IGF 2021 – Day 2 – WS #228 Supply Chain Governance and Security for IoT Resilience

The following are the outputs of the captioning taken during an IGF virtual intervention. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid, but should not be treated as an authoritative record.

***

 

>> MADELINE CARR:  Great, good morning and welcome, everyone.  Thank you for joining this morning and, ah, helping us to work through this very, very complex and challenging issue that we've brought to the IGF this year.  My name is Madeline Carr.  I'm the professor of IoT.  Together with my colleagues Pablo Hinojosa, Louis Hurel and Duncan Hollis, we feel are of relevance to Internet Governance, but perhaps haven't yet been picked up in this forum.  This year, we wanted to look at governance of the supply chain in will Internet of things for cyber physical systems particularly in this case, connected autonomous vehicles which have, of course, a safety critical element.  And we brought together an amazing line up of people who really have a tremendous amount to contribute to this discussion, but also people who represent sectors that haven't necessarily participated fully in the IGF in the past which we feel is really essential to the conversation.  So we have quite a tight schedule and, um, we want to leave time this morning for input from other participants as well.  So we're going to work hard to stick to our plan and hopefully capture a wide range of views.  We see governance at the supply chain for all sectors, but particularly for connected autonomous vehicles as a key challenge that will require many views and perspectives taken into account from an industrial perspective sector leaders really need an understanding of what vulnerabilities are emerging, how these congregate and what steps they must take to mitigate against them in a sponge ethical manner.  And insuring supply chain security and critical infrastructure like transport will be certainly to promoting sustainable cities and communities in which people can take full advantage of in emerging technologies with the confidence that there's safety and rights will be respected and upheld.  I guess essentially we chose connected autonomous vehicles as a very, very complex case, very complex supply chain and a supply chain that ends in a safety critical function with real implications for not only data breaches or, um, or other more contentional vulnerabilities, but also, you know, potentially loss of life.  So something we really need to take very, very seriously.

And in a sense, we're asking questions about whether the Internet that we have is really ready to connect these kind of systems.  And I guess the short answer is no.

[Laughter]

So what needs to happen in terms of internet governance to prepare us for what's already happening which is we've connecting these systems and utilizing this infrastructure.  At the same time, we recognize that Internet governance has been a very flexible and adaptable model.  Perhaps there are lessons that we can take from how Internet Governance has adapted over the years to accommodate different systems, processes, practices and bring those lessons into the thinking about how to govern the infrastructure upon which the critical safety systems will rely.

So we have a lineup of speakers and we have sort of set times that we'd like to bring in the community as well to comment and so there will be opportunities for that and we really encourage you to do that.  To say time in our 90 minutes, we'll keep our introductions short.  We have a PDF, which will be posted in the chat with the full ‑‑ thank you, Lisa ‑‑ with full biographies of all participants so you can see who's speaking and where they come from.

In the first instance, I'd like to hand over to my colleague Louis Marie Hurel who will take us through industry perspective.

>> LOUISE MARIE HUREL:  Thanks so much, Madeline.  Yes.  I am Louis Marie Hurel.  I am working on cybersecurity and incident response more specifically and I have the immense pleasure of just kicking off our discussion here from the industry perspective.  And I have three ‑‑ well, one person unfortunately could not join us, but I will make my best to reflect his notes and points that we discussed previously.  So together with me, we have Jennifer Tisdale.  She leads the cyber physical work at GRIMM.  We have Martin Emely, which is the European ‑‑ I will be sharing some of his thoughts and points.  And we also have Mitra.  I hope I ‑‑ Mitra Mirhasannie.  We do have some very brilliant minds here and just to kick us off, I just would like to reflect on some of the things that Madeline already started talking about.  She mentioned, you know, that we're dealing with a very complex environment in terms of what's connected to the Internet.  We're dealing with safety of critical issues.  We're asking questions of whether the Internet we have is already ready to connect these systems and I think we can agree as she already said that no, we're not ready, but they're very good people working to insure that we do have standards, procedures, regulations as we'll talk later on to make sure that we have goods risk management practices in place, that we do have spaces for dialogue within industry and outside industry as well.  But I just wanted to bring some tough questions here for us to start thinking, right?  So been thinking about this discussion within the context of the internet governance forum.  We really need to dive deep into who needs to be brought up within the table and outside when we talk about connected autonomous vehicles.  How to insure that standards being developed or regulations or sector specific practices that they are actually not only a reflection of one specific silo, but that we're talking across different stakeholder groups.  What are the concrete changes that we're aiming at?  We go from talking to talk to walking the walk.  Just to start out with the points that Martin has already sent out.  So as I said, mastin works with automotive ISOC.  For those of you not familiar, auto ISOC is the automotive information sharing and analysis center.  And those working cybersecurity, you might have been appointed somehow to other ISACs such as security which works with swift network and all of that protect the familiar sector, but ‑‑ familiar sector other but here we're talking about dedicate the to the automotive.  The main goal establishing in 2015 which was kind of surprising for me.  In 2015, it is particularly receipt is a global information sharing community that seeks to increase the resilience by sharing potential vulnerabilities within members of the automotive industry along with a whole supply chain before they manifest themselves.  So really trying to insure you have a previous information so that you can respond more proactively whenever something else comes up.  And also, I mean, different industry partners, they are engaged in mapping different kinds of vulnerabilities depending on which one you are investing more in terms of security.  He knows that companies really need to establish a vulnerability sharing plan over the whole life cycle.  It cannot be a piece meal approach because it does provide a myo-perspective threat.  You can have a clear perspective of how threats operate, but you do need to think about the supply chain as part of all of that.  And this is our attempt to go beyond the cybersecurity discussions around solar winds.  There are many critical systems such as the automotive sector that really require our attention more deeply and carefully if we think of innovation in a secure way.  And he notes that while the life cycle security of information share is desirable, the complexity of implementing cybersecurity processees for the automotive sector is really difficult.  One case he brings is the ISOA 21433 and I will share the link after I speak.  It's a standard that was published in 2021 August and it specifies engineer requirements for cybersecurity risk management.  Another example that he also brings is a new regulation which is the R155, which I will also share later on, which was approved by the United Nations economic commission for Europe, which is very, very interesting.  On the ISO, it specifies best practices in terms of cyber risk management for that particular sector.  So that includes product development, production operation, maintenance and decommissioning of electrical and electronic systems for road vehicles.  And this regulation from the united nations, which has also translated to different countries regulations all right.  So for example, it established and requires a cybersecurity management system and countries such as Japan has already indicated plans to apply the regulations.  It should be applied up until July 2022, which is kind of an interesting timeframe.  So the Republic of Korea, for example, has also adopted a step wise approach, introduce the provisions of the cybersecurity and national guidelines until the half of next year and the European union as I said also passed a new regulation on cybersecurity that will make mandatory for all new vehicle types from July 2022 and it will become mandatory for all vehicles produced from July 2024.  So as we see, we're here in the industry discussion, but already hinting towards that Duncan will moderate the regulatory parts.  So these are the points that Martin brought, but now I will leave it to Jen to continue this conversation.  Jen, over to you?

>> JEN TISDALE:  Thank you.  My name is Jennifer Tisdale.  So all modalities of advanced transportation and the on topic of automotive is near and dear from my heart.  I am here from Detroit, Michigan.  ISAC has been around since 2015.  That is also the length of time we paid any real attention to the totality of automotive security.  There are a lot of things changing at a very quick pace.  32 are three areas I wanted to highlight for the audience today.  First and foremost, the topic of supply chain and securing the supply chain in relation to connected and automated vehicles.  One day soon, autonomous vehicles as well.  There are areas we need to consider that fall within the vehicle including technologies, entertainment systems, else.  All the technologies we are introducing within the system of systems of the SOC.  But in addition to that, the non‑technical pieces of the vehicle are being produced.  The IT and OT environments that converge together for the production are also in secure.  That is an area that we are analyzing and researching today about what type of impact it can have on the operation of the vehicle.  And not to overcomplicate the topic of supply chain, but I will I suppose, to take a wholistic view is the environment which they are operating.  So we are introducing increasingly by a government and via sector.  They kept in which the vehicles are operating in their day to day.  We're looking at intelligent transportation system, smart city infrastructure.  Depending on how you would like to define the term supply chain, the complete automotive eco system for connectivity is increasing year over year.  And hence with that increase and connectivity comes an increase in cybersecurity vulnerability and the potential thereof.  So for the first point, identifying and properly defining what the supply chain is for the purposes of this conversation, I think is it becomes a very large topic when we're talking about policy because not only do the systems need to be interoperable, but the policy that impacts the supply chain must also be interoperable and wholistic and approach.

With that, that leads us into the second point.  Of smart policy.  It is one of the changes and we know it is an international problem.  It is how to have cohesive and consistent policy for connected automated vehicles that cross‑borders.  In large part, in relation to the connected infrastructure that needs to be integrated into cities and roads for the vehicles to operate, policy for those systems which are generally government oriented in terms of the integration of those technologies versus the Private Sector and then, of course, working with the Private Sector for the vehicle production to make sure that the technologies are secure.  So there will be a need to be nimble in our policy making much like there is a need for us to be nimble and flexible in the immigration of the technology in relation to cybersecurity as the threat landscape is evolving and ever changing and the methodology to breach the systems are also evolving and changing.  So the only thing that I can think of and I hope nobody is offended anyway this statement, the only thing that moves slower in terms of changing academia or changing how we manufacture goods, the practices, the RND, the process implemented, the only thing slower is the policy making.  Typically at least in the states by the time we get policy approved, something has changed in the technology that now needs to impact how we view the policy.  One of the examples I will give to you for that in the U.S. is the right to repair act.  And the Right to Repair Act let the consumers repair their own vehicles, to have their ownership.  They couldn't be holding to car dealerships and also having their vehicles repaired.  They could do it themselves by enabling mom and pop shops to have local mechanics that can repair vehicles.  The troubling thing now is that there is a need to look at all electronic components that are integrated into the system and so where does the consumers right begin and end versus how the automotive industry is to secure the vehicle?  We don't have a lot of systems where you can go to your corner store, buy a vehicle and then manipulate the electronics in it for whatever the reason might be.  Maybe you want to turn off your navigation system or things of that nature.  Do you have the right to do that if it impacts the functionality of the vehicle and ultimately your safety or the safety of others?  So that brings us to the final point which is ‑‑

>> LOUISE MARIE HUREL:  30 seconds.  Sorry.

>> JEN TISDALE:  30 seconds we'll talk about liability.  When we have this ecosystem where we have government, academia, industry and consumers coming together into this one ecosystem of the car, who is responsible if the consumer is able to adjust the technology within the vehicle, is the OEM responsible?  That's really the teaser today is where do the rights begin and end and how do we keep people safe?

>> LOUISE MARIE HUREL:  Excellent.  Excellent.  Thank you so much, Jennifer.  I think that is a very good transition already for Mitra.  Mitra, over to you.

>> MLTRA MIRHASSANI:  Thank you.  We are right across from Jennifer in wind sore Ontario, Canada.  As a result of our close proximity to Detroit, there are many, you know, industries that are dependent on providing parts and supplies for the automotive industry are housed in Windsor, Ontario.  The one ‑‑

So I decided to talk and take you guys to the micro nanometer dimensions and provide a little bit of (?) that is coming and put a little bit of life and shine a little bit of light on it.  So we ‑‑ Jennifer talked about the consumers who might be able to change the setting of their cars.  My example is coming from manufacturing and integrity of the parts that you receive.  When you, for example, when we want to create a complex system which is composed of many, many electronic parts, what we generally do is that we trust a manufacturer that is doing the cheap manufacturing and we go ‑‑ we are kind of buy those parts and these parts are not anything specifically, you know, dangerous looking.  They are the ICs, the integrate the circuits that are there from your toaster ovens these days, smart ones all the way to critical infrastructure in power plants and so on  different very sensitive parts of the, you know, the applications.  So when they buy these parts, they trust that the manufacturer has done or actually has created the schematics, the circuitry, the designs exactly as its promised or exactly as they ordered it.  So we did a little bit of tests, now it's about a year which pandemic days are kind of all blending into each other.  We did a little bit of tests.  We bought a hundred parts, a hundred of these electronic parts of the Internet from reliable vendor.  Not from black market, gray market or anywhere else and we brought them home to our labs and started looking at them removing layer by layer the surfaces of the devices and just checked them out.  To make sure what we bought is exactly what we want it to be.  Well, right away most of them kind of yelling the parts basically they were literally yelling that we are not the exact parts that you wanted to from very small modifications in how the numbers or serial numbers kind of created all the way to the nano dimensions where we saw some irregularities that are not supposed to be there.  The results were worrisome because only 22 were true parts that we were supposed to buy.  The rest were either counterfeits, either made by someone else and/or they had extra components in them that were not supposed to be in those hard ware.

So what's the danger here?  The danger here is that those extra parts that are there that are not supposed to be there and we called them Trojan hardware, they can take away the control from the consumer, from the manufacturer, from whoever is driving a car or operating those devices, again, all the way from airplanes to power plants to automotive, those parts can basically have a mind of their own, operate the way they want, they can also sit in a stop clocking the system, raising the memory, changing values or kind of leak information or they can also be causes of worms into the network and create a little bit more headache for everyone.  Is it easy to find them?  No.  Most of our approaches are destructive.  We have to take the part, remove layer by layer of material and kind of do a destructive test and find them out.  Is there any solutions?  Well, there are, but they're all expensive.  It means when we do design the circuitry, we have to integrate the solutions right away into the IC, into the circuitry, which means that the hardware is going to be bulkier, more expensive.  It needs more testing.  Hours and hours and different configurations in order to spoke these things out of their heated locations.  They do not get activated easy into ‑‑

>> LOUISE MARIE HUREL:  30 seconds.

>> MLTRA MIRHASSANI:  Just wrapping up.  To cause it to change the policy of supply chain, we have to insure and we have to tighten our regulations around where we buy how the manufacturers are generating or manufacturing the parts and that's the part that the policymakers are coming in and basically creating certified trusted manufacturing line for us.

>> LOUISE MARIE HUREL:  That's great.  Thanks so much, Jerken and Mitra for raising very important points.  We're going through a very interesting flow.  We started the discussion with kind of the big governance questions.  What does it mean in terms of Internet government to think about the governance of security and more specifically the security of the automotive sector, which is InterConnected to the way in which devices have populated both our everyday lives to industrial systems, right?  So I guess, you know, we went that discussion.  We then transition to what has ‑‑ what kinds of let's say broader standards or regulatory frameworks have been developed so far even though that's going to be delve deep in the other section.  And then we transition to Jen's point about the environment of complexity, how we insure that policy is connected to the industry solution, how do we make sure policy is responsive and adaptable given that environment and thinking about consumers at the end of the day as well.  And you, Mitra, brought that other dimension.  What does it mean when we look deep into those components?  What happens when we sandbox all of this and try to see whether it is counterfeit and that is where we get at least one of the very nitty gritty dimensions of what security is.  I think sometimes we make it so abstract, but I think there are many layers that we're peeling over from this discussion.  Now I would really like to just open up for questions.  We have approximately 7 minutes for us to do that, but maybe I will kick off with a very short question for each of you and then we'll ‑‑ please keep it coming.  Please use the chat function to all participants.  But the question that I have for Jen really quick question, though challenging perhaps.  What can we do about this policy into interoperability?  You talked about the systems and policy interoperability and you talked about this right to repair.  Could you talk more about what could this be like this policy interoperability?  How can industry engage more in that debate or what does it mean in practice from your experience and I guess to Mitra's point, I would be interested in hearing about the problem of subcontracting.  If you can expand more and insuring the hardware security.  So yeah.  Over to you while we wait also for other folks in the audience to speak up.

>> JEN TISDALE:  I'll start.  One of the very first things to do is not make decisions in a bubble.  We really need to have more public‑private partnerships when it comes to policy making decisions.  And the reason why I say that is there are so many moving pieces in this technology in the integration of the technology and associated policy making.  In the example of the right to repair act, it certainly takes the voice of government, the voice of the automotive industry and the supply base as well as the voice of the cybersecurity researchers.  So whether it comes from a company like mine or a university or what have you, having the 80 to understand where the vulnerabilities live within the technology and how to make smart policy that can be nimble enough to change overtime to change at the pace of technology as well.  So having those formal discussions much like today, this is valuable and exciting.  It is to bring all thought leaders together so that we can have a discussion about what next steps might look like.  So that would be the very first and foremost thing to continue to do.

>> MLTRA MIRHASSANI:  To answer your question, this is the time that policymakers have to start moving fast because the parts are already here.  When I talk about this Trojan hard war, most people say no one knew about it before you brought up it.  But sorry.  It's been ‑‑ we published papers left and right.  It's the hot topic of research and I'm sure the automotive industry is well aware.  Those that aren't know how to do that.  The voice is that these parts are already in some of our critical infrastructure in our automotive.  For example, when you buy a truck or a bus for public transit, you're not doing to change it in two years.  You're investing for 40 plus hopefully years of to use that.  And the approximately with the things are is they're very expensive to repair.  You have to go in, physically remove the part and place and put a real trusted part.  So my warning to the policymakers is that it starts moving.  The problems exist.  They're going to only show up more and more and as in academia or startups or companies, we're not at a position of control and to create this ‑‑ to create this trust in the supply chain.  It's all in our government to start acting.

>> LOUISE MARIE HUREL:  Amazing.  Thanks so much.  I guess we have set the landscape for the industry perspective, but I would like to already ‑‑ I hinted ‑‑ we hinted a lot to the regulation discussion and I will pass it over to Duncan so we can go deep into that.  Duncan?

>> DUNCAN HOLLIS:  Thanks, Louise.  I think as I see, we have been thinking about the problems of taking not just devices, but systems, complex systems and integrating information technology within them.  And on top of it, the systems will operate with humans, if not out of the loop increasing on the periphery of the loops.  So obviously doing so has security implications as we just heard whether it's in the supply chain, in interoperability or what have you.  I think the question for us at the IGF is how do we think about the bridge between the security concerns and Internet Governance.  It is worth noting that we've hosted a number of these sessions in the past.  We have been talking about a slightly different set of cybersecurity issues.  We talk much more traditional concerns about confidentiality losses.  And those are clearly here in this environment.  But I think it's important to flag on top of all this that there's a physical security concern.  What are we really concerned about?  We're concerned about autonomous vehicles crashing.  The step is to step back and ask.  Once we bring these autonomic vehicles into an Internet governance environment, how is the existing Internet Governance environment suited to handle this problem set?  I think Madeline put it.  Is the Internet the one we build for this situation?  And apropos of our setting.  I think where we often think about multi‑stakeholders and in terms of thinking about governance, I think it's important to think about where existing responsibilities and regulatory tools lie that is what's the existing governance structure and who is doing it.  Where's the capacity?  Do we have the right actors and the right regulatory tools set up to regulate this environment or we missing some clear and obvious potential tools that we have yet to take advantage of given the alignment of the security threats and the need to regulate them.  So what we have tried to do in the next 25 minutes or so is bring in two true and true mechanisms.  Law and insurance, which we have dealt with for Eons and other context to provide a governance function and think about how they layer or connect with this autonomous vehicle setting.  Really briefly, we have Rebecca Crootof to talk about the law.  Has a long history and thinking about cyber torts where she's a real expert and other forms of regulation and has done so with autonomous systems and content.  And we have a cybersecurity specialist there where he works on how to build cybersecurity products for the insurance and reinsurance industry.  So I will as a non‑expert, quickly get out of the way and, Rebecca, I will hand it over to you.

>> REBECCA CROOTOF:  Thank you so much to be part of this incredible collaboration.  My relationship law and technology and how autonomous weapon systems and autonomous vehicles raise different recurring legal challenges and issues.  Now, of course, autonomous weapon systems are intended to kill certain people while as professor Hollis mentioned that we don't want them to kill or hurt any people.  But both of these systems raise the question of who should be held accountable when an auto mom August system acts unpredictably in a way and something goes wrong.  People have float all sorts of different entities that are relevant here.  Only the designers, programmers and manufacturers, commercial sellers.  The users, third party adversaries.  And then there's also the question of how much should like depend on whether or not the harm was due to an internal issue?  Issues within the hardware or software or malicious third‑party act.  Some form of adversarial action.  There is consensus if something goes wrong with an autonomous vehicle, regardless of the harm, the existing legal analogies suggests that the manufacturer should be held, manufacturers and commercial sellers should be held strictly viable for those harms.

Folks talk about policy and there is this pervasive idea that law request not queen up with certain technological developments.  In some cases, that is thank you particularly when new technology is raised and not all the legal woes.  But in focusing on those particular situations, it's easy to overlook how there's a host of exiting background laws and norms that guide and governor technological government.  Under U.S. products like law, the difficulty of identifying different sources of harm this year of relevant actors, the diffusion of responsibility that's associated with a tenure supply chains and including issues that Ms. Dasani discussed argues in favor of district like.  But, of course, nobody in the industry wants liability for accidents let alone adversarial third‑party acts or issues arising from consumers engaging in the right to repair.  So this existing legal back drop that's already there will encourage those producing autonomous vehicles to retain humans in the loop, even symbolic ones to absorb liability for accidental harms to shield the systems themselves and the different actors in the extended supply chain from like.  Of course, this might not be the best legal structure for what we want to incentivize as we look at the pocket of developing and employing autonomous vehicles.  More and more environmental transportation or the best cybersecurity practice.  So this is the time. 

[Laughter]

Arguably, belatedly to step back and determine which structures will incentivize achieving our goals.  It fires thinking through hardware and software vulnerabilities.  They're different sorted supply chain, they're different potentials for different magnitudes and types of harm.  Actors have the capacity to minimize different sources of risk.  Obviously a lot of different actors, different countries and different industry s and con super representatives need to be at the table to identify these different concerns, discuss respective capabilities and suggest willing corrections.  Particularly folks in the city think of law as annoying, limiting prohibition, something that needs to be worked around.  Law is effective when it changes.  At the international level, law can be incredibly useful in developing norms around when states are responsible for harms associated with transboundary harms.  Let's call then ‑‑ at the domestic level, this I can encourage innovation by developing (inaudible) to encourage reporting and evidence gathering, which is we need that information for oversight and system improvement and law can be used to set requirements for insurance coverage.  It can impact industry practice.  I am not going to elaborate on that because our next speaker can must better address the power of, should.  Thank you.

>> DUNCAN HOLLIS:  Quickly I will move over to Tim.  One of the things we're doing that's innovative, they're not waiting for X&A.  We had some folks to get folks in on that.  You want to let over the legal and insurance perspective, but first, most to you.

>> TIM DAVY:  Thank you for the invitation and also thanks for the great talks.  So much learning and so much insight.  I'm going to spend 5 minutes one talking about the industry changes that we're facing from an insurance per spirit I in terms of cyber insurance.  And as I go through this, I will favor this with it most specifically and IoT because I really think it has ‑‑ hopefully this sheds some more color to it.  As an industry, cyber insurance is relatively new comparing to say automatic.  There has been no major catastrophe losses.  But we do see the biggest change facing us today is that rising ransom ware over the last couple years.  That's where most of the lases we have seen.  And that's where most of the industry has changed its direction of focus in terms of how the policies are worded, what is covered and what's not and how the industry in turn reacts.  I think it is fair to say the insurance industry is fairly reactive to the willing aspects and technology.  Nature has made a very good point and Jen has made ‑‑ I think that is true from the cyber insurance industry.  There are some leads, but I think there's also a lot of reaction in the space.

Comes to the second challenge we're facing is the insure ant challenge.  What should be insured and what shouldn't.  We have an obvious excuse around cyber warfare, but then we connected weekends and those likes lie and Rebecca made a very good summary of the lint chain of subcomponents in a system.  A connected car is a large computer on wheels which is I will translate that into the other industries.  We're quite comfortable with what we're supposed to.  So that really means that us as an industry has to mature and you have to ‑‑ we're able to define the right policies, the right wordings, the right legal aspects to make sure we cannot insure cyber in order to come to continuous.

One of the ways we can do that and we have a big driving industry around data.  Short term we look at it from a risk selection.  Data can we understand from an organization that we're insuring the risk that we're insuring.  How do we know what good looks like?  What data are we seeing from an organizational level?  That can get quite complex and deep.  All those impacts the insurability of the solution and certainly one thing we'll have to look at short term to medium term if we have a long‑term future and market, this concept of trusted components or trusted computing where as an insurer insuring an entity, we can look at that supply chain and look at where there is trust in the components and look where there is best practice and hopefully starts to take away some of that complexity as a whole system as a mole and all the risks there to return that down into subsections.  With IoT and with automated, we'll start to see some very expensive products which we wouldn't be acceptable in the market.  As a reflection on today, we're automotive.  There are now automotive policies.  So they take elements of mainly around system failure over the connected elements of the vehicle and they start to incorporate into the automate the policies for fleets and for individual personal.  It is starting to become quite prominent in the states and to be part of this group and this industry, insurance has a piece to pay A from experience and trying to understand and support the element of connectiveness.  We put insurance products in place that enable the commercialization of the adoption.  And some of the deployment changes that we face.  Hopefully that's a an overview in the challenges.

>> DUNCAN HOLLIS:  Not only are we dealing with a complex system, but the number of not just stakeholders, necessarily requires to Zoom along at 30,000 feet.  Happily people have responded to my invitation and I don't see any hands raised, but I may call out to things I see in the chat.  How do we set up safe harbor information sharing seems to address concerns.  I think about not so much the cybersecurity, but the sharing information problem in terms of the IP or data protection and I wonder both from a regular or insurance perspective if either of you have any thoughts on that.  Rebecca, I invite you first.

>> REBECCA CROOTOF:  I want to reach back out and say

[Laughter]

Where do you see information sharing about most important?  But I can say in terms of legal strategies, what you want to focus on is what's going to be most useful to have information about ‑‑ are we most concerned about gathering information, about problematic actors in the supply chain?  So it's going to be a bit of a slice and dice question about the different types of information that we're interested in ax choiring are going to require different (inaudible) for figuring out how to encourage reporting about them, possibly safe harbor is the idea that you minimize liability for harms sorted with that thing if you share information that otherwise you would be incentivize not to share.  But the fact you were sent to an attack or data breach and that legal protection that sharing of information.

>> DUNCAN HOLLIS:  Safe harbor is a tool and one wondering if we can see it all here.  I want to take the same question to you, Tim.  In hearing the answer about, you know, your emphasis on data and the idea of you collecting data for insurance purposes, I wonder if you see that at some point a mandatory part of the insurance system.  If you want to be insured, this is the data you will need to provide to us which leads to Daphne's question.  What other things might you see the insurance industry through policies ending up, incentive icing the automotive industry and not do.  Do in terms of more cybersecurity, not do, pay we welcome your thoughts.

>> TIM DAVY:  I think absolutely.  I think there's a couple of ways in which data sharing is very useful.  The expert data, so, you know, we're ‑‑ understanding the threats and vulnerabilities they see on a database.  For us to be able to understand and model that helps us to define what the products and pricing and accumulation risks are.  It helps us fig out now.  Shames information and risk information around ‑‑ not every cyber instant is a claim.  That kind of information is all useful.  It helps shape the industry.  It helps shape policies.  It helps shape again answering that question of what is insure automobile and what doesn't.  We have seen data sharing.

In terms of second question, do we see more requirements coming in from insurance?  I think the answer is yes.  We're in a market now where it is increasingly hard to get cyber insurance coverage for the costs that you may have got last year.  Renewals are tough.  The risk landscape is tough and so we're trying to do everything we can to certainly from the small and micro businesses.  We're trying to join the board industry in education and enforcement of good cyber hygiene and cyber practices because they go a long way.  As we move into complex risks, we will have to start seeing some more compound controls or some more sharing of information.  Because otherwise, we don't necessarily know the depth of the risk we're undertaking especially well it comes to the supply chains.  I don't know if we get the complete pick, but certainly we do a lot of work.  We had our clients and insurance clients as well around how we help the end insured manage and understand their risk from a financial tab.  They're even having a conversation between CSO and the CFO.

>> DUNCAN HOLLIS:  Thanks.  Let me insert his question now, but now before I actually since he gets a chance to speak, let me give you the floor.

>> Yes.  Thank you.  I have a question about information sharing.  How much and where is the company based and the geo political dimension of it and sharing information and what impact it has geo politically because we know many components of advantages produced for example in China.  So how do you see the impact of this?

>> DUNCAN HOLLIS:  I think I copied Rebecca and (inaudible).  See I think both questions involve what we might regard as a fragmented government space.  Instead of thinking there being a single top down structure reg where in some multiple ‑‑ Rebecca, any thoughts?

>> REBECCA CROOTOF:  The nature of this chain of problems is international.  And fragmented.  So we need to think about and design systems that address that issue.  That's where having international norms can be important and sort of guide international guidance and best practices can be incredibly useful and at least creating baseline standardization of some of these legal approaches.

>> DUNCAN HOLLIS:  Right.  It can be standardization.  Here are the sorts of things we know are appropriate to be done at that national level and here are the things we should be left for a more say the government space.  I am cognizant of our time because I do want to hand off to Pablo.  I thought with two or three minutes remaining, I wanted to give you both the low hanging fruit question which is you talked about all this complexity, the rising need for data and the like.  And I wonder as the lawyer and insurer, what's the best leverage point for something we have done differently to navigate that king between security threats.  So maybe I'm go to you first, Tim.  If you well is the one take away and then back to you.

>> TIM DAVY:  That's a piece of tough low hanging fruit.  I think the take away for me on this BASIS is we talked about data and what are we going to do?  In we can breakdown ‑‑ I am emphasizing my point of basic hygiene throughout the industry of people cybersecurity conscious all through the design cycle.  And hopefully that makes the life a lot easier because we have more trust in the supply that and more trust in the components.

>> DUNCAN HOLLIS:  That's two things, but ‑‑ I hear you also saying mapping the environment better.  Let's get some mapping to simplify and narrow things down and then the hygiene point is cannot emphasize enough.  What about you, Rebecca?

>> REBECCA CROOTOF:  Most mischaracterized question.

[Laughter]

>> DUNCAN HOLLIS:  Just a simple question.

>> REBECCA CROOTOF:  I think because of the ointment of uncertainty where the risks are coming from, the most useful thing is having more information and I think because industry is so concerned about liability and sort of being left holding the back, they would be left with liability.  That actually having baseline requirements to be insured is a quick intervention on the domestic law level that would ration a sort of baseline standard across the board.  At the international level, I would like to see more conversation around state responsibility for transboundary harms.

>> DUNCAN HOLLIS:  I think those are both great points.  I think for having cover the regulatory/roll and insurance base, that's a perfect time and the lense further shift to you, Pablo, to talk about evidence.

>> PABLO HINOJOSA:  This is a very new thing.  I've never seen industry players in the automotive industry or insurance experts or an approach about risk mitigation and the complex of Internet governance.  I think what we're bringing and putting in a way their own silos.  They have those questions from a long time and it's a good time to have this.  Many have talked about the needs to call with others.  I think that's the motivation to bring this discussion to the IGF in 2021.  I would like to invite Peter Davies and INA to ground this discussion to the Internet Governance wonder.  Let me start with Peter David and we have been discussing a lot about complex systems.  You really work in this convenience do ‑‑ help us out to practice.  What does this have to do with Internet governance and why is it important?

>> PETER DAVIES:  Thank you, Pablo.  I think it's a really important thing.  If you look at the Internet, it's been a best efforts fine of thing.  It's grown immeasurably, but what you have been having is a completely different set of things.  You have been talking about safety and timing not just from the point of view of safety critical systems but the fact these things have to feel safe and the fact you have to do updates.  So I know you were on and there was a division about 5555.  The Internet is a past of achieving the right of what you think you might need to do updates and vehicles on a global BASIS, buts the so this joint between caking and you heard about discussions about peep are concerned.  They are fitting into areas which as a supplier, I have availability.  I still have a liability to get one out.  I think that's a really important part for governance.  Going back in the other directions, we all know that being able to diagnose problems is a real something.  It's not that we didn't it at design zones.  It's emerging properties and threats that you see in these things that I think is a really big problem there.  So what you're looking for is what extent can the Internet and we're going to be able to govern that so we can get the right typing information and right things to attribute and be able to attend.  I know industry is looking for that to be something that can be achieved.  What's been the BASIS behind it?  I think there's a thing there where we step on step out from.  Period of timely to the question and I asked yet.  Everybody said you should check cybersecurity, but and that's pretty differently.  The idea that government and policymakers had a really big say we're not allowed to affect your liables or ‑‑ you have to enable those on a much blower global scale, I think.  And that has to then fit with national regulations.  Some of the attacks we looked at our global, but the only organizational, the only play that lying to be hinting.  You can't hold that in a company.  It's too big.  You can't insure that.  It's too big.  So this crossover and I heard when we talked about insurance, this aspect about cyber war fare and things of that nature, it's not obvious what cyber war fare is.  I think that's still a lot.  The how you establish proof and what evidence looks like are all elements that I think are really fundamental things that must fit with the discussions we've had so far.  But you need to fit into some of the governance regions which including crossed initiate net.  That's my five minutes.  So those would be my instinct.  That's how we have to be not just the internet, but the roll regulations.

>> PABLO HINOJOSA:  Peter, thank you.  We have lecturing futures at the university college of London and following up from what Peter said, the first person I would like to ask you in ‑‑ ask decisions need to be made are the right people on the table to make those present and future decisions around topics we have been discussing?

>> INE:  I will do my best to get responses.  I will offer some reflexes on what we heard.  So total coming from a point of sector point of view.  My work generally I work with and research on the teams.  See these are people who work in policy in strategy.  Will it be down.  That due ‑‑ I got really it keeps in sync and there's a need for action on the policy side.  When the nature is changing, what is it about those systems that tell us go new or different types of knowledge needed, how that is brought into a collaborative space, what kinds of methods, processes, approaches we use to generate evidence from that and how we use that in informing decision making.  The first is that it's incredible and we're all agree there's a great call for a need for policy to take a role in enabling this information sharing, but very struck by going beyond information sharing and produce evidence and it has a shared information sharing of low it is changing.  So yes one part is mapping, new types of threat, wanting where they arise from, associated harms and losses on.  Really translate that into an wanting of multiple stakeholders and what does that mean?  Different types of liability or the weight that is going to change by different actors and stakeholder groups.  You have the valley that's really supported and this conversation that explores rather than where the pressure is to identify specific threats and do risk identification.  So something like this on multi‑stakeholder forum, we have free to think openly and not be criticized for not being accurate in what we perceive, but be credited for openness and ideas.  That's one observation.

The second is thinking broad and lateral, but the type horizon like Mitra was saying, they're built in terms of how the different changes will go across multiple sectors.  The second from the policy access is really asking what we have in terms of processes, methodologies to do long term cross sector.  Now we expect there to be technology but there report that many dedicated to that very long‑term asking of those questions.  That's the second requirement we hear here.  Information sharing to think about how we do an activity like that, but making it into formats that can be reused by others.  My third point is about stakeholders and how diverse we all are.  We're going to share and that will help recognize that we do have different languages meanings and approaches by which we contribute to pull.  Playing around with new methods.  You have to support people as policymakers to explore the interconnections between that.  So those three thinking broad, thinking long and exploring interconnections have really practical implications that I think are amazing recommendations to make to a policy working community.  Thank you.

>> PABLO HINOJOSA:  This is amazing.  I am starting to be conscious about the time and the first thing I would like is to see if there are any questions from the audience.  I would love to see ‑‑ oh, yes.  I can see the small camera with a lot to be there.  It's very important, but I can see many people in the room.  Anyone would like to have a quick comment or question to the great panelists that we have?  All right.  This must be so new and I think that's back to the idea of this workshop to bring something that hasn't anyone brought before to the ‑‑ hasn't been brought before to the IGF and leave you the audience with questions that we can continue to collaborate in future IGFs.

So we went very much from Detroit, domestic manufacturer.  We talked about the nano dimension of the different parts included in this manufacturing process.  So we went a little bit from hardware to software, to risk, to legal, to liability, to insurance.  When have we heard the voice of the insurance companies in content of the IGF?  It's quite an important aspect of things.  You left me thinking about how the insurance companies can actually put pressure on resolving cybersecurity issues, which is an interesting incentive to continue to discuss in the content of internet governance.  And we continue to Zoom out into complex systems as speakers said and then sort of the tools for policy making that Ina brought.  So I'm quite in favor of trying to bring all of this together.  For that perhaps, Madeline, we can come back to the beginning.  You were the first one to ask these questions and frame these workshop proposals.  How did you find your initial questions and now after this session?  How did it go?  What did you learn and what is next?

>> MADELINE CARR:  Thanks, Pablo and thanks to all the speakers and those who have raised issues in the chat as well.  I just feel really energized by this.  I think this is a huge, huge problem that in some ways, it's the elephant in the room.  We have ‑‑ we have somehow been SKU region around for cyber physical systems that we're looking at connecting these systems to an Internet infrastructure that isn't necessarily governed in a way that's suitable for them.  We need to bring these two worlds together.  I think what we have done today and the people that we heard from are just really highlighted a whole lot of challenges.  We knew coming into this session that we would not go anywhere near resolving this.  But I think what we have done is pull out a whole lot of the challenges and put them on the table.  I think other challenges were raised as well.  This request about whether we should have representatives in the conversation.  I think that would be a good step for income year.

There are two big points that came out for me.  One is this question of liability, point and rights and how we can begin to unpack that and understand that in this complex content.  And the other is repeated (inaudible) for policy interventions to help manage this and I think Ina has done a great job of kind of highlighting and also Rebecca did as well when you talk about the legal contributions that are in placing, but how we might step into this in a way that gets us out from behind the curve.  Critical to that will be this conversation of the I. net governance community about what is possible here.  What is the art of the possible in terms of Internet Governance and up these very divergent worlds.  As Peter Davies highlighted, testing, testing, testing.  And the other which is about ‑‑ you know, open exchange of information, open standards, consensus based governance.  How do we bring these two worlds into meet.

>> PABLO HINOJOSA:  You have a wonderful array of panelists I would like to see one of them or two of them would like to add some closing remarks.  Your take aways.  Louise, what are your views?  We cannot hear you.  Duncan.

>> LOUISE MARIE HUREL:  I think we all leave this session deeply enriched by the discussion that we had here.  And I'm thinking as we did in previous kind of panels, Pablo, of this connection from like the very micro level of thinking certification and the hardware up until what are the governance structures that need to be in place and will governance questions that we need to think about when designing an inclusive policy development environment, right?  And I guess we leave this conversation ‑‑ I think of what do we need to do going forward is in terms of designing the bridging across different groups.  And I think at the interactive environment is very specific.  We get triggered what can we do?  How can we design, but invented wheel kind of in that way.

>> DUNCAN HOLLIS:  For my part, I was impressed both by Rebecca and Tim both the stepping back and serving the landscape and the need for data and doing so.  It seems we're very good content mapping.  Who are the relevant stakeholders and what authority do they have to speak to certain ‑‑ what responsibilities do neigh have, relative responsibilities.  I think they're going to be very different mapping.  I think that's one of the big take aways we have from this session and I think the most kind of interesting is to take the two maps and try and create a meta map, if you will.  As Louise says, look for not just a bridge, but bridges.  The connection points at the national level whether in terms of, you know, the policies, the information sharing networks, the ISACs and the like where the national lay is on competition or products like, information sharing, safe harbor and in doing so.  They equipment across the boundaries.  When once we bring in the supply chain, as important as Detroit it from my own countries perspective to these questions, not auto just about Detroit, the hard ware, each sensor, it's each light and each connection point that's being inserted into the vehicles, where is that brig made and it spins down from there.  I think Tim's call for simplicity is a great one and the question is how do you use (inaudible) to simplify it and doing that sort of thing it might lead us to some interesting insights if we're able to create something coherent.  That's my own thoughts.

>> PABLO HINOJOSA:  Peter?

>> PETER DAVIES:  I think the other one if you look at cybersecurity and particularly in complex supply chains, one person's fix is another person's problem.  And where these are happening.  If you look at the spectrum meltdown, classes of things and you look at the context of automotive, the fix to those.  That took 25%.  So one person fixing it often ends up being another person's problems, but these are happening in other territories.  The data element, so certainly looking at where the data training traits exist.  These are not all on one area.  So I think there are huge elements with supply they know and cyber security that don't manifest that simpler systems often do.

>> PABLO HINOJOSA:  Fabulous.  So we have 7 minutes.  Perhaps a very quick round table with all panelists.  The challenge.  One sentence you have to include the Internet and your key take away for future proposal.  Jennifer?

>> JEN TISDALE:  I knew I was going to be first.  The very primary issue that we have here when it comes to cybersecurity is the data.  And taking a look at the future of month on modalities, data is king.  It's going to be the new, model.  In terms of the interpret.  It is protecting life and limb of the partials of the victim.  So there will not be a language.

>> PABLO HINOJOSA:  Mitra.

>> MLTRA MIRHASSANI:  One sentence.  It taking a lot to convince the people even in the alternate motive industry that Internet security and auto mobility security are two very different concepts.  You data sharing, new policies, new law, new, should, everything has to be thought differently when we talk about the auto mobility and the internet.  

>> PABLO HINOJOSA:  Rebecca?

>> REBECCA CROOTOF:  Right.  Major take away.  It's not that we don't have a lot of autonomous vehicles right now.  We have existing legal regimes that are producing these outcomes that we don't like.  So we need to think about what I. interventions are needed to incentivize the different aims that we have discussed.

>> PABLO HINOJOSA:  What about you, Tim?

>> TIM DAVY:  Everybody from policymakers to lawyers to engineering to even just general people.  And with things using the internet more and more these days, that win is so key and bringing different members of communities.  We talked a lot about that.  One thing we didn't talk about the different lenses and people see.  Those are two completely different perspectives around the same data point.  We understand that if we all are working together like that village analogy.

>> PABLO HINOJOSA:  You did included word Internet.

>> TIM DAVY:  Everyone is using internet.  It's in there somewhere.

>> PABLO HINOJOSA:  Before Peter, Ini?

>> INI:  I know I am almost last and I should have the best sentence.  One critical practical challenge for the policy practice community is that it's not only the mapping that needs to have information sharing, but the challenges for the policy community draw the boundary about where it should comply truth the meeting pout.

>> PABLO HINOJOSA:  Awesome.  Madeline, your last words to round up the workshop?

>> MADELINE CARR:  Don't we have Jen?  Did Jen give her one liner?  Sorry.  Sorry.  I'm getting mic'd up.  Okay.  I don't have a single sentence, Pablo.  I'm sorry.  I didn't think I was going to be down for this.  But I think what I would say in summary is that this is a discussion we need to pick up at the IGF and continue because I think there's a lot to explore.  I think the stakeholders that we brought together in this session are really valuable to this conversation and they're probably more.  But I think bringing people together into the conversation we had has been really powerful.  I have learned a lot today and over the receipt months of pulling this together.  And I also think going back to the point that you made a few weeks ago, we have to think about what model and flexibility and adaptability.  That will be the work for us going forward this year I think is to know in those directions and I hope we'll convene again by this time next year and hopefully ‑‑

>> PABLO HINOJOSA:  That brings us to the end of the workshop until the next IGF and hi to everyone around the world. 

>> MADELINE CARR:  Thanks, everyone, for participating.

>> Bye, everyone.

>> Bye.

>> Bye.

>> Bye.