in support of the Internet technical community in reduction of denial of service attacks.  CERT.BR, the team inside the NIC.BR sends notification to the technical community in Brazil, about the problem. 

Improvement of the natural work surrounding security are MANRS recommendations.  That is an Internet Society initiative.  The Programme spreads, then the security best practices, top recommendations and disseminated the best security practices for configuration websites and e‑mail services from top recommendations.  It is the encouragement of implementation of IPv6 in final users and Internet services, using top as a testing tool.  A testing tool.

There is plans of action performed by NIC.BR.  There are several teams inside of the NIC.BR.  Cept.BR is security. The CEPTRO is the history list domains.  IX.BR and systems.  The groups create technical teaching materials and some good practice.  Raising awareness aimed at targeting co‑community, bilaterals.  Of course, training, directing direction with network operators.  Bilateral meetings to explain how to implement the Best Practices and recommended in the situation. 

Defining KPIs to monitor the effectiveness of the actions, some ideas and results of the plan now.

We have some studies, this shows the quantity of the IP address notified with this misconfigured service.  Noted a reduction since the beginning of the Programme.

Now, the reduction is about 70% of this kind of problems.  The other issue that we're working inside the Programme is implementation of MANRS in Brazil.  This statistic shows the distribution by country of Internet providers.  Brazil has the largest number of participants and it is increasing every year.  25% upon of matters participants comes from Brazil. 

Now we have some numbers for the top implementation.  Started at the end of 20, 21.  We have some, we are increasing the tests.  Study shows the number of connection test and presentation of the DNS server and users with the IPv6 implemented.  And the percentage of service that is validated using SSEC. 

And now statistics about the website test.  The number of domains tested.  The number of (?) top test and number of sites that get tested 100%.  The Hall of Fame in our case.

It is similar to ask for email tests. 

Many associations ‑‑ ISPs, Internet Service Providers, associations support the Programme here in Brazil. 

Of course, TOP, Academia, too.  Academia is our RNP.  The connection is accruement operations and other association.  Here are the association of Internet Service Providers. 

Brazil has more than 10,000 Internet Service Providers.  Small and medium operators, around the country.  It is a specific situation of Brazil.  We have of course, incumbents, responsible for about 50% of the Internet draft.  The rest of the traffic, this is small and medium operators, responsible for the will watch for the rest of the track in Brazil. 

The remarks of implementation. 

Top was delivered end of 21.  Running version 1.4 of the Internet ‑‑ no.  Today, we don't have (?) It yet and RPKI.  And 1.7 version is implemented in test server.  We are now validating the implementation.  We intend to deliver the end of this year. 

The best recommended from the tool to NIC.BR to technical community in Brazil. 

The idea is the best practices, propose, the technical community.  In Brazil, together with Best Practices of MANRS and Best Practices by the CERT.BR.  And two being together with the Programme in the country. 

The technical events for specific Sectors such as Government, Academia, Internet operators. 

The accounting area of Brazil's legislature carried out many tests, a month ago.  The Government just started using the tool to test their sites, but they are ‑‑ this is in the beginning.  That is the point in Brazil.  The up to provides important indications of the implementation status of the recommended Best Practices and provides a baseline for operator, to prevent them in their networks.

That is a main point of the talk.  They created a baseline.  This operator just under this line, they work to get this baseline.  It is a very important it tool so we were confirming, and it is continuing the donations and it is a challenge to keep up with the evolution of the use of this here in Brazil. 

That is my short presentation.  We are ready for any questions if you have. 

>> OLAF KOLKMAN: Thank you, Flavio Kenji Yana.  Is that a question? 

>> ATTENDEE: (Off mic)

>> OLAF KOLKMAN: Thank you for this Gilberto Zorello.  Happy to have you with us.  We are exactly on the dot on time.  It is ter to 3:00.  Are there any questions? 

I'm looking around and online.  There was a question earlier whether the sessions are being recorded.  And they are recorded.  Will be made available on the IGF website later.

I do have a substantive question, though.  I'm not quite sure who on the panel could answer that, maybe somebody in the audience? 

Takes a little bit of introduction.  In Europe, we have a regulation.  It is quite involved.  Regulation 1025‑2012.  This is a regulation from 2012.  Which allows the identification of technical specifications that are eligible for public procurement.  There is a whole procurement law in Europe, which I am not a specialist on.  The idea was that specifications not made by formal standards organizations, like ETSI, ISO, ITU, and national standards bodies, would need to be white listed, identified to be used in European procurement and perhaps in the Member States.  I don't know exactly.

The standards from Fora and consortia are not on the list by default.  The fora and consortia are IEEE, IETF, W3C, all of those type things.

When the Forum was set up, we went through quite an extensive process to white list a number of standards DSEC and others are in there.  There are a couple of them.  That process halted.  This is not to comment on the practice.  More on the question, if you do procurement do you run into the situation that the public authorities can only refer to standards made by formal standards bodies?  That was a long‑winded question.  I think the final question said it all.  Yeah. 

>> Wout de Natris: What I can share here, is that when we started the Dynamic Coalition, the Commission pointed us to a person involved in the process with the Member States.  When I talked to them, basically it came down to we're not doing very much because it took more than one and a half years before we could talk about an open standard, let alone it was validated by the Commission.  That is the last news I have from two years ago.  I don't know what it is now.  They never came back online to me since.  Maybe you know more Alissa.  It was not an encouraging answer I got from these people.  That is what I know.  The question is how did the Netherlands come up with the comply and complain list? 
(Chuckling), I'm sorry.  I'm tired.  Explain list where they validated or decide it makes common sense to have this on?  Do you know? 

>> Annemiek Toersen: I don't know ‑‑ I don't finish it is on the list. 

>> Wout de Natris: Have they been whitelisted by the Dutch Government or just decide we have to have them on the list.  Because in Europe they're not validated in the European Commission. 

>> Annemiek Toersen: I'm not sure, if it is IETF or who is doing it.  IETF.  A lot of organizations like NCUC.  This is important standard.  We adjust it.  If more organizations, you want the proven experience that it is practiced.  So that is one of the criteria.

In order to come in compliance.  Explain this. 

>> OLAF KOLKMAN: I think we have a research question here, looking at Mallory. 

>> Mallory Knodel: To say, this doesn't come up in our research because we weren't looking for it.  It could be maybe a separate question that could be done.  I think the source material for this is different as well.  It is ‑‑ maybe you are actually asking in practice how does it work.  It could be qualitatively done.  Anecdotally, there are U.S. companies when they consider going for a contract with the Government in Europe or tendering.  They will initiate the standardization then.  It could be the workflow, if I have a technology and I would like procurement in the EU, then I need to demonstrate I'm using for this are either in existing bodies listed, or you can initiate the white listing at that point.  Or technology that is not standardized at all.  You should start doing in ETSI because that is the quickest track.  I know companies have that calculus in their head for contracts.  It is not always a predetermined, oh, I know the standard is important on the European market.  It might come when the market trends actually happens. 

>> OLAF KOLKMAN: Are there other questions from the audience or ‑‑ oh, go ahead. 

>> Wout de Natris: Thank you, Olaf.  Is Kevin still online? 

>> Yes.

>> Wout de Natris: I have a question for you.  The Internet.NL, the standards there is often ‑‑ something is added to it.  What is the next you are thinking of?  How did you come to the decision to add that standard?  What is the next phase?

>> Gerben Klein Baltink: It is the same as explained on the Mica.  Participants in the Dutch Internet standards Forum can contribute by asking if you agree with universal acceptance as one of the standards to be considered, it should be added to the test environment.  The process is simple, if everybody agrees that it is a good standard to dive into, the next step will be that we look into available tests already.  From the international community open source.  If they are available how will they combine.  Can we implement them in the test tool?  If not available we will create our own, and sometimes it works as well as finding stuff already open source online.

Sometimes you have to conclude, another, in relation to the sustainability standards.  They don't integrate too well in the current test environment.  We decide to promote them.  Have a new featuring universal acceptance and the acceptability standards. 

We will keep them more or less as spares for the future when we have the resources or technology available to include them.  That is more or less the process.

>> OLAF KOLKMAN: As we learned from the other session, sometimes there was another session on Internet this week.  Sometimes it is impartial to measure Lao something, route validation, we were talking about security in that session.

Looking around once more.  Going ... going ... gone! 

That ends this panel.  I think what we learned here is that there are tools to increase the visibility of the standards that are needed to secure our Global environment.  Name and shame in the form of Internet.NL.  More name than shame.  Granted.  But also procurement methodologies, making sure that the initiative is felt where it is felt most, namely in the wallet.

I think those are great initiatives, I think the next thing that needs to happen is more guaranties or environments or Regions start using tools like this. 

So we have another deployment issue we need to tackle.  With that, I leave that in the good hands of the Dynamic Coalition.  And would like to all thank you for being here.  Have safe travels home.  Have a good sleep.

(Chuckling)
Consultation, yes.  Yes.  The consultation, maybe that slide can be reprojected quickly.

>> Wout DE NATRIS: Let me just tell it. We have a website, www.is3coaltion.org. The reports that I mentioned can be found there.  The consultation is there.  And the Google Doc.  Everyone with the link can make remarks.  It is closed November 5.  Thank you for the opportunity again, Olaf. 

(Applause)