IGF 2021 - Day 3 - DC-ISSS DC-ISSS: Making the Internet more secure and safer

The following are the outputs of the captioning taken during an IGF virtual intervention. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid, but should not be treated as an authoritative record.

***

 

>> WOUT DE NARIS: The clock is running so I think we can start.  Welcome to this workshop of the DC on Internet Standards, Security, and Safety.  It is our first anniversary, sorry, that we established last year at the virtual IGF.

     Obviously in Poland, but it was on the internet.  And in that year, we progressed tremendously which we will be presenting on here later.  For those not familiar with this Dynamic Coalition, let me go through the topics we were working on and will work on in 2022.  This Dynamic Coalition has a clear goal to make the internet more secure and safer.

     We went through the process from a very specific angle.  The deployment of currently existing security-related internet standards and ICT best practices. 

     To give a few examples of what we are talking about, when there is a domain name system you get a domain name, but if you do not sign it, it is insecure.  So DNS security is an example.  When you have a website, it is usually created insecure.  You can secure software principles or not test anything and have insecure with a lot of flaws in them.  And with the Internet of Things you can create with the secured designed inside or without. 

     This topic and not just countries but also organizations.  And I put one question to them.  Do you want to be hacked?  And I think that for 100% no matter who you are on this world and live in this world the answer is no.  Nobody wants to be hacked. 

     So we have a common feature in common with each other that we want to be secure and safe from attack from the outside.  Now in and around the internet it is usual to work with mitigation.  There is an incident and people start running around it and solve it and then it is fixed, the perpetrator is outside, or we have thrown away the computer. 

     What was the cause of that?  What was the cause of that incident?  And that is something which is not always looked into enough.  So what we are moving towards with our Dynamic Coalition is to look more at the prevention. 

     So if all of these services and these devices and internet tools come better prepped to work security wise to the end user and to the people creating these tools, it would mean that we would be much more secure with perhaps 70 to 80% of all attack factors closed for the bad guys.

     In other words, that would be working towards prevention.  And at that current moment there is a huge gap between the theory of cybersecurity and the daily practice which is quite often insecure.  And that is the gap that this Dynamic Coalition is trying to close as much as possible.

     That will mean leaving silos but already said with the DNSSEC that is the domain name world.  When you go to the internet resource organizations they will be talking about secure routing and making sure that the transport is more secure.

     With websites they will only be talking about that. But when I'm buying the product, when I'm buying a new laptop, only the Lord I hope knows whether the thing is secure and whether everything works as it is supposed to work security wise.  As a normal consumer, there is no way of going there. 

     And when you are a procurement officer in a large organization, it is not just DNSSEC or RPKI, you're faced -- you're perhaps faced with a million different standards and where do you start? 

     That's something we have to get our brain around, how do we help these people that actually procure this software, this hardware, these devices to buy them more secure for their organizations? 

     And we have to do that because the effect of insecurity on our societies is devastating.  If you count up all the numbers and the loss in money from not only the bad guys and losses to the bad guys, but also the losses in much societal Broadway are basically devastating and seem to be getting worse. 

     There is a time for action, and we think that the time has been way past this hour. 

     So where are we with the Dynamic Coalition?  And my colleagues here around me and on the internet will give you a presentation.  We established three working groups last year.  The first is on security by design and the subgroup on Internet of Things so there could be other topics in the future. 

     The second is on education and skills and is about the gap between the students leaving with the vocational training or university classic courses and the demand that the society and industry has.  And there seems to be a huge gap between them and we have plans how to address the gap in the future. 

     The third is on procurement, supply chain management and the business case for security.  And a fourth working group since two months on professionalizing the communication, which is a bit different from the other topics because that is more on the procedure of our Dynamic Coalition. 

     And we will be changing our name we decided on and that will be announced by the chair of the working group.  A bit of a cliff-hanger here as well.

     We have done a lot of internal governance where we will be talking about in a little bit about the outreach that we have done.  After that, there is an opportunity for questions from online and here in the room.

     And after that, I will wrap up and tell a little bit about what we will be trying to do in 2022 working towards the next IGF.  With this, I'm closing my introduction.  Nicely in time, I see.  So that's a good stimulus to the others speaking.

     I'm just going to you, Yurii is presenting.  I hope that you are there.  I can only see Mark.  Yurii, please present on the working group by design.  Thank you.

     >> YURII KARGAPOLOV: Thanks I'm Yurii Kargapolov and chairman of working group number one.  The talking point with our group was defined by the tasks of defining the decision-making and discussion rules.

     Key timeframes and subject area in which our working group will work.  These items are reflected in our mission statement. 

     One other starting point was we proposed a working which factors are the most problematic in solving security issues.  Mainly the gaps.  The second one with competing protocols.  And the protocols, three points.  Third point, sorry, specifications and lack of ITT manager or manager of identity manager and the need of the basic trust model. 

     In any case, the main working paradigm was defined as security by design.  And we saw some of assessing an existing situation that would have given the opportunity to assess the degree of readiness of technological strategy and other solutions affecting the decision to design the system with built-in security by default. 

     What is this building security by default that important?  This is important for our work to understand what the experience of analyzing and processing a way protection resolves of both systems and single digital entities.

     Is it experience of reactive character?  We must find a way to place mechanism as close as possible to the digital entity to be protected.  Not only to ensure security and safety but also define solutions for new threats.

     And vision to face the challenge of getting safety and security within the internet with the -- with the increasing role of Internet of Things, the working group on IT, security by design has the aim of announcing and researching between the theory and the practice of cybersecurity standards and best practices regarding the design and maintenance of IoT system. 

     This workshop include both scenarios, updating existing solution and creating from scratch.  This sense, working group called attention of university experts in the area in different area and were a member in the first year. 

     And the working group established working relationship with other stakeholder communities where we can mention the expertise exchanged between the other activities of our working group and the IoT and security within America and Caribbean working group, for example, developing relevant work regarding certification, harmonization and innovation over digitalization in both region.

     Another we are building where the ISOC and importantly of national and regional IGF.  The mission statement was also developed in June based on the open consultations.  So is government summarize the working group problem, challenges, the possible solutions and outcomes and finally can be used as a reference for new members. 

     And the reference book likely manual of members and the future.  During the first semester of 2022 -- is 2021, sorry, working group had a few things we worked related to the analysis of in proceeding to preparation of final documents including recommendations and guidelines in addition where hypothesis where stakeholders can perceive the architecture and importance. 

     For example, many circles may have many when user or even suppliers, user or groups may also have different preferences regarding three protections.  As a result it was proposed to develop and conduct a survey for various group of stakeholders and obtain additional information. 

     In fact, worked directly with the different stakeholders of the markets of different countries that are involved in the design and the operations of IoT system and basic security issues.  Our community serve during the month of October continuing with information around the terms regarding IoT security by design. 

     The preferred type of policies to solve issues and asking about their successful initiatives.  The survey collected 67 responses where most came from academia, 25%.  technical community, 25%, and private sector 16%.

     Just to be clear about American and Caribbean and representations.  The details will be presented in the general DC report summary and resolve the challenges that were mentioned in our survey answer. 

     For example, lack of proper security and the legacy devices.  The lack of regulation for example for laboratory and lacking data security and awareness or education.  Lack of standards.  Missing institutional capacity building. 

     Working group decided by the process do we use and therefore we processed in the three general step is concerned.  Related to standards and related best practice and related and documents from many countries, many systems from regarding IoT security. 

     Step one is collected base information from the documents by answering these points first.  Provide the brief summary of initiatives including the scope and goals.

     Which are best practice standards or opportunities proposed.  Challenges were mentioned by the documents.  Specify the scope of the initiatives.  Are there further comments that were valid to step.  Second, it is getting right the document's output.  It is our future work and our structure of future work on the set of document.

     And analyze -- step three is analyze, compile and organize the collected information in the discussed documents. 

     Step four, use learning from step number three to build a document how to that addresses domain concern addresses in the communities served.

     And our future road map on 2022.  The '22 year working group efforts focused on how to get more members and related communities.  As mentioned before, we still have university in aspects of -- I missed this focus. 

     But it is really diversity, and we are inviting more women to our group.  It is one of the main focus for next year.  Organizational focus for next year and grow enrollment and membership size.  I try.  I finished.  Thank you.

     >> WOUT DE NATRIS: Okay.  Exactly in time, Yurii.  Thank you very much.  Yurii is calling in from the Ukraine and his Vice-Chair is next to me in Brazil. 

     And the next lady who is going to present on working two group education and skills is Janice Richardson.  She is from Australia living all over Europe basically I understand almost.  It shows the diversity that we do have as Mallory Knodel will present on working group three from the U.S. and the chair of working group two and four is from Africa. 

     Janice, please, the floor is yours.  The work group on education and skills and their plans and what they produced this year.

     >> JANICE RICHARDSON: Good afternoon, everyone.  I have a very long background in education but also in working on cybersecurity with a little bit of global and many others. 

     Our working group focuses on education and very rapidly we saw that there is a huge gap with the skills, the knowledge that young people are coming out of their vocational training with and the expectations of industry.

     And therefore we decided to detect that and figure out what is missing in order to try and close the gap between supply and demand.

     We have begun this with interviews.  We have already interviewed almost two dozen people.  But mainly across Europe.  And this is why we are reaching out to you in the hope that you will help us with these interviews. We feel that interviews with companies is important first to see what the demand is.  But at each step we are going back to tertiary education and validating the points that we are picking up.

     So basically what is our work plan for the year?  Well, scoping the challenge, as I have just said.  We set up the interview protocol.  We are liaising with industry on the education, and we are gathering data on the gaps, and we will start working on a survey. 

     We know that we have interviewed in industry and tertiary establishments and then we need to create a survey so we can start getting qualitative data on top of the -- sorry, quantitative on top of the qualitative that we have already.

     But, we have realized that this is a huge undertaking.  And we can't keep working on a voluntary basis.  So one of our next steps will be to reach out to try and find funding to do a really in-depth study on this.  And, once again, if any of you are university students and would like to help us take this on, we would be most grateful.  I think probably what interests you, what sort of gaps are we finding?

     I will give you a little glimpse so you will be eager to come and look at our website and find out more. 

     First of all, we are very surprised to see it is actually the soft skills that are missing.  The soft skills that kids should be learning in schools.  Amongst them -- analysis, synthesis, alerting and convincing.  What we do know is in companies, it is employees who are often the weak chain.  And also those people looking after the security are able to go back and show them the importance of what they are doing that weak chain will continue.  But the next is thinking.

     And this really needs to be developed from a very early age.  Critical thinking is missing.  Holistic thinking.  Problem solving.  Being able to join the dots and see the connections between things.  Also, being able to focus and visualize results. 

     And handling complexity because those who are involved in the area of cybersecurity know that it is extremely complex.  Many different parts that need to be joined together to see the overall picture. These, in fact, are very important skills in monitoring, and it seems that monitoring is really one of the areas where simply there are not enough employees. 

     But approach is also very important.  Companies find that young people lack initiative.  They lack agility.  Flexibility.  Open mindedness.  Respect of diversity.  And I know that Yurii already spoke about this.  One person that we interviewed in the Netherlands in charge of the very complex health system of the government pointed out that women see the granularity and yet when they go into meetings the men scoff and make fun of them so it is pushing women out of this area where the granularity that a woman can bring is very important. 

     On terms -- in terms of hard skills.  And, once again, interesting.  Young people are missing the system logic.  They are missing an understanding of cloud technology.  Operating systems.  Network protocol.  Also the internet backbone. 

     And this is why some of the companies we have interviewed are actually turning to hackers because they feel that they have this basic understanding that young people don't have when they believe they are qualified and come out of the tertiary education system and try and get a job.

     System architecture but also business and project management.  In terms of skills, even the scripting, coding and transversal skills are missing.  And companies are looking for strategic constructivist approach.  They are looking for young people who are actually able to break down those silos and able to build bridges.  But they also need young people who have a really great ethical understanding and who can join the dots between the political, the technical and the legal mindset. 

     So what have we discovered so far?  Because I think this is what is interesting.  What are those good practices around Europe that could be replicated?  We know that building bridges is important.  And Denmark, for example, has created a national cyber hub where they bring in the tertiary sector or the vocational training.  They bring in companies where they compare the results.

     Strategy development forums is another tactic being used in Belgium.  One country has a cyber academy to have on-the-job but not like we know so far.  Actually on-the-job training where the young people are doing concrete things and bringing that very important innovation into the world of cybersecurity. 

     And another company is using social engineering to make sure that they can very quickly see who these young candidates are and if they can be trained.

     So what are we planning to do next?  Well, as I said, we want to do an in-depth study.  Therefore we need to do more interviews.  We need more people ready to carry out these interviews for us. 

     The survey.  We need your context so that it can really be an effective qualitative survey.  We will be then comparing findings with work group one and work group three and we hope by around May next year we will bring out a report which clearly shows what is missing, what we can do about it, and what are some of those good practices that could actually be replicated so that this talent pipeline that we should be getting from universities and vocational training establishments really can jump start into industry and start making the difference that we want.

     I will hand it back to you, Wout.  And I look forward to your questions.

     >> WOUT DE NATRIS: Thank you very much, Janice.  I forgot to introduce myself as usual. 

     My name is Wout De Natris.  I always forget saying that.  Because I think the topic is more important than I am.  That is basically the reason I think. 

     To take one minute, I was having lunch coincidentally with an American professor and he said he just started two years ago cybersecurity education training in Atlanta and that he has a course in three levels. 

     Not just the cybersecurity as we understand in a regular way.  A second layer which is national cybersecurity.  They learn to look beyond the work they are doing.  And a third level, internet governance, so the whole internet architecture and internet governance organizations are all part of their training. 

     I think that would be very interesting to talk with Milton Muner soon, Janice.  I will introduce the two of you, I already promised.  That was my half minute in between.

     I will introduce Mallory Knodel to you.  She is the chair of working group three.  Do you have a microphone?

     >> MALLORY KNODEL: Thanks for the intro.  I will talk more about my work so you can put it in context.  And I'm the Chief Technologist for the Center for Technology and Democracy based in Washington, DC and I'm active in the technical community.  We engage in the worldwide web consortium and the internet engineering task force.

     So I can certainly give you a firsthand view that it is not that there are large gaps in considerations about security at the technical level.  We are trying to bridge the gap between where the standards are being set and then how that gets actually to the end user.

     So there are my colleagues have also talked about how they are filling gaps.  I think the one that we are trying to fill in the procurement working group is more around implementation.

     So you will often hear at least I hear it often in technical community that standard setting is not going to police.  They are not the standards police.  They are not going to set standards and then absolutely make sure that they get into products. 

     There is a sort of -- there are other incentives that have to be put into place to make sure the products reach people and implementations are good and that is driven by companies and furthermore another abstraction layer driven by demand for those. 

     So we have to take into account the whole ecosystem.  And we are the Internet Governance Forum.  Like we are essentially managing the internet from a very high level.

     So when we think about what kinds of inputs or influence this Dynamic Coalition can have, I think about that  a lot.  Thinking about how can we have some really specific impacts at a high enough level that that makes the biggest difference for the most people.

     And so with that in mind, really this year we have not done much more than come up with a research plan for this piece of work.  And I would just take a pause here and make it all very clear that I want as many of you that are interested in the topic as possible to participate in the research as it moves forward. 

     Even to some degree taking leadership positions because as Dynamic Coalitions go, it is not just about outputs, it is also about building, you know, a group that works together, that practices together, that researches together.  And that goes out and has influence in making sure that research lands in the right place. 

     So that's sort of been also top of mind is this year we have very carefully laid out a plan for what that -- for what this work looks like and would be open to your thoughts even today on if you think this plan is a good idea or not to try to fill this gap in procurement. 

     Without further ado, I want to try to get into the theory -- I talked a little bit about the theory of change that if we can sort of understand what are the gaps, then I think we can better fill them.

     And so it is -- let me just go through.  I think how we are going to build this out.  Sorry, I made this plan long enough ago I have to check my notes.  So right, our main outcome is we are trying to meet the global internet security standards in a ubiquitous baseline requirement for any public or private sector procurement and supply chain management policy. 

     That is pretty narrow in scope in terms of making the internet safer.  Trying to get specific here.  But it's also achievable, I think that's nice thing about having a really clear outcome.

     The objectives then within that are to fully scope the security standards and procurement challenges and opportunities.  So that's the first step is to know what is already happening, who is working on that.  And also the nice thing about a very thorough scope is that we find out who we might invite to join the Dynamic Coalition and essentially come along with us as we try to solve the problem together.

     The second objective is to figure out then obviously what is relevant and actionable guidance that would require security standards in procurement and supply chain management policies. 

     So making sure that whatever we suggest is actually going to be useful.  And then, of course, the last objective is that those -- that guidance, those suggestions actually influence public and private sector procurement supply chain management.  Those are three separate objectives that take a concerted amount of effort, but they are interrelated and for the most part fairly linear. 

     I don't think I have really been talking that much or for that long, but I also don't want to just read you the different activities.  I think within each of the objectives we laid out a series of activities.

     We have the benefit of being part of the Internet Governance Forum where much of the work is discussed and brought forward. 

     If you are working on an intergovernmental strategy for improving cybersecurity, you will probably end up talking about it at the Internet Governance Forum, we will meet you probably at some point and talk with you. 

     There is no shortage of experts in this group.  My goal is to make the work as relevant as possible because that is how you get the most people involved if you are doing good interesting work that fills a gap, then your audience makes itself.

     So that is the main part -- that's -- that's the essence essentially of our first objective to do is scoping and mapping.  It shouldn't take the entire year.  We sort of burned the year already thinking about how to get this done.  I'm satisfied with the way we laid it out.  Then I think we ought to set a goal of getting that scoping wrapped up in the first half of the year. 

     Intersessional work in the IGF can be deceptively open and breezy, but then December of 2022 is just around the corner.  I have learned, right?  Once we have the scoping and mapping, it will be a sort of mixed methods doing desk research but also conducting qualitative and getting really to the heart of the second objective which is what would be relevant and actionable? 

     What does the Internet Governance Forum provide in terms of value proposition for folks to take the guidance, to listen to the guidance and what kinds of guidance would that be?  Could be we also extend some surveys.

     We could develop a variety of things.  Is it going to be a checklist document?  Even issue papers that we then take into other bodies doing the work like the OAS or ISO?  You know, and could -- could wind up being many, many different things. 

     But overall I would like us to be somewhere between the second objective and the third objective by the time we get to the IGF next year so that the guidance is somewhat well formed, and we are starting to socialize it and getting it into the right hands.

     I would just finish up by saying I think that there is no stakeholder group in the IGF that shouldn't really care about this.  I thought about it quite a great deal.  We are all sort of procurers of technology as Wout pointed out.  Some are more high stakes than others if you are procuring a lot for government you might pay more attention than you would if you are just shopping on Amazon for your own personal equipment or for all of the schools in Europe or setting standards at that level, right.  There are different levels. 

     Governments should certainly care.  Private sector has I think a real stake in this where they are making good products and they want the uptake of those products to be at a wider more widespread level.

     The technical community then has a great deal of stake in this because they are setting good standards and they want them implemented.  While perhaps they are not the protocol police, right, they consider they should be paying attention to how demand side is driving the adoption of good protocols especially when a lot of standards have competing standards that are also standardized. 

     So which standards are effectively winning matters a lot when you can bring in the consumer side use case.  And civil society has a lot at stake here where we can get a little bit closer to the end user with the research. 

     I feel like sometimes in the Internet Governance Forum we have a good idea of some public interest considerations and end user harms in mind, but it is not very often that we are able to take these like very high level norm setting principles and so on and actually reach end users. 

     Like I said, I don't think we will be influencing the way people buy their own personal equipment, but I think we get a lot closer to, say, workers right in a secure employment and things like that. 

     Trying to close the gap between theory and actual demand for the products.  Academics as well are doing research on this.  That is part of the process is to bring in learnings from academia and measurement and practice into the space, so it allows for better decision making.  That my pitch to all of you, irrespective of where you sit in the internet governance, this is a place to manage real outcomes.  And I just really hope you will join us in this work.  So thanks.

     >> WOUT DE NATRIS: Thank you, Mallory, for the three pitches on the potential work in the future and certainly an invitation to join.

     We come to the cliff-hanger because I'm going to hand off to Raymond Mamattah who is chair of two working groups actually. 

     The first is education and skills, which Janice presented on.  But also the chair of working group four on communication. 

     And Raymond, the floor is yours to present on what you have been doing in the past two months.

     >> RAYMOND MAMATTAH: Thank you, I hope my screen is shown.

     >> WOUT DE NATRIS: We see it, Raymond.

     >> RAYMOND MAMATTAH: So working group four is composed of a team of those who have passion to ensure that our DC is well presented and in terms of digital presence and has a professional outlook in the work we do. 

     In this regard we are looking at having a professional e-mail address that we will be using for our communication.  We also are looking at getting a website for ourselves and also get our presence felt on our social media handle.

     We also need to create a very good logo.  Now, our name.  Our name as a DC because we belong to the DC is the Dynamic Coalition on Internet Standards, Security and Safety.  But we have taken consideration, concerns of our various stakeholders and members and we are converting from the Dynamic Coalition On Internet Standards Security and Safety to Internet Standards Security and Safety Coalition.  That will be shortened as IS3C so this will be the new name to be effective from today.

     Our logo.  This is our logo.  We never had a logo, so we are unveiling our logo today.  This is how it looks.  To give an overview of the logo, the first option has a globe.  Next to the globe is a lock.  The globe represents the internet, and the lock represents security.

     The globe also represents our presence throughout the world.  And we have our full name on the logo which is the Internet Standards Security and Safety Coalition.

     But the Logo also has the acronym, the IS3C and our slogan which is making the internet more secure and safer.  This is the logo that we are unveiling today.

     So the way forward.  The way forward for us as a working group four on behalf of the DC is to create social media handles so that we can have our presence and create our own website so that when you land on the IGF website separate that has been given to us. 

     And also we will have the official email addresses for all of the leaders so they will stop using their own e-mail to have our own professional e-mail addresses for our leaders. 

     And we also want to get people who have skills in graphic design and social media and passion for this to join the working group and the DC

     So to join the DC, you just go to the address here.  It will be posted in the chat.  Just click on, then you can join the mailing list.  You just have to provide your e-mail addresses and you click.

     If you want to get more information on what we do and the various activities so far, you can go to the other link down there to get that information on the work this DC is all about.

     Then this communication team is based on the e-governance and Internet Governance Foundation for Africa which I am the founder.  Thank you very much.  If there are questions, we are open for them.

     >> WOUT DE NATRIS: Thank you very much, Raymond, and also for your excellent work on sharing the working group and making sure that we all agreed on what is just being because we have a new name and a logo and we will have our own website, et cetera very soon from now. 

     Now I give the floor to my partner in crime, Mark Carvell.  He is the Senior Policy Advisor for the Dynamic Coalition which I should now say the Internet Standards Security and Safety Coalition. 

     And he will tell a little bit about the governance of this Dynamic Coalition and ask about the outreach that we have been doing in the past 12 months and the governance we like to report on. 

     When we started, we got questions about decision making and Mark will explain what we did to answer the questions.  So Mark, the floor is yours.  Thank you.

     >> MARK CARVELL: Thank you.  And greetings, everybody.  Just to enhance the geography here.  I'm in the UK so in Europe.  Not in the EU anymore.  But anyway.  That's another issue which I don't want to go anywhere near.

     My background is I was with the UK government for 10 years leading on internet governance policy and represented the UK and Council of Europe on the Information Society at ICANN and the UKC on the government advisory committee and led negotiations on the digital and G7 for two years in Japan and Italy.

     So I left the government service and I joined IS3C in the early days with Wout really to set it up.  And as Wout said, it is our anniversary.  It's great.  We have come a long way from the conceptualization and launch a year ago at the Internet Governance last year and we had lots of support and our launch we had support from the Swiss government. 

     So you have seen the architecture of the coalition shown here with three working groups on focused issues and the first phase of work.  And Raymond's work in the fourth working group on communication strategy and how we are presenting our profile and so on.  And so we have got an architecture pretty well established now in our first year and three working groups actively up and running. 

     In the early days we had to think about well, we are ambitious and want to be an outcome orientated Dynamic Coalition very much in the spirit of the reform of the IGF, the IGF plus proposals that have come out of the roadmap on digital cooperation. 

     And we thought in the early days well, you know, for the coalition to achieve the kind of impacts that Mallory was describing, we have got to ensure that we have a coherent robust process that will ensure that our outcomes are authoritative and respected.

     So we turned to the issue of how do we provide that in establishing a governance framework for the coalition?  So we consulted with the people who were with us in those early stages of the coalition and decided to come up with a governance framework and specifically a document that would set out some key principles of working and mechanisms in particular with regard to reaching decisions. 

     And of the process of taking those decisions forward to endorse outcomes before we go out to the whole world with our guidelines, our policy recommendations to governments and to private sector leaders, decision makers in the private sector, our toolkits or whatever it is. 

     The kind of things that Murray was envisioning as a roster of outcomes and how do we get to those points of delivery.  And so we drew up a governance document.  It is on the website.  Following a lot of discussion and consultation and checking practice elsewhere and so on.

     But we started with pretty much with a blank sheet.  And it covers some key aspects.  First of all, membership.  Who is a member of this coalition.  And we decided that basically it was pretty difficult to define it other than who was actively subscribing to our mailing list.  Because people would quite often follow our work as subscribers to the mail list but not actually engage in the working group. 

     But then again they might be.  And they would have that option and maybe they are sort of assessing the progress, the work before deciding to commit time as volunteers in a working group so we decided to designate membership to anybody who is on the subscription list for the mail list.

     And then how do we reach decisions?  Based on -- we decided to form, follow really practice elsewhere, I know this from my work at ICANN, of basis of consensus where there is no objection.  And we set that out clearly in the governance document.  And then the process for reaching decisions.  It is bottom up.  It is multi-stakeholder.  This is very much in line with principles of endorsed by the WSIS for the IGF and so on.

     So the process would come up from the working groups and then go to the leadership, the coordinator ultimately, Wout De Natris.  And then the proposals would be put to the full membership for agreement before then going out to a wider totally open consultation for any stakeholder anywhere to give their views.

     So we set this out in a kind of clearly set process.  And also how to deal with, well, what happens if not everybody agrees, how do we resolve that.  And the kind of process for revising a proposal or in the worst case and hopefully would never happen we just say we couldn't reach agreement.  That's in the governance document.

     And this is not a document that's set in stone.  We envisage reviewing it and seeing how effective it is as we gain experience after our first year.  And it is a kind of iterative process, if you like, for sustaining and effective governance framework for the working group, the work of the coalition that, as I say, would command respect and from the wider stakeholder community, from people in government, from ministers, whoever we want to get engaged on our outcomes.  That is the key objective. 

     It is fully transparent.  All of our work is transparent, and people can follow us, and our documentation is transparent and all of that is clearly stated in the governance framework as well.  I will stop there.  I hope I kept to my precious five minutes.  I don't know, I haven't been following the clock.

     >> WOUT DE NATRIS: You went over 40 secs Mark.  Thank you.  I'm giving back to you right away because you were going to do a little bit on the outreach and do an update there.  So four and a half minutes.

     >> MARK CARVELL: Tough coordinator you are.

     >> WOUT DE NATRIS:  Moderator.

     >> MARK CARVELL: Yeah, to have discipline and be robust.  Outreach.  What are the goals of our outreach. 

     It is important for us as a multi-stakeholder process to promote awareness and get people to join us.  We need experts.  We need their input, and we need their input.  Awareness raising is a key thing.  Getting the participation of experts, stakeholders to join us is a key goal for the outreach objectives. 

     Thirdly, to engage people who would help us with our strategic thinking.  We are in it for the long-term.  We are not going to be in the complex area of cybersecurity and then out again quickly.  We are phasing our work, so we need insights how to strategize. 

     We have three working groups now.  We may well set up further ones next year and then as we progress of standards and addressing the gap between development and deployment of standards.  Fundraising, that is another key objective for the outreach.

     As the working group chairs have described, we have got interview processes, research projects being formulated.  That is going to need funding.  And we need to cover some of the essential administrative costs.  So outreach to source funding requirements. 

     I spoke in the session earlier this week about Dynamic Coalition.  And we are going to talk to Jason Muyeen about others facing the same challenge.  And a final aspect of outreach is that we are conscious we can contribute to capacity building and talking to the people about what our coalition can do in terms of providing inputs into capacity building initiatives.  And we have got discussions coming up about that. 

     So who are we talking it to?  Well, within the IGF community, of course, we have got the session here today.  And we have contributed to our digital future program, the first session on that back in September about cybersecurity alongside the best practices on cybersecurity. 

     That is how we are complementing the work we do with the best practice forum on cybersecurity.  And we are talking to UNTECT Envoy Office and the European Union, DG Connect and other international multi-stakeholder organizations like the OAS, the African Union.  And standards platforms like the EU one on standards. 

     We have spoken in providing public presentations, if you like, at the Asia-Pacific regional IGF for the steering committee of the APR IGF. Thank you for affording us time at their last big event. 

     And also we have an opportunity coming up next week with the open-ended working group of the UN.  We have secured a slot in that as has the best practice forum I note as well.

     So the IGF work on cybersecurity we will be there explaining what we are doing to the UN process of the OEWG which is opening up for now to stakeholder participation which is good news.  And we are talking to the national IGFs on Saturday actually.  Wout and I are speaking at the Taiwan IGF and looking for other opportunities.

     And next year, we need to geographically spread out a lot more.  It was great that India has now launched its IGF, the IIGF just held.  Hopefully next year we can get a slot there because south Asia is so important and Africa, the African summit and AFRINIC. 

     So our approach and we need to reach out to all regions.  We have a networking session tomorrow at 11:30 to 12:30 UTC.  Talk to us there.  We need feedback from everybody and help us to spread the word and connect into more and more -- it is like the internet.  A network of networks.  The IGF affords that. 

     We need to connect into other networks of stakeholders.  Back to you, Wout.  I don't know if that was four and a half minutes.

     >> WOUT DE NATRIS: It is relevant information, Mark, so thank you very much for that.  I think it is time to open the floor.  I saw the chat appearing in front of me, but I could not read it.  They are small letters. 

     Could you look at it, Mark, if there are any questions there?  And from this I will turn to the room if there are any questions.  Let's give the people online, this is a hybrid IGF, a chance to ask a question first.  Can you hear me, Mark?

     >> MARK CARVELL: I'm just going through the chat.

     >> WOUT DE NATRIS: No worry, but we were seeing a dark screen all of a sudden.

     >> MARK CARVELL: I'm still here.  I don't see any questions jump out.  Aaron Butler was asking about the link that I think Janice referred to which I think is the main website page for the coalition.

     So we have provided that.  I'm just scrolling down.

     >> WOUT DE NATRIS:  Otherwise, I will look in the room.

     >> MARK CARVELL: Other than congratulations, and our new name is being well received and the acronym, IS3C.  So much easier to say.

     >> WOUT DE NATRIS: I'm looking at the room.  Any questions?  Yes.  And first, introduce yourself please.  There is a mic there.

     >> AUDIENCE: My introduction will be a little bigger than usual.  Hello, my name is I'm Raul Falcom.  I work with cybersecurity meaning that I am a white hot hat hacker.  In here I am representing my company Intelliway. 

     My commentary will be directed to Janice.  First, thank you for your work.  We need more people joining forces in this subject.  I would like to state that my company agrees with you and understands that there is a huge lack of knowledge on what cybersecurity professional needs to know. 

     We believe that the knowledge about cybersecurity isn't properly integrated in formal education, so my company decided to create a partnership with one Brazilian university.  I'm from Brazil.  With this partnership we are creating a program to professionalize students with the classes, tutoring and internships directed to cybersecurity and artificial intelligence.

     So our idea is to teach hard skills at the same time we strengthen the soft skills needed to do the job.

     So my question is with this kind of partnership are being considered in the cybersecurity in your work?  Thank you.

     >> JANICE RICHARDSON: Yes, definitely.  We need these partnerships.  We have a partnership with a university in Poland, but until we get partnerships with organizations like your own we don't have that glue that is going to bring all of the knowledge together.

     I myself am working with Morocco also.  We are looking for your partnership.  Please come and join us and we can show you what we want with the interviews and get you to conduct interviews.  This has to be a collegial job and it is great work you are doing obviously so thank you.

     >> WOUT DE NATRIS: And then next question -- and, Mark, if there are any questions online, of course, the floor is theirs.  And being outside of this room.  Please introduce yourself first.

     >> AUDIENCE: I'm Martina, a post-doctoral researcher at the European University Institute.  And I spent six years during my free time teaching skills for kids and teenagers to try to make them creative thinkers. 

     You were focusing on tertiary education and focusing on soft skills.  If you look at like pedagogy research, a lot of the soft skills have to be taught in secondary or primary school.  Take into account the fact that a lot of the skills can be and like knowledge and competences can be taught in university, but if you really want to change and make sure that like the next generation is empowered to take part in the digital revolution, we have to start much earlier. 

     And this is much harder of course but requires collaboration with the local authorities and national authorities but can be done. 

     We are doing a big, randomized control trial to try to start the impact of certain types of courses on 3D printing and coding in school and see how they impact the creativity grid and the new type of competences which are required for young people to engage in STEM subjects and cybersecurity comes after.  Thanks.

     >> JANICE RICHARDSON: Thank you very much for bringing this up.  I do wear a number of hats, and I did begin my career many years ago as a primary school teacher.  I fully agree with you.

     I'm working with the Council of Europe and I'm also in the process of writing for UNESCO the teaching training curriculum on global citizenship and I fully agree.  Some of these skills that I mentioned simply you can't jump until you are 17 years old and say I'm going to be developing that holistic thinking, that critical thinking, the ability to focus, for example.

     They need to start very early.  That is why I didn't speak about it because we are more focusing at the vocational level right now, but we would be very happy to work with you if you could please give me your details so that we can stay in contact. 

     And you're definitely right, we need to work together, and we need to make sure that young people emerge from the school education ready to take on this vocational education.

     >> WOUT DE NATRIS:  Excellent comment.  And we had serious discussions about the scoping of the of working group and decided to limit it at first, but that's, as I said, there are these little open boxes for the future.  More or less this is taken care of, can we add to it.  Something as Mark said, 2022-2023 we will be opening new workshops.  Is there a comment online?  I see the chat moving.

     >> MARK CARVELL: No.  That was just really comments about access to recording.  There was a problem following us.  It is on YouTube.

     >> WOUT DE NATRIS: And there will be a link online soon after the session is over and when it is processed.

     >> MARK CARVELL: Right.  And then of course, as I say we have the networking tomorrow so please if anybody is thinking, think of your questions and grill us tomorrow.  This is your chance to say you're focusing on the right things or maybe if you are thinking we should be prioritizing on other things.  This is what we all need to know. 

     And also ask questions about everything that we are doing now as we are progressing through the work plan now as you have heard from the working group chairs.

     >> WOUT DE NATRIS: So if you are online, please put up your hands because Mark moderated for us so you can ask your questions just like people in the room. 

     Now I have Vittorio.  I was going to ask you a question because you work in the industry and perhaps on the question or comment you can also maybe comment on do you think we are working the right direction as Mark was saying.  Please, Vittorio.  That is also the question. 

     Do you think we are working in the right direction? 

     >> VITTORIO:  First, with no offense to anyone, but just to point out how hard this is.  Let me point out the realness of being here and talking about secure and safer internet in a conference that has just been Zoom bombed one hour ago in a simple way that it was just the average meeting of people that never used Zoom in their life. 

     It is easy in the field to say that we need more security and should do this and that.  It is very hard to do it.  Because then when you -- I mean you have to give up stuff to be secure.  You have to be uncomfortable and do something which is inconvenient. 

     It would be convenient to share the Zoom links on the website but then you get Zoom bombed.  Of course, the discussion is at a high level inevitably.  But as you have seen in the field you need something specific.  As a company we are a big e-mail vendor and we have been for years sponsoring a project which I was going around the world and telling the ISPs around the world that they need to deploy the technologies and making it secure. 

     And we were cosponsored by the e-mail vendors.  Five years later we still cannot, one still has not implemented in the platform and has not clearly delivered.  And the basic issue is there is no demand for this.  In the room we agree this is necessary, but the end customers don't buy into the products because of the deployment of encryption. 

     There are very few specialized providers that give you encryption.  People choose the price and branding and marketing channel.  They go to the supermarket and find a box and they buy it.  I wonder whether we could agree.  The market is noting with to do it because it is not a priority industry demand, then maybe we need to force to do it by regulation or the industry itself to maybe just by educating.

     My experience there is not going to work very well.  There is few companies that really care.  Or maybe it is the users.  I also think it is not.  I don't know through the discussions you come to consensus and advice what we can do maybe targeted by sector, by topical even efforts.  Some parts of the industry would be willing to fund and work on it, but we need to agree what is the real point to make this happen.

     >> WOUT DE NATRIS: Thank you.  The thing that we started with basically is that we identified in the record that was the basis for this Dynamic Coalition, where are the pressure points in society on creating a safer environment.

     And yes, the first one that came out, simply was regulated.  And also nearly 100 -- nearly 100% said really the baddest thing you can think of do because people have different regulations in the world. 

     We will look at the positive pressure points and negative.  The positive if we can convince governments and large corporations to buy secure by design, then you create a business case because the rest will not get accepted. 

     There are more negative pressure points, and you have to think about consumer regulation perhaps that already exists or consumer testing, efficacy agencies that test the products.  It could well be that we have to look at testing the products themselves.  The bad guys are testing 24 hours a day so why aren't the good guys? 

     So why don't we organize a mechanism around the world that we pay people to actually hack products on that and when we put that on the doorstep of the manufacturer that is going to be the moment that he is going to feel extremely uncomfortable because everybody will know at some point that it is insecure products. 

     So that is a positive way, a stimulus incentive by procurement.  The blank spaces are talking with privacy and security authorities and what are the things we are starting to discuss and hopefully go into a new working group where they will research. 

     Not going to go into action but hopefully research it themselves and have a working group on it.  Is that the answer?  I will go down to the easy outcome for this year and the end of the summary at the meeting.  Do you still have your microphone?

     >> MALLORY KNODEL: Does it work?  This is not representing the hats I wear.  This is my own personal opinion.  I derive a great deal of joy from disrupting snake oil. 

     And I think something that companies and governments and a lot of us have to spend money on is sort of this cybersecurity industry right like you go to the big convention and they are selling antivirus and they have controversial advertising with a scantily dressed woman on top of a car. 

     I think this is the opportunity potentially to get in the way of that.  Rather than spending loads of money on the sort of damage control products and insurance and all that.  Maybe just harm reduction?  Maybe harm reduction. 

     This is a more measured approach to like when maybe when you buy things or when you are implementing technology, you just check a couple of boxes before you sign like a really big contract.  That is it. 

     And then potentially that will save you money in the long-term because you are not having to invest in the sort of, you know, sexy looking solutions that really just are very expensive and they don't really do much other than like they promise to protect you, right?

     I think that we have an opportunity to maybe be that.  You know, which it is kind of boring, but actually it could be really fun because I think there are a lot of us that are in the industry that really despise the glitzy approach to cybersecurity. 

     I like to think this is making a case for just like do it right the first time.  We'll see.  Maybe that will work, maybe it won't.

     >> WOUT DE NATRIS: I think that moved from mitigation to prevention.  I think that that is a good second slogan.  Thank you for your question, Vittorio, it is spot on. 

     Janice, did you want to respond to some comments made?

     >> JANICE RICHARDSON: I did because I think one very important pressure point is employment.  And as we have seen over the past year or two, with the parroting the hacks in national systems -- the pirating and the hacks in national systems everyone is aware that we need to increase cybersecurity. 

     When I was doing work with Gasperski and we realized there was an attack they came in contact with the local government in Dublin and set a whole training course which is running well, but it has been replicated in several countries.  For me, the fact that this is a growing area of employment, it is a very important pressure point that we need to use.

     >> WOUT DE NATRIS: Yes, and Vittorio, you are one of the members on the list.  Perhaps we should just have a one-on-one with a few of us as well to see how we could progress in the direction that you are suggesting because it is a sound suggestion and one we want to work on.  Thank you. 

     Back to Mark.  Questions on your end?  Because we are running towards the end of our session.

     >> MARK CARVELL: Nothing in the chat.  I don't see any hands raised, no.  I think we have covered a lot of ground and maybe people are digesting what we presented.  As I said in the chat, actually come back to us tomorrow at the networking session which is a very open opportunity.

     >> WOUT DE NATRIS: Thank you very much.  I will ask the final comments from you, Nicolas, because I know you have ideas on how we could go forward. 

     The mic is there, and you can have a couple of minutes what you would like to do in working group two. 

     >> I'm the cofounder of the OIT cybersecurity in Latin America and the Caribbean.  From my point of view or our point of view, we think that the work of the DC is very enormous, and it is a big challenge for every one of us to be involved in this kind because we know that the industry is behind the security protocols of several parties. 

     So at the end, I just have a little comment related with the -- with the question from Vittorio, I think as the electronic devices has this sticker for the energy efficiency, maybe you could have at your home these -- or the air conditioners, they also have for example, A plus for stickers to say that it is energy efficient in some manner.  There exists some standardization from the other framework, for example.  That could tell you that the device is secure in some manner.  That when the data is going and which type of data so the consumer from the consumer protection point of view could know also which device that he is buying.

     So this is another leg that was not mentioned in this workshop, and I think it is another part of the thing that we need to look at.

     And from the IoT I would say in Latin America and Caribbean, we started activity in April in 2021 this year in trying to do a mapping of public policies around the world and focusing on Latin America and Caribbean and what the regulators are doing in each of the country. 

     I think it could be interesting to find some patterns or common patterns in countries to look at the -- patterns in countries to look at the better way that they need to be followed.

     And also we are trying to do like a survey of the different protocols in terms of the IoT security in particular from different standardization bodies.

     So we are now trying to reach out more with the work of the DC.  So very glad to be here and to try to help for the same that we all have.  Thank you.

     >> WOUT DE NATRIS: Fabio, the floor is yours.

     >> Thank you.  Adding more about the work of working group one. 

     I would think more specifically one point of statement for us is also doing other things.  Taking advantage of the phrase for the EU summit.  We need more -- less conversation and more actions.  We have people saying things everywhere. 

     We have ICANN saying things about DNS and IOT and ITF having new standards.  We have OS talking about best practice.  But there is no -- we still need someone to glue the thing up.  So this is the action that we are doing in the working group one like get all of these things that is saying about IoT security and understand the needs of everyone and glue the thing up to have practical actions for a safer and more secure Internet of Things.

     >> WOUT DE NATRIS: Thank you.  We are running under five minutes, so we are wrapping up.  Yes, Yurii?  Yes?

     >> YURII KARGAPOLOV: I wanted to very strange and paradoxical fact, but we must find the answer and the question.

     Where does safety begins?  And what determine that, the security and safety?  Is it relation between user and services?  Is it relations between gadget and users?  Gadget and services?

     I think that answers on this question is open.  And we should find the answer on these questions.

     >> WOUT DE NATRIS: Thank you.  I think you put a giant challenge in front of us, but it's almost philosophical, I think.  I think the question is --

     >> YURII KARGAPOLOV: Not philosophical.

     >> WOUT DE NATRIS: It sounds philosophical.  I know --

     >> YURII KARGAPOLOV: It is basic point of our research.

     >> WOUT DE NATRIS: Yes.  And -- yes, Mark.

     >> MARK CARVELL: Olivier has raised his hand.

     >> WOUT DE NATRIS: You have the final word from the floor.

     >> OLIVIER: Thank you very much for having this discussion.  And some may not be aware but in recent times I have been involved in the mobile venture side and venture capital. 

     And one thing that horrified me is being part of pitch contests and pitch discussions and so on hearing the pitches that never actually touch about the societal component of what their product is going to on, you know, the people design things and companies come up with new services and so on.  They're not interested in whether it is real or not real or whether there is regulation around it or will be.  They are just thinking they need to make money. 

     The next thing is also just a sidetrack.  More interest in how much return can we make in the next two years.  Five times or 10 times the initial investment and that is it.  This is a real problem.  Innovation doesn't look at issues of cybersecurity and issues of stability and of the impact that it will have. 

     And I think that we have got a lot of work to do on this one.  Because unless this is done this is where things are moving always.  Innovation and the edge.  Unless we deal with that from the beginning we have a real problem.

     >> WOUT DE NATRIS: I think your observation is right, Olivier.  Thank you for that.  I think it was the same with cars and at some point it changed and airplanes it changed as well. 

     We maybe have to look at the development of all sort of applications in the near future in the same sort of way.  The screen is turning orange now.  So I'm going to close the mics and just go into my few final summary.

     >> WOUT DE NATRIS: To sum up, I think we heard the ambition that this Dynamic Coalition has and the way we want to progress.  And I want to thank the presenters for stating very clearly where they want to go in 2022.

     And I think that we could also perhaps produce two overall sort of goals.  What I call my top 20.  And that is not necessarily 20 different standards but what are the most urgent standards that if governments and organizations started deploying them would already secure the world significantly and that they -- because they are limited makes them more comprehensible that people have to learn to work with them. 

     Most are not technical educated.  They are financially or sales educated, et cetera, and they will really need to learn that it is two components of their work, the cybersecurity because our society depends on it.

     Another could be an inventory of what is out there.  What sort of standards do we have.  What has it meant or does.  And what is addressed and who is the organization needing to take action?  Because an inventory like that would make a major impact because you could refer to it.  People could not say any longer we didn't know this exists.  This is a list that is presented everywhere.

     I think that we, as Mark already explained that we need supporters at the Dynamic Coalition in several ways.  We need support from experts willing to work with us.  Look at the research that we are doing or to the research but look at the research.  Is this the right direction?  Is this exactly the answers that we as a stakeholder community need?

     So that is sort of experts that we are looking for.  We need experts and people who are willing to open doors for us and are in a position to say I can introduce you to this stakeholder community or I'm willing to present or let you present or let you write something in our newsletters or introduce us to people. 

     And we need financial support.  And with that, I can thank a few organizations today already.  As Mark mentioned, the Swiss Foreign Office helped us establish last year and we got substantial funding from SNDL in Netherlands.  We had funding from Microsoft to do some preliminary research in working group one.

     We have been funded by the platform Internet Standards in the Netherlands who helped us give presentations around the world.  And we will be assisted which has not been mentioned yet by ECP, the organization behind the Dutch IGF who is going to run the financial side.  Not money made to me as a consultant but to an organization which everybody gets invoices from or can send their invoice to. 

     And finally, we have support from AGICFA.  They will be financing our domain name, our website, e-mail system et cetera.  And they are from Ghana.  And finally, the IGF secretariat helped us with all of the things around the session, of course.

     So that is -- thank you for the support.  We have changed our name as you can see.  We no longer are known as the Dynamic Coalition but as Internet Standards Security and Safety Coalition.  And that is to set us a little bit more apart from the IGF but, of course, we will be functioning within the IGF system as a Dynamic Coalition.  So that definitely does not change.

     And finally, is that as Mark said, we have been reaching out to a lot of organizations and that is what I have been using the past four day days and for tomorrow as well.  We will have numerous meetings with organizations who are able to open doors and perhaps finance us in the future.

     And some of them indicated that we can please send a proposal to them.  That is the strength of the IGF.  Because people come together here and they are -- and not everybody was able to come due to the pandemic or due to fears of getting COVID or for other reasons, but the fact is that we are here and that made me extremely happy because we were able to come face to face and discuss all of the important topics with each other. 

     Not just this one, but all of the others and I think we are showing the strength of the IGF once again.  With that, I'm going to close.  Four minutes out of time, but it is all Mark's fault as you saw because he went over time in his presentation, Mark.  I want to thank you all who were online present and for your input in the chat and your congratulations on our work.  And on the new name.

     Thank you, again, for presenting.  Yurii also for presenting from Ukraine.  Thank you for your questions.  And I wish you a pleasant evening and a good final day of the IGF and hope that we meet again soon.