IGF 2023 - Day 0 - Event #23 On how to procure/purchase secure by design ICT

The following are the outputs of the captioning taken during an IGF intervention. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid, but should not be treated as an authoritative record.

***


>> MODERATOR WOUT de NATRIS: Welcome. It's working. The other room the light was on. Now it's on. Welcome to the IS3C session "On How to Procure/Purchase Secure by Design ICT". What you saw online almost doesn't exist anymore in the invitation, because the people listed there aren't here and are not able to be present online.

So we changed it around a little bit, but not a lot. My name is Wout. I'm the coordinator of the Dynamic Coalition Internet Standards, Security and Safety Coalition, IS3C. We have been around since the virtual IGF of 2020. We launched an idea and we had to find people, funding et cetera to start working.

On my left side is our Senior Policy Advisor, Mark Carvell, and the Chair and Vice Chair of our Working Group on DNSSEC and RPKI Deployment, and why that is relevant we will explain in a little while.

When we got to 2021 we were able to present a real plan. We introduced three Working Groups: one on IoT Security by Design, one on Procurement and Supply Chain Management and one on Education and Skills.

In 2022, we presented our first report, from the Education and Skills Working Group, which is having its session right now. I had to run out of it to moderate two sessions at the same time, which as you see is impossible. Luckily the Chair of Education and Skills took over.

As you see, what IS3C does is not just try to produce a report or an idea; we want to translate it into actions and something tangible. That is in line with what the Secretary-General of the UN is striving for: to have the IGF come up with tangible outcomes.

In that room, Room E, the idea of a security hub is introduced. The idea is, still in that hub, to translate outcomes of the Education and Skills Working Group into something that universities and industry together could start working on, to make sure that the knowledge gap between supply and demand in education is somehow solved.

So that is what is happening today here as well at the IGF.

We are here for different reason, I will put on my glasses to be able to read a little bit.

This is on procurement. And why procurement?

In the first place, because in our opinion when we talk about cybersecurity you always see it's about mitigation. It's always about having to buy some anti-virus, to have a firewall installed, to have a cybersecurity institute, a C-CERT or CERT of a government or big organisation, but that's after you got into trouble.

The internet runs on internet standards created by the technical community. These standards were created somewhere in the late 1960s up until, let's say, 2000.

In that time period it wasn't necessary to think about security. That's basically what Vint Cerf says these days: if we had known where this beast would go, based on something they created in 1972, then we would have done it differently, but we discussed it for about two seconds and thought, we know everybody who is connected, so why do we need security.

Twenty years later, slowly but surely, the whole world started to come online, and that is where the problems we run into come from. David can tell you more about that, more eloquently than I could in English and with the knowledge he has compared to what I have.

Why procurement? If governments would start procuring secure by design, they would demand these internet standards to be in place. When they buy software, that it is tested software and not something that just comes off a shelf without knowing what it is.

When you create a website, you build it according to the latest standards of security and not something that has holes in it all over.

So, on procurement we started this Working Group in 2020. To my surprise we found there was very little interest. We couldn't find funding or people. Except one person said, I want to Chair this. She wrote a whole programme and we had to wait two years until we found funding from the RIPE organisation and its community fund. They met in January and February; we are able to present our report. Mallory Knodel and Elizabeth Orembo are supposed to be here, but they are travelling.

They are online. I think they found 11 from 11 countries. Asking around we found three more. We couldn't find anything in the private sector. We asked thousands of people, could you share, even if it's anonymised, something with us so we can do a global study.

If it's not there, that's the caveat we have to make: is it because there's nothing, or is it behind bars somewhere where no one is allowed to look at it? The ones we could study show an awful lot. Most of them don't mention security in any way. When they mention security it's not cybersecurity. And if it's cybersecurity, that is not about these sorts of standards but on the mitigation side, and not on the prevention side. We have one exception we found, in the room. That is Annemieke there: the Dutch government has standards that are all but mandatory to deploy. That's the only one we could find in the whole world. The Dutch government also developed internet.nl, which allows you to check if your organisation or any other organisation has security in place for the domain name, for routing, et cetera.

So that is what the situation is. The report will be presented on Tuesday in our own Dynamic Coalition session, and again in the open forum with Forum Standardisation from the Netherlands on Thursday.

So we have found very few documents on government procurement and none from the private sector. So can we draw very firm conclusions? The answer is no, because perhaps there is a lot more in the world; we're just not able to access it.

Can we draw some conclusions anyway? I think the answer is yes, we can.

Because it's quite obvious, as I said, that internet standards are not recognised. And I think that is something that is important to understand.

The internet runs on internet standards. And if we talk about the public core of the internet and defending the public core of the internet, that is not only about the physical cables but also on the standards that make that internet run.

And if they are allowed to be attacked 24 hours a day by anyone who feels like attacking and abusing and misusing it, it's a question why are governments not recognising these open standards in one way or another?

So I think that is an important conclusion that, despite discussions on defending the public core, the public core is not recognised for what it is. So how do we make sure that happens?

I think that there is, in other words, a world of security to win for everybody. But we have to stop talking about prevention only -- sorry, about mitigation only; we have to start talking about prevention. The fastest way to do that, in our opinion, is procurement.

Then the next step is: how do we convince people in decision-taking positions to do secure by design and renegotiate a contract so that you bring in these sorts of standards?

And that is one of the Working Groups that we are starting this year. It's called DNSSEC and RPKI Deployment.

We took two examples. But we don't start talking about it in the way that's been spoken about for about 20 years. We are going to try to change the narrative. I will give the microphone to David in a few minutes.

What we would like from this session: I said about everything I wanted to say about this topic. We would like to learn from you. What is your experience? What are your ideas? What could you contribute to this discussion? And from there see what we can go home with. As I said, we are introducing this concept of a cybersecurity hub. How can we activate it and make sure the right people start working together from the different stakeholder groups and come up with tangible ideas that are translatable either into direct programmes or into capacity-building programmes, or whatever we like to call it. The fact is something needs to change. The discussion has been running in the same direction for a long, long time without very noticeable changes.

So how to convince decision takers of secure by design? I think that's the starting point. So David, I will hand over to you right now to explain what your plans are.

>> DAVID HUBERMAN: Thank you, Al. Good afternoon, my name is David Huberman. I'm with ICANN. One of the things we are trying to get people to understand is that when they pick up their device and they watch a TikTok video, or they send an email, or even if they are involved in a chat, a group chat on WhatsApp or LINE or just SMS, a lot of people think, well, that's the internet. But it's not. Those are applications on the internet.

In fact, they run on a whole system of routers and servers and switches and firewalls, all of which are the underlying framework on which we use these applications.

This system, this framework, is built on common protocols, and there are two protocols that stand as the foundation for almost all of the modern internet. One of them is called BGP, the Border Gateway Protocol. It's the system of routing, how networks talk to each other.

The other is the DNS, the Domain Name System, which is used as the backbone of communication so we can use semantic names that we as humans understand and translate them into the IP addresses that computers understand.

Now, as Wout noted in his conversation with Vint Cerf, BGP and DNS are very old protocols. BGP was standardized in 1995, and DNS is even older than that; it comes from November 1983. It's going to turn 40 years old next month.

When we developed these protocols the intention was to get them to work. We want to push packets to and from networks. Did you get it? Did it come back? Yaay, it worked! What's nice about these protocols is they scale. The reason we are using them 30-40 years later is they scale infinitely. But as Wout noted, they weren't built with security in mind whatsoever.

So over the last 20 years, what the Internet Engineering Task Force has been doing for BGP, one of the primary ways of securing routing, is a new system, RPKI, Routing Public Key Infrastructure. Essentially, it allows providers to talk to each other but authenticate the origins of routing information.

This has a lot of benefits. It protects us against malicious hijacks of routes. It protects against accidental misconfigurations, and hopefully it can help prevent IP spoofing and other things that attackers use to do bad things.

DNS has a similar suite of security tools that we call DNSSEC. That's very important, because when you go to a website, when you go to www.UN.org, we want to make sure the data you get back is the data the people who run un.org want you to have.

These security enhancements to these two fundamental protocols can significantly increase the security posture of the entire internet ecosystem for all users in the world.

And yet, the adoption of DNSSEC is about 25% of all the domain names. And RPKI, while it enjoys much fuller deployment, especially in the ISPs around the world, we are still working on increasing the deployment to all the networks that participate in the global routing system, to get them to digitally sign their routes so everybody else can validate them.

So how do we increase penetration? How do we increase this deployment? This is what one of the newest Working Groups of IS3C is working on. We put together a panel of world-class experts. And we are developing a new narrative that we are going to test against decision makers at ISPs, decision makers in public policy, and decision makers in network operations, to help motivate them to increase the deployment of these very secure protocols that in 2023 ought to be a baseline standard that everybody adopts.

>> WOUT de NATRIS: Thank you, David. Annemieke?

>> ANNEMIEKE TOERSEN: (Off microphone)

I will start again. The Dutch government is using a “Comply or Explain” list for ICT services. On that list there are about 40 standards, open standards, including general standards but also 15 specific ones, for instance internet safety standards. They should be used in ICT services.

We have a process for organising that. That means maintainers can tell which standards should be on that list. And we organise with experts from all over the Netherlands to see which standards should be on that list.

And those open standards are recommended. And we suggest them. So we cannot, how do you say that, give penalties if they don't use them. We just suggest those standards. And if they use them in their services, we name them. So we are not shaming them, but we are naming them, in order to adopt standards more positively, more increasingly. Besides that comply or explain list, we monitor.

So we are monitoring those standards, especially in procurements. So all the tenders in Holland, in the Netherlands, that we do for ICT services by the government, we research. And if there are no standards used in the procurement, in the tender, then yeah, they should explain it in their annual report.

Monitoring is very positive for adoption of open standards, because twice a year we monitor the internet safety standards. And we offer that to the parliament, actually. First it goes to the Ministry of Internal Affairs. We say, you are doing well, or not so well, you have to increase. We use the tool Wout mentioned, internet.nl, which is very sufficient to measure this.

We publish the figures. So it's more like naming and a little bit of shaming. And in addition, we have community; we encourage community. We use this internet.nl tool in order to get into discussion with large suppliers. For instance, Microsoft using the open standard DANE. In the Netherlands, it turns out it's not used, as you might know. And in discussion with Microsoft, one of the suppliers, we found out that they are open for discussion and they will change their email server with DANE, and that is a very nice announcement.

In the coming year they will do the full DANE execution, I understood. So therefore, we use internet.nl for community, and for getting cooperation with other suppliers. And it's very nice to have. So those are the three points: mandates, monitoring and community. Thank you.

>> WOUT de NATRIS: Thank you, Annemieke. Sorry for putting you on the spot. I think that's a nice explanation. If you are online and you go to internet.nl, just type in any domain name that you can think of and you will see the results popping up within a few seconds.

David wants to respond first.

>> DAVID HUBERMAN: Thank you. What the Dutch government is doing with this is an exemplar of a really nice way for government and public policy to integrate with the world of internet standards, which is primarily an engineering-based endeavor.

It's interesting, we are here today, those of us in the room are here in Kyoto. And for those of us who aren't from this beautiful country, there's something we all have in common right now. We all have brought along with us these little travel adapters we use when we want to charge our devices. Why? Because the shape and the voltages of the plugs in Japan are not the same as the shape or the voltages that we use in our home countries. Why is that? We have a set of standards for some countries and other standards for other countries. We have lots of standards but no global standard.

In my wallet right now you will find Japanese yen, you will find Euros and you will find American dollars. It's funny because they all do the same thing. I hand them over to someone when I want to buy something from them. The purpose of currency in 2023 is very straightforward. I give, you sell, I give.

It's the same purpose around the world, but we use different currency.

In Japan we drive on the left side of the road and the steering wheel is on the right side of the car; in other parts of the world we drive on the right side of the road with the steering wheel on the left side. It's not only challenging for us as drivers but challenging for manufacturers; they have to have a whole different set of standards for safety and operation when the steering wheel is on a different side of the car.

Internet standards don't work like that. Internet standards, from the beginning, from 1969 with RFC 1 through today in 2023, we have almost 10,000 published standards. Internet standards are intended to be fully interoperable all around the world, whether you are in China or Kenya, whether in Paraguay or Iceland.

No matter where you are in the world, if you are online on the internet, we are all using the same standards. And that's really important, because it allows for a fully interoperable, fully global internet that itself enables innovation. It's because it works everywhere that people are able to develop applications and platforms and do amazing things, because it works the same way no matter where you are.

And this is where the Dutch government and other governments can really show leadership, because in the development of those standards, it's 2023, the internet is everywhere in the world. It's not 1969 any more. We can't develop these in a vacuum. We can't develop them as pure engineering exercises. We have to think of the real-world implications of new technologies, the implications of new protocols and protocol development.

So here at IGF this week, I am strongly encouraging governments, parliamentarians, public policy and Civil Society to become involved in internet standards development, to offer your expertise to the development process.

While at the same time understanding and respecting that so much of what we have created is due to it being an engineering-driven endeavor, and the engineers are the true experts in how to do this.

It's a real commendation, it speaks well of the Dutch government. internet.nl does a good job showing where you sit with standards. That's about all I wanted to say.

>> WOUT de NATRIS: Thank you, David. I will pause a second. From this side of the table, that's what we wanted to share with you. I think you now understand what IS3C is about, what we try to achieve, but also what we try to achieve in the near future.

From now on we would like to learn from you: how does this concept come across? Does it make sense? We would like to know also, do you know about any of the procurement schemes in your country or your organisation? But also to discuss a little the plans that David, together with Bastiaan, has to change the narrative of how to convince people in leadership to really think about cybersecurity up front and not as an issue that pops up after you bought something.

So the mic is there in the middle of the room. I can also pass a mic around.

I think the first question is, now that you have heard this, how does it come across? What did you think of this plan? Does it make sense? Would you do it differently yourself? Anything you would like to share with us that we can learn from. The microphone is there. Just introduce yourself first, please, and then share your thoughts with us.

Please?

>> Hi, okay, it's on. Perfect.

Viet Vu from Toronto Metropolitan University, Canada. This is actually opportune timing: literally two weeks ago I published a paper on the Canadian government's digital adoption. And a couple of things about how that lands with what we have discussed so far. The first thing is that the incredible thing about the Canadian government is not only that there is no standard in procurement, there isn't a single set of standards that the same government department uses.

And the problem becomes even more complex when you go down to the provincial level, which is the second level of governance. It goes Federal and Provincial. Think of US States or Prefectures in Japan. Each has their own legislation that governs privacy and digital communications. And so that creates a challenge. Now in terms of what we think might work, or the keeper that has prevented, say, the conversation on digital from surfacing to the top, it is very much just the fact that there really isn't anyone who is actually empowered to raise those issues. The Canadian government recently created the Canadian Digital Service, this out-of-government group that delivers government services in-house. It is the first time the government has done so. But at the assistant deputy minister level, that's assistant deputy minister or deputy minister, where you need the people who are kind of empowered to raise the issue of digital, there just isn't any.

In terms of the Canadian context, one person you want to talk to is Senator Colin Deacon, who is spearheading a lot of the legislative framework. I can put you in contact after the session, if that's of interest.

>> WOUT de NATRIS: A follow-up question. How has your report landed? Have you got any response from the government side? Or is it still at University?

>> It's a great question. It landed really well, actually. I did a couple of radio interviews literally before boarding the plane to Kyoto: at 9:00 a.m. I was actually giving a panel talk on the topic and at 3:00 p.m. I was on my flight here. Once I'm back in November, we are delivering a workshop to sort of high-level decision makers, we are talking deputy minister and assistant deputy minister and Director General in those three hierarchies, in Ottawa in November, on policy solutions. We know the general topic lands well right now with them.

>> WOUT de NATRIS: Congratulations. I think your offer to introduce us would be very much welcomed. Thank you.

Any other ideas in the room how this lands? Bastiaan? And the lady there. You can stand in line.

>> Hello. My name is Gunela Astbrink, chairing the Internet Society accessibility standing group. Accessibility in this respect talks about accessibility for persons with disability. And we know that there's a number of countries who have looked at public procurement for accessible digital goods and services.

And there are standards in the U.S. and in the E.U., and these have been adopted in countries like Australia and India and Kenya. And then there is, of course, this common issue of implementation. So I was very interested in the Dutch initiative. We found in Australia, for example, when it comes to web accessibility and procurement by governments, there was a monitoring system.

And then there wasn't funding enough to continue it. That's what we are hoping that other countries and systems will be able to continue that type of implementation of a policy.

I should also mention here that in the E.U. there's an accessibility act, which is going to be a directive for all E.U. countries to ensure that any supplier to a European country should have accessibility built in to the digital products.

And that's supposed to be mandatory. So we will see how those sort of systems work and it will be very interesting to see how that intersects with what we are talking about here today. Thank you.

>> That's also interesting, because in the Netherlands, Holland, we develop dashboards for accessibility purposes. Follow the Dutch government in that way and you might also be using the dashboard in the future.

internet.nl is integrated into the dashboard. So nice theory.

>> No problem at all. I have a question. Bastiaan Goslings from RIPE, together with ICANN working in a new Working Group to improve, you know, to see to it that adoption of techniques like DNSSEC and RPKI is moved forward. I'm really happy -- I'm Dutch, maybe I'm prejudiced, but happy with what they are doing here, kudos for the standardisation.

Just wondering, and maybe Annemieke you can share more there. The reasons why you set the list to comply with or explain, or mandating the usage of certain tools. Is there information with regard to the underlying policies available in English? And do you have experience talking with other governments or other agencies like yours? How do other people respond to this?

>> You mean other governments in Europe? Denmark is also using internet.nl for their own policy. And fortunately, also Australia and Brazil are using internet.nl in their policy. They have a different attitude to it, but yes.

You ask what kind of policies are behind the comply or explain --

>> As far as I know, it's open source and people can adopt it in their own language, so that's great. I mean more in terms of the underlying policies, in terms of techniques, tools, standards that in this case Dutch public authorities need to comply with, unless you think it's important not to for certain reasons. Your website needs to be available with IPv6; if you purchase cloud, it needs to have RPKI implemented. Do you think it's necessary to demand that in terms of procuring services or having public authorities comply with these --

>> You go very fast for me, but also for the audience.

Well, the Dutch government promotes IPv6 also, and the policy, yeah. I don't know actually what you mean, the policy behind it. Because what we do is we stimulate the adoption of those standards to give practical experience in the field, to show that it works. So we have a carrot, let me say it like that, in order to use it. In the field, society has the advantage of it. But I do not understand the policy behind --

>> Maybe it's so obvious that you don't have a policy behind it; you just think it's a good thing to do. Other countries, for instance, are not doing it. Is there anything you can share to help them, in terms of procuring services, that it would be good to set certain requirements with standards you would have to comply with?

>> Yes, well, if tenders are executed in Holland they follow special tender websites, and there are CPV codes included in order to support procurement departments in requesting open standards. And in addition, we explain what the standards are, because most of the people in procurement are not technical.

So we suggest: talk to your architects or to your other colleagues in your company and get to know what the technical involvement is for the execution, because the procurement department doesn't know anything about ICT and the technical things. But they know the consequences of it, or the business knows.

So talk to the business about the consequences, then you know what kind of standards you need.

Lately I had a colleague from safety, space control. And he didn't actually understand what the consequence was of not using open standards, internet safety standards.

And I was amazed, like, huh? What are you doing? Yeah, but I don't want to tender them, because then I don't have any suppliers who can offer these services. So the developers, yeah, we don't have offers. But I suggest, get in touch with the suppliers in order to explain what open standards can do for you and for us, because you are obliged to give services to civilians which are secured and safe. And he was like, yeah, but that's difficult, too difficult. I was amazed, because if you offer services as a government, you have to protect the services.

>> It's really great that you are here in order to explain and give people more insight into what the Dutch are doing here. So thanks for that.

>> We stimulate adoption as much as possible. Bringing various organisations in contact with each other, that's what we do.

>> Okay, thank you very much.

>> You're welcome.

>> WOUT de NATRIS: Yes, thank you. I think it's a very good example. You heard about the space agency. A few years ago, just before the whole pandemic started, I was invited to give a presentation to the Marine Officers' Club of the Netherlands on cybersecurity, together with a few other people. I asked a very simple question: have you ever done a cyber alert exercise or something? They will do it for attacks, or fire on board the ships or whatever. They all looked at me like, what are you talking about, a cyber exercise?

Let's take the example of one ship. How many connections to the outside world will be on that ship without you probably ever being aware of them? Because in a car, there are over 100. I always say, just like E.T., if any of you saw the movie E.T., phone home: that car is phoning home all day about whatever is going on in the engine or the brakes or whatever is being monitored nowadays.

So in other words, these are very, very relevant questions to ask of your suppliers: am I actually secure, and if not, how are you going to make sure that I am? Excellent example, thank you for that. Anyone else who would like to respond on this plan? How does it come across?

Some people will have heard it for the first time now. So how do you think that this could work?

I see people deep in thought.

So, I think that we have exhausted that question. Thank you for the people that have responded.

The second question, and we already had one answer on Canada. From what country are you? Indonesia? And you? Japan?

>> (Off microphone)

>> WOUT de NATRIS: Yes, thank you.

The gentleman -- those of you in the back, from what country are you? Japan, thank you. Australia, I think, yes? Japan?

>> U.S.

>> WOUT de NATRIS: The U.S.

Okay, so we have people from a few continents. Are any of you aware of any procurement action in your country? So either from government or industry, that actually procures cybersecurity by design?

>> Way too tall now. There is one in Canada right now. The background to this: Canada is an oligopolistic country; it's run, the three main industries all have a couple of really big companies that kind of work together. And within banking, they have sort of created a common standard, particularly in bank transfers, that allows people to send money by sending emails to each other. That system is called Interac. A couple of years ago they became a sign-in partner. So whenever a Canadian citizen or anyone interacting with the Canadian government is trying to log in for tax or immigration services, child services, they can use their bank log-in.

What happened recently, last year, is Interac formed a strategic partnership with SecureKey, I think is the name. That is the company that, my understanding is, does digital verification, and the plan right now is to figure out, working with the Canadian government, and the Canadian government is basically in the form of procurement going to introduce SecureKey to that sign-in partner system, so.

>> WOUT de NATRIS: Thank you. So that's going to be a very, very interesting company to attack if they can literally do security for everybody. Security by design will be tremendously important there. Thank you.

Any other examples?

Then thank you for that.

The other question that I have: you heard about David and Bastiaan leading the Working Group on the narrative.

So if you look at what has happened in the past years, all the presentations I saw on DNSSEC deployment, IPv6 or RPKI deployment that I've been to over the last couple of years, it was always about technical education. The people in a company or organisation have to know how to do this in a technical way. And then everybody goes home after they have had this technical training.

But the numbers adding up from the training to the actual deployment did not match. People follow a training, but it doesn't mean the company deploys IPv6 or DNSSEC or RPKI. If you sign with DNSSEC, they said, you will get a discount on the annual fee you have to pay to have that domain name.

And that actually led to a significant rise in DNSSEC in the Netherlands, so within a year to about 50%, because they were offered a discount on their annual fee. If you have a lot of domain names it becomes a lot of money, not only if you have one domain name. That's an example of how numbers were raised in the Netherlands.

But when you talk about decision takers they probably  --

But what would be arguments that are non-technical, where a senior person in a company or a government decides, yes, this is a smart thing to do, we are going to deploy DNSSEC?

Would you have any ideas for us that we could use in our advisory panel to take forward when we produce our outcome early next year? Do you have any experience here?

Annemieke, I see you raised your hand?

>> ANNEMIEKE TOERSEN: Now it works. Well, RIPE assisted us to give discounts on IPv6 courses. So what we did, as Forum Standaardisatie, is we requested policy makers in Holland to join courses of RIPE, and they got a discount from us in order to follow these courses. Might be an interesting adoption. So, a suggestion.

>> WOUT de NATRIS: David, Bastiaan, you decided to sponsor this Working Group as well, besides leading it. What makes it so different for you to actually try and come up with a different narrative?

>> DAVID HUBERMAN: That's a really good question. You touched on it a lot a few moments ago when you talked about the technical education and how we have worked really hard as an organisation to build capacity on the importance of DNSSEC and how to do it. My colleagues go around the world to speak to engineers and do DNSSEC signing online on their computers in the live environment and teach them the skills to maintain it. But that's not enough. Because it reaches a small group of operators. And while it helps them, it's so much more challenging to get that message out to the much larger world, for all the domain owners, and for all the operators of recursive resolvers who have to do the DNSSEC validation.

So we are really looking at this initiative, as we said a few times today, to change the narrative. Find a new way of saying it and test it against decision makers and say: how does this strike you? Does this persuade you? Based on the feedback we can iterate again and refine it even further. That's our interest, why we want to fund this and why we are engaged and motivated here.

>> Yeah, thank you. We are a nonprofit organisation. It's part of our mission to increase the trust and reliability of the internet. Not only talking about topics like fragmentation that are detrimental and could have a serious effect. But the internet as is, referring to the DNS and the routing part, they are not directly visible. Maybe DNS names people are familiar with, but the routing part is not something people need to be aware of. But these are fundamental, through everything else that depends on it, that runs on top of it. The security there, it's almost unfortunate that they are not visible in terms of actual impact that people experience and that acts as a wake-up call.

So at the end of the day, if we want to keep people's trust in the system, I think it's really great what the Dutch government is doing, right? Lead by example. But there may come a point, especially if you see in the European Union, the amount of legislation affecting it is enormous. If the realisation is this is a market failure and people aren't getting their act together, it will be regulated.

We have all the tools available to do it ourselves, right? Technically the standards have been there for a long time, all the tools on the one hand to do the authorisation part with us. Sign your IP addresses and associate them with an autonomous system number that is allowed to originate a certain prefix. That's an easy portal to use.

On the other hand the validating part, the software you use to check the announcements to see whether they are valid or not, that's actually, you know, at a very mature state. So everything is there. So why is it not being picked up? I think in terms of the originating part, like people signing resources, I think we are at like 40% globally, and it really differs per region or per country, which is good. But we need to step up here. And people think it's either really, really technical, complex to implement. I understand if you have a huge network with a huge amount of routers and others you depend on and customers you have. I'm not saying it's trivial, but for an average network engineer who takes his or her job seriously, it's not that much of a challenge.

People think it's really expensive to implement. Certainly with a project there are costs involved, but if it's about the underlying, what your service is, how people experience your service, this is fundamental, right? That people need to know: if I aim to contact someone or reach content, I'm reaching it in the place I want to be at. It seems a given. But looking again, the protocols are ancient and this needs to be improved.

So I think we have work there to do to actually gain the stories, right, and actually convince people this isn't so hard. And there is so much material available, like Annemieke said, everything is available free online. Just go through the whole thing and have people sign resources. If you have one incumbent or two operators in a country, people start signing their resources; you see an enormous uptake in adoption.

We see this for other things we organise. We have signing parties, get people in a room and show how trivial it is to sign the resources and look at the validation part. So we are actually doing a lot there. I hope in terms of audience and story line, narrative, we can also have an impact, combined with all the other stuff we are doing here at the IGF.

>> WOUT de NATRIS: Thank you, Bastiaan, David. The Internet works, everything works, playing devil's advocate here, everything works, there's never really a failure, so why should I invest in something? It works, right?

>> The real impact of incidents is not sufficiently visible, but for individual networks I think the same goes for the Dutch government. What triggered the whole thing was IP address space of the Dutch Ministry of Foreign Affairs being hijacked. That was a wake-up call. Not a good one, obviously. But those types of stories we can demonstrate to people: not wait for something to break, oh, I will spend a lot of money and repair it now. You can implement this in a reasonably simple fashion and be prepared, you know. Again, your customers will benefit, you are going to benefit in the long run.

Maybe we need a bit more effort in terms of the shaming part or the incidents that really have an impact and have people share those stories and what led them then to implement this. I don't know if that answers your question or not.

>> WOUT de NATRIS: Yes, thank you. When you mention the Middle East, perhaps an explanation is in place: the RIPE NCC is doing Iceland, Greenland to Vladivostok and the Middle East; they provide the IP addresses for that region. Like APNIC is doing here in Asia.

>> DAVID HUBERMAN: Just to build a little bit on what Bastiaan has been talking about. There's been a sea change in the United States. This summer, I'm going to be honest with you, I had a fairly surreal experience when I went into a government building for our communications ministry, our Federal Communications Commission. They regulate broadcast signals and also regulate mobile wireless signals. Quite powerful: all the wireless providers, the wireline, the cable companies, a lot of the internet in the United States to a lot of our homes.

It was kind of surreal because the United States government is now taking the position that routing is a matter of national security. And all of these people from like the FBI and the Department of Justice and all these law enforcement bureaucrats were getting up and talking about how we absolutely must secure the routing infrastructure of the United States of America against attacks, against misconfigurations, against hijacks.

Not only were they talking about it in general terms, talking about the principles of security, these are elected people who were talking. They were saying things like RPKI and uRPF. They were using acronyms I didn't think a government bureaucrat knew how to spell. I was like, what's going on here? But I loved it, it's great. It showed a country, a large country, was taking seriously the need to adopt RPKI, the need to adopt validation of ROAs at a national level. And they were going to use the power of the government to force the regulated parties to do this.

And to answer your question, it's because for them it's national security. It's not just the mariners in their boats who are connected. It's the military. It's all of the government, federal, state, local. It's our schools. Everything is online now.

>> WOUT de NATRIS: Thank you. I think that's a good example of changing the narrative.

So, and that's perhaps also what Bastiaan was saying, if people do not voluntarily do it, the government will step in at some point. But will they literally regulate and write laws, or will it still be a group discussion saying, do we have to do this? If even five years from now nothing has happened, then probably it will become legislation. And this is something that industry wants to avoid. Sometimes, if I'm looking at it from a negative point of view, I get the idea they want to be regulated because there's finally a level playing field, and that's what's missing with the deployment of the standards. If I deploy, it costs me money, meaning I have to have a higher price, while the competition does not do it. In other words they may have more customers because of it.

That is one of the reasons that deployment on a voluntary basis may be hard. But if you don't want to regulate, then procurement, I can't say that enough, may actually change that. But why aren't most governments procuring secure by design? That's the question I don't have the answer to. But it doesn't happen as a standard.

What I would like to ask from the people present here, and get your views anyway, I'm going to hand the mic over, starting with you, but you can pass it through.

What do you actually take out of the session yourself? And how could you change the discussion perhaps in your country? Where could you ask these sorts of questions? Because then you get perhaps a little bit of inspiration in your own country to change this discussion. So I'm going to ask Annemieke to ask. Of course, please introduce yourself first.

>> Samira (?). I've been living in Japan now for about 2-3 years. Just on the remark that was made, I mean, why would a country be hijacked? I mean, that's what I would like to know, for example, targeted countries like the U.S.

Maybe they have many enemies, I guess. So maybe, I'm not saying they have. I mean I'm just assuming. For example, Israel, maybe, I'm not sure.

But when it comes to the internet, I mean, we are going to the very core of the procurement, the routing and switching and all this standardisation. At the beginning we said, yeah, the internet, it's similar for everyone. It's working well also, you said. But how are we going to regulate these regulations? When it comes to the countries where they don't feel the need. For example, a normal country which is, of course, like, for example, we will say Norway, very peaceful. They don't feel the need, I guess.

So I think it is not that it must be regulated, but how well we can force them to use these standards if they don't feel the need. I mean, one way we can creep in is by educating them, right? So I feel that we need to think in a way that people, for example, if you say that you are posting something on social media, this could be a threat to your life, because they will listen to that, right? So it's similar. So I would think it's a need of the  --  the U.S. knows they have hijackers. They have people who want to creep into their network, so I think.

>> DAVID HUBERMAN: It's a good point. The thing it's not just about geopolitics. A lot of this is about people who want to exploit vulnerabilities to make money. And some are to create chaos. Again, not for geopolitical reasons. One of the things we have to do is ensure everybody in the world, in all countries, big and small, peaceful and not peaceful understand that vulnerabilities create opportunities. And there will always be people who want to fill that opportunity for their own purposes.

>> WOUT de NATRIS: Yes, thank you. I think that is a very good example of what we try to close in IS3C. We can't do that ourselves, but we can hand over knowledge and tools to actually do that. But then it's up to countries to deploy.

So my question to you was to share what you got out of this session and what you could do in your country to plant a little seed of knowledge on this topic. So, start up front and then go around. Please introduce yourself.

>> Hello? I'm Ryan, I'm from Indonesia. It's a bit hard, I think, for my country. When the decision came, I just took three sample e-commerce sites in my country. And one decision through internet.nl: not all signed up, but e-commerce signed it on RPKI. I think e-commerce understands the cybersecurity threat on them.

Actually, in my country, today I met our finance minister; he gave a speech in the main hall. I just don't have access to that high level. I hope, in the Netherlands you have a long history, right. Can you please suggest something to our country to try to implement this? Because many of the decision makers aren't even aware about this thing. Procurement, the tender, is always about money, not about security, not about the people. It's always about the money.

>> WOUT de NATRIS: (Off microphone)

>> I hope I can, but I think he doesn't know me.

But if possible, I hope my country will be getting better, because next year we will have our presidential election. There's a lot of issue with IT security. All the flight information from generative teams, I cannot say, but many of them are doing anything to get into the position. So I hope everyone can help my country.

>> WOUT de NATRIS: Thank you, that's a quite clear call. Thank you for sharing.

>> Hi, I'm (?) from Japan. I'm (?) this area. About  --  the level is low in Japan. But the one issue is open servers in English; we have to translate to Japanese and we have to make it easier to read for the decision maker. So that's our problem. And my colleagues are trying hard and I'm not in that position, but if I have a chance to get it, I will try to make the thing better, thank you.

>> Thank you very much. It was eye-opening. I guess it's not just targeting countries also. But just making solutions for the vulnerability. I think it's a wonderful point. So I guess the key is through education  --  I would like to put myself forth and research more into these areas. I have, of course, my area is RRP systems.

I would think much more learning into this. There was a lot of input here. So I guess that education will drive into the countries who are not aware of it, as we all know that the internet is working. But underneath there can be catastrophic events, because we just keep things open. So when you can close the door, why don't we just close it and lock it? So that's what I got from this session. Thank you very much.

>> Hello, thank you, everyone. I'm Santos from Nepal, Activity Director of Digital Rights, Nepal. I joined the session in between, but I liked it very much. It has opened a lot of questions. In Nepal we recently, in August, adopted a national cybersecurity policy. Before that we had the Electronic Transactions Act, but now the government wants to bring a new cybersecurity law. One of the problematic aspects of the cybersecurity policy, actually two problematic areas: in the consultation period, in the draft, there was no mention about the internet gateway. Now they are talking about installing an internet gateway without defining it. This is targeted, they are saying, for the secondary internet. They are also talking about the government internet. And the third, which is also related to the procurement part, it was not in the draft rule, but now they are proposing laws relating to security of ICT and  --  will be defined by the government, and that could be out of the bounds of the public procurement policy.

So I think procurement comes in here. This is a serious issue where the government wants to kind of put it behind the curtain of the procurement process, what kinds of things are being procured. In the least developed countries like Nepal and others, the stakeholders are not very much aware about the repercussions or the possible impact on other areas because of such kinds of laws and policies. Especially Civil Society and media, they are also not aware about it. And it is evident from the kind of reports by Civil Society or the media, the public discourse we are having at this point in Nepal.

So I think it's very important that we take these issues into the public discourse, and Civil Society Organisations have a kind of very important role to make stakeholders have a kind of informed discourse about the policy proposed, its impact on the utility of the internet, and at the same time other human rights. I think this is very important and I have gained a lot of insights which can be used for public policy. Thank you.

>> Okay, thank you so much for this very useful session. I'm from a carrier in Japan, in communications, we are an ISP. So we need to implement many, many (?) but (?) costs to improve, it's not possible, but I would like to (?) my company this discussion and try to improve such kinds of new technologies. Thank you.

>> Hi, I'm (?) from Japan, I'm just jumping in the middle of the session, so I'm not sure about the whole discussion. But in my humble opinion, to secure ISP services, maybe subscriptions will help. Sending out a product, depending on the manufacturer, it's hard for the long period, it's too heavy. But if it was a subscription service, they get their money to give services, so they can have a chance to comply. That's my opinion, yeah.

>> I'm Daisuke Kotani from Kyoto University. I'm a researcher but involved in procurement of the university infrastructure. So the budget costs and engineers.

Unfortunately, if we use an outside company to support RPKI or DNSSEC, such companies don't have enough engineers to do support, so we cannot implement it in our campus infrastructure. So education for engineers, I think, is an important issue. Thank you.

>> I literally thought I could skip it. Well, as I explained, in two weeks' time I will be in Ottawa talking to a group of sort of high-level decision makers in the federal government. Certainly I think this conversation is going to help. We haven't designed a workshop yet. That is a task for one of my co-authors when I'm back from Kyoto. So this does give a really good set of ideas to do it, so thank you.

>> Finally, thank you for your stories and input. I would like to invite you to control, to check your website or email address on internet.nl; if you score 100%, we give you a position in the hall of fame. And we always give a T-shirt which says collector's item in Holland. You can also sleep in it. You can tell. And then you get a T-shirt, that's the way we do it in Holland, in the Netherlands. Tempting organisations to use those open standards and get one; you can collect one if you would like to try. After the session you can check online. Thank you.

>> WOUT de NATRIS: Thank you. And thank you all for sharing your ideas with us. And we are getting close to the end of this session. We have a few minutes left.

But what I would like to say is that it seems, also from what you have said, there is literally a world to win. If you are able to convince the people you work with that this is an important topic and use the right arguments, then probably things will change. And that is what we are going to strive for. What can you expect from IS3C? I think the first thing I would like to do is to invite you to come to our session on Tuesday at 10:30 in Working Group J, the one next to here. What we will do there is present three reports. The first is a global comparison on national policy on internet of things security. Just a very little hint: there isn't very much in a regulatory way to find. It's all voluntary. So that is one. The second that we will be presenting is on procurement, as we understood from this session today. It's a global policy comparison showing what the level of procurement by governments is at this point in time. The third report, I'm not sure if we will be able to present it, because the lady who was supposed to give the presentation cancelled at the last moment and the report isn't available yet. We made that together with the United Nations, with UNDESA. It's not online yet, but we will try to say something about it. We are also going to present a tool. The comply-or-explain list is having a global translation, as you could call it. A team of experts has come together and made a choice on three topics. One is on the categories of standards. The other is on the scope of the list. And the third one is the individual standards that go underneath this list. What will be announced is an open consultation, so anyone in the world who has an opinion on the scope, categories, standards is allowed to share their comments in a Google Doc so we can make a better informed decision on what will be in this list. Next we will have the presentation that David more or less gave, to announce the Working Group on the narrative.
And finally we will be announcing a Working Group on emerging technologies. So the idea is that in the coming year we will do a global policy comparison on artificial intelligence and later on quantum computing and the metaverse.

We try to see our relevance to the Sustainable Development Goals. So how is the work that we are actually developing at this point in time able to make the world better as a whole and not just the topic of internet standards? And what was happening in the other room, which is also almost stopping at this point, is that we have a synopsis of the cybersecurity hub and the plan that we have there. In other words, we will be presenting a lot of work we have been doing in the last year.

If you are interested in learning more about what we do, you can join through the IGF website. If you go to the Dynamic Coalitions and look at the Internet Standards, Security and Safety Coalition, you can sign up for the email list, and you will not get a million emails every day, but when we have a Working Group starting or it has its own meeting you can get an invitation to join. If you are interested in working with us, that's also an option; we look for people who voluntarily are willing to chip in a little bit in this work.

We have our own website, IS3coalition.org; that's where we publish all our reports, and the tenth of the reports will be able to be downloaded from there. That's all I want to say. I'm looking at the panel. Mark, have you made any observations you would like to share with us?

>> (Off microphone)

>> MODERATOR CARVELL: Thank you, I've been following on the Zoom link online; no comments or questions have come through in the chat room in the Zoom link. But I think the key message from this session, I think, is very important: that procurement and supply chain management really do have major contributions to make in driving the adoption of critical security-related standards and routing protocols and so on. So that's a very important message, and I really appreciate, from me personally, the comments here that this is a lot of valuable information that the coalition IS3C is collating, and we need to build on that with more contributions and more experiences from other countries. I'm thinking in particular of my own country, the U.K.

When I was working for the U.K. government, the procurement of network services and equipment never really came up as an internal policy issue. But every now and again there were these massive security failures online, which did get a lot of media coverage. But then again, you never hear the consequences of those data breaches, whether they affect the police forces, as was recently the case in Northern Ireland, or financial services. You hear about these headline-grabbing incidents, but you never hear what the follow-on from them was, in terms of ensuring these things don't happen again. But I think this coalition does provide a channel for distributing that kind of important information. Those are my reflections. Back to you.

>> WOUT de NATRIS: Thank you, Mark. David, any last words? No. With that, we will let you go, and we will be well in time for the people who come next to prepare. Thank you very much for your contributions and insights. That is something we are going to take home.

Thank you for all the technical work. Thank you, Mark, for the online moderation. And with that, I wish you a very good IGF and hope to see you again soon. Bye-bye.

[ Applause ]