The following are the outputs of the captioning taken during an IGF intervention. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid, but should not be treated as an authoritative record.
***
>> WOUT de NATRIS: Hello. Is this working?
>> JANICE RICHARDSON: Hello. Yes, I can hear you. I hear you. Do you hear me?
>> WOUT de NATRIS: Yes. Okay.
>> KRISTINA MIKOLIUNIENE: Hello.
>> WOUT de NATRIS: Thank you, and welcome to this IS3C workshop on empowering consumers towards secure by design ICTs. But I have to admit that this flag does not cover all the topics we are about to share with you. Things change over time.
But my name is Wout de Natris. And I'm the coordinator of the Internet Governance Forum Dynamic Coalition on Internet Standards, Security and Safety for IS3C, and I am your moderator today.
IS3C has an overarching theme, to make online activity and interaction more secure and safer by achieving more widespread and rapid deployment of existing security related Internet standards and ICT best practices. (?) security education and skills and government procurement. We have also published two tools in the first by presenting a list of covering the most important interested standards aimed at operability plus how to secure websites, and the second we present to you today in a few moments. You can find our work on our website, www.IS3coalition.org or on the IGF website.
In this session we will present our upcoming work and our plan to create a hub. You will be among the first to see a video on this topic, so stick around.
IS3C ended the first phase of our priorities. It is time to move forward by putting theory into project. ICUs strives to create capacity building programmes so that our guidelines, recommendations and tools will be implemented around the globe in the coming years, leading to more harmonized and not isolated security actions. But that is the future, let's turn to now.
So we will first learn about the hub by Janice Richardson. Next Bastiaan Goslings will present the IS3C latest tools, our outcome 42024 and this is followed by a panel on consumer protection. And we end with our plans for 2025 and beyond. But first I have, Janice, I think you are online and I would like to present to you. Janice Richardson CEO of Insight Luxembourg and the working group 2 on skills. The floor is yours.
>> JANICE RICHARDSON: Thank you. And good afternoon, everybody. I am sure you are all aware that we have gone through a tectonic switch in the security landscape in the last couple of years, speed of viscosity of cyberattacks are coming faster and faster and no one is really prepared for this. The rise of generative AI also has made it much easier to cyberattack many of the applications that we use daily. Organizations have increasingly moved their business to the cloud, and once again, this is a point of fragility.
Also, identity based attacks are growing considerably through social engineering. This raises a question, what can we do because the traditional way of cyberattacks is no longer valid. We need to educate. Educate at all levels. We learned a couple of years ago when we did a study that, in fact, young people are coming out of tertiary education, they are really not prepared to kick start that career in industry. Industry is decrying this lack, decrying the gap and asking for better tertiary education.
But I'd like to go back even further. Because cybersecurity depends on every single one of us. We are all the weak link in the chain. And therefore, I think we all need to be much more aware of what cybersecurity means for us.
And this goes right back to the first classes of elementary school. Over the last couple of weeks, I have done a quick scan of what's available to help young people know how to use computers, technology safely and securely. And what I realize is that we are really not getting to the heart of cybersecurity. We teach about passwords, but we are not teaching the fundamentals. And this is actually what we learned from the study that we did and that we published at the IGF two years ago.
Industry considers we need to get back to basics. Young people need to understand the architecture of the Internet, the architecture of the cloud, if they are really going to help find innovative solutions.
Improving education and training, I have already mentioned that, but every single person must be aware of how we can very easily be victim of social engineering, even people like ourselves who consider ourselves experts in the field.
We need to improve collaboration. In tertiary education, professors are lecturing with their own resources and yet industry has some fabulous resources available. If only they would share these resources, if they would improve the collaboration, there is a real gap. Industry doesn't know what's being taught, but just knows that not the right things are being taught. And education is struggling to find the answers.
We also need to boost diversity. I don't know how many people are in this room right now, but usually I'm one of the few women talking about cybersecurity. If we don't have women, if we don't have different races, if we don't have a broad overview of the population working in cybersecurity, we really cannot fully understand where the breaches are and how to improve them.
And, of course, we need to upgrade recruitment procedures. These in service trainings are really not working for anyone. Young people are there making the coffee when they should be there really understand how cybersecurity needs to work and how they can be part of a team.
This hads led us to push for a hub. What is a hub? It's a place where people from all walks of life interested and involved in the cybersecurity system would meet, would exchange ideas. It's a place where there would be room for the general public, room for youth, room for everyone to discuss and find the best ways ahead.
Cybersecurity is not going to lessen. Every day we are learning about new AI tools. This morning I was listening to intuitive AI, which adds further burdens to the system.
So, my call for action here is join us. Join us to create a hub, create a hub where we can all work together and start finding solutions and making the public aware that they also are the weakest link in the chain.
And when I talk about young people, I would like to say that they very often have a lot of solutions. If only we know how to work with them, how to guide them, but not put ideas into their mouth.
We have worked with young people, thanks to Buchanan Cole and Tony Grillo, Pixel Blue was the company, we have actually worked with young people in Canada. They have created a video, and I really think this brings together the ideas of how we need a hub, how to make that hub and maybe a glimpse of the future.
So, I'm calling on you, join us, we will be running meetings in January. Join us to help the hub become a reality. Back to you, Selby, to play the video.
(Music)
>> It is the dawn of the Internet, the world is suddenly connected like never before. The free flow of information reveals a global community brimming with innovation. Welcome to the Worldwide Web. But there are those who seek to subvert the web, to poison its promise for ill gotten profit.
(muffled audio)
(Silence)
¶[ MUSIC ]¶
>> It is the dawn of the Internet, the world is suddenly it is the dawn of the Internet. The world is suddenly connected like never before. The free flow of information reveals a global
It is the dawn of the Internet. The world is suddenly connected like never before. The free flow of information reveals a global community brimming with innovation. Welcome to the Worldwide Web.
>> Trying to find out how to get the movie on screen.
>> JANICE RICHARDSON: Okay. Are there any questions for me whilst you are getting the movie on screen? I'm very happy to answer questions.
>> Is there a question in the room? Sorry about that.
>> WOUT de NATRIS: I don't see any fingers.
>> JANICE RICHARDSON: Let's watch this video.
>> WOUT de NATRIS: Selby is trying to figure it out for the guys at the technical session.
>> JANICE RICHARDSON: I think I explained that this is really done by university students and to my mind it's one of the most impactful videos that I have actually seen on this topic.
(Silence)
>> WOUT de NATRIS: Yes, I think we have it. So, Selby is getting back here is our video on the hub.
¶[ MUSIC ]¶
>> It is the dawn of the Internet, the world is suddenly connected like never before. The free flow of information reveals a global community brimming with innovation. Welcome to the Worldwide Web. Subvert the web. To poison its promise for ill gotten profit. Necessary and existing security measures are not built in by design. Cybercrime becomes big business. Exploiting the cracks in our defenses. Taking advantage of our trust. Taxing our resources. Leaving countless victims.
Our leadership struggles to develop a coordinated response. Our defenses disorganized and outdated. We are left to fend for ourselves. To protect our global connection, experts around the world come together to form the vanguard of cybersecurity, the hub. Populated with the smartest people on the planet, using the most effective solutions available. With adequate funding and collaboration, the hub grows. Schools are empowered to provide state of the art training. A new generation of cyber warriors enters the battlefield. Citizens of the web have open access to protection, ensuring the security of every link in the system.
Put an end to cybercrime. Once and for all. Support the Internet Standards, Security and Safety Coalition. Let's build the hub.
>> WOUT de NATRIS: Yes, I think that's in place. This is made by a good friend of mine called Tony Grillo. And he works with the university in Canada where the department is called Pixel Blue. And their students make this as a graduation assignment, and then it was finished by the head of the departments to get the finishing touches together. But I think it's a very powerful video, as Janice said.
Are there any questions on the idea of the hub or what it could do or what it could do for you?
Janice, final question from my side. How do you envision the next step for early in 2025? What are your plans?
>> JANICE RICHARDSON: First, I think that all of those interested need to sign up. We will inform you when we will be conducting a meeting in January to see concretely how we can put this together. So, first step, call for action. Sign up, please, to the IS3C. Keep an eye on the date that we will announce. And then come with your ideas on how we can put this together and the road ahead.
>> WOUT de NATRIS: Janice, thank you very much. And we will be looking forward to the dates that will be announced on the IS3C website and beyond very soon. Thank you very much.
The next is that Bastiaan Goslings is in the room. Bastiaan works for the DNL registry at SIDN, but when we started this project on working aid in Ireland (no audio).
>> WOUT de NATRIS: One of the two sponsors of this project. The result is some guidelines that we produced on arguments and Bastiaan believes through his presentation to show what this work is and how it came about and what the recommendations are. Bastiaan.
>> BASTIAAN GOSLINGS: Thank you. You can understand me in thank you, Wout, for the introduction. And I think (no audio) that's being announced, I think that emphasizes, you know, the urgency of security standards having to be deployed. And I am proud, you know, that I can be here to share an overview of an endeavor, an IS3C endeavor that was recently finalized and in this particular on deployment of standards DNSEC and RPKI. So I have 10 minutes to go through this and I also want to give you an opportunity to reflect on and give statements or questions. I'm not going to be able to go into details. The report is publicly available in IS3C website. But I think it's good to take the opportunity here to give you an overview what we have been doing.
So, in a nutshell, the problem statement, probably you're all aware but the Domain Name System as well as the global Internet system for Internet routing are both fundamentally important when it comes to the functioning of the Internet overall, everything else depends on it, the functioning of naming, numbering and the combination of that and the way that Internet routing works. If there is an issue there, then any content or any communication that relies on it is affected.
So, that leads to the conclusion that if there are standards available that can improve those fundamental technologies, the security of them and increase trust in online services provided and in online presence of entities and individuals, then that would at least give you an occasion, this is something that you need to implement or if you purchase services from someone else, but that particular vendor has taken this into account.
These technologies have been available for quite a long time in Internet terms. But deployment, it's different across operators, it's different across regions and we have seen growth but it's still lacking. So, in order to be have a real impact, this deployment needs to be increased. But what's the reason for that?
So, this was something, you know, that fed into this effort, Wout also mentioned the fact that RPKI DNSEC supported this kindly, there is a lot of technical documentation available. Many reports available over the years looking at these techniques and when I worked for the ripe DNA SEC and RPKI, in terms of routing all the knowledge is there. And there has been rights on we thought maybe there's a different narrative necessary and that's what the working group aimed at.
So, again, you know, the deployment of these standards is fundamental, I think it's really important to to emphasize that, you know, that routing and the way the DNS works, everything else depends on it. So whether it's for organization, whether it's for public entities, public services for business as well as individuals to maintain trust in terms of Internet content consumed, Internet services used, Internet presence, it's fundamental that those technologies work properly and are secure.
So, then at least when it comes to these technologies, it sounds like a no brainer, but at least consider, looking at them. So either when it comes to your own network, your own devices you have you have control over, which you can configure, you know, think about implementing them there, or otherwise, if you purchase services, whether it's from a transit provider or cloud operator or other infrastructure services, then make it part of your procurement process to include these types of criteria because, again, everything else depends on a secure Internet route and a security DNS.
So, why is deployment lacking and I will not go into the numbers in details. There's more in the report so please gold, the URL, the links are included later on. But there are a number of points that were raised by the working group of experts that were involved in this.
On the one hand, you know, there's the perception of cost and resource constraints, right, like it takes additional knowledge, additional software, maybe additional hardware control of this to manage all of this. People consider this to be quite technically complex. And not only the fact, you know, that you need to have the knowledge to actually use these type of standards, but also if anything goes wrong, because these technologies, the underlying technologies is fundamental, there's a risk, if anything goes wrong with implementation, that the provision of online services might be affected.
And also, the working group considered, you know, that for quite a few entities, they are just involved in their business, commercial reasons to do so or on reasons to do so and they are not aware of the risk. This is very much under the hood of these type of technologies and how this works. People are not really aware of it and then you come to the lack of awareness and maybe lack of education. Also even when it comes to the engineers and the ICT people that are employed.
And the last but not least, and then we can get more, you know, towards the target group that the report is aiming at, it's not part of priorities, right, even an ICT strategy and everything that comes along with it, quite a few organizations don't have that. It is not part of the strategic considerations and priorities.
So, as I mentioned, you know, the technical reports are there, many analyses have taken place before. But the working group felt there was a reason for a new narrative. And a number of elements fed into that. On one hand, you know, national cybersecurity resilience. The risks or the availabilities of online services, they are so huge, if all of this breaks, if your Internet doesn't work, if you cannot communicate with your public authorities because everything is done online, then do you have a serious problem.
And we see in many countries, especially I'm from the Netherlands, looking more at that part of the world, the western part of the European Union specifically, more and more are sector, the Internet sector, is being regulated and I think to some extent rightly so because of the risks and the because of the risks involved. So, that's more and more regulatory pressure. So, if you include these type of standards as a best practice in the way, you know, that you approach your ICT strategy, then I think you are already a step ahead. And then, of course, for commercial organizations, ICT and digital presence and online services, it's part of your core business. It doesn't really matter which business you are in, it's so important. So, you have to consider at least these type of standards.
And then maybe from a more perspective, it's not only about you as an individual, it's not only about you as an organization, it's about us as a society, as a whole, the Internet as a global phenomenon is all I think.
So again go back to the report, all the details are there. But take some of the main takeaways from the conclusion. It's about safeguarding an organization's rep taking, it's protecting critical services, vital information, related infrastructure. The integrity and authenticity of online services can be improved by technologies like RPKI and implementing DNSSEC and I mentioned a couple of times this has to be part of your core business. Everything is online nowadays, it doesn't matter which line of business you are in.
Then we would argue please, decisionmakers, take this on board and include it in your strategic plans in order to promote trust in online services and also your own online presence.
These are the experts that contributed to the document, our gratitude goes out to them. Especially shout out to our chair, David Huberman from ICANN. He put a lot of time and effort in this, in herding cats, this group of people. Unfortunately he cannot here but I do want to mention his specifically and we are grateful for all the time and effort he put into this together with the other experts. And, of course, Wout as a Secretariat.
And I mentioned, you know, this could not have been possible without the financial support of both ICANN and the RIPE NCC.
Those are the websites of the IS3C itself, and then the working groups and working group 8 is there and you can find the report. This ends my summary. If there is anyone who has remarks, comments, questions, I am happy to make an effort to answer them. Thank you.
>> WOUT de NATRIS: Thank you, Bastiaan, and thank you, everybody who worked on this project, because we really had really excellent comments from all people, from all over the world, who worked to get this together.
You can find the document by scanning the QR code. And what I can add is that I have heard from both organizations that they are really, really happy with this outcome. And the RIPE NCC will actually share it as of today, now that it's officially released with all their members but also their colleagues, the RIRs, the Internet registries around the world. If that's the sort of impact our work has that means we are changing, perhaps, a little bit how people will have to convince their bosses do so. So let's hope that that will happen in the coming year.
Working group 8 will be closed this Wednesday officially because then we have our internal meeting. But also for me, David, also Bastiaan, thank you very much for getting this together. And it is very much appreciated by IS3C memberships. Thank you.
And a small applause for the work is certainly in place.
(Applause)
>> WOUT de NATRIS: Is there a question? Bastiaan there it is. It worked when we were at home.
So you take a look whether this is the right code because it is not working, they say, but it worked yesterday. (audio difficulty).
Change it so that the right code will come up. Sorry for that.
The next up is (audio difficulty) okay. I can't hear myself anymore for some reason. Oh, yes, that's it. Put you into something, then the sound disappears.
The next topic is on consumers. And what we have we have is that we try to get working group together in 2022 with (?) organizations, the finance did not work and then especially stepped away, so never really got off the ground. We talked to people at the IGF in Kyoto last year and that started to revive it and we hope to start some work on this topic of consumer protection in the next year and on the panel today we have two organizations, (?) organizations, (?) Council member of the communications regulatory our team the Republic of Lithuania and we have Steven Tan and he's Assistant Director of the cybersecurity agency of Singapore and he currently leads the safer Internet mobile ICT security team under the cybersecurity engineering centre and his work focuses on assessing cyber risk and Internet mobile (muffled audio).
They are both in line so hopefully we can see them on the screen soon. Welcome, Kristina and Steven. I think that first you have two minutes to introduce your organization and what exactly is that that it does. And (?) start so, Kristina, you go first.
>> KRISTINA MIKOLIUNIENE: Thank you. Hello everybody in the room. Me, I'm Kristina Mikoliuniene. I am Council member at RTT, Lithuaniaian communication regulatory authority. And we are a small country in the eastern part of Europe. Going forward our institution RTT started at the beginning as a pure technical organization. It was national radiofrequency agency many years ago and evolved to the big hub of regulation, starting from electronic communications when (?) sectors and going forward to the big bunch of digital services as electronic signature, as electronic stamp or safer Internet or hotline in general. So, me, I am over 20 years at this organization and in beginning I have worked with electronic in electronic communication field, more with technical and economical aspects, also with consumer disputes going forward to postal and railway issues, and currently as a Council member, I see strategic decision making across all these sectors, and working I am working deeply with digital services including safer Internet and measures to combat child sexual abuse online or filtering measures and mechanisms to protect minors.
So, shortly about me and my organization. Thank you.
>> WOUT de NATRIS: Thank you, Kristina. Steven.
>> STEVEN TAN: Hi there. Right. Firstly thanks for the introduction. Maybe a quick one. I think as we all know, right, online protections used to be very pretty straightforward you click a button and then you make a purchase, right, but services evolved and become interconnected things got more complex. And while this connectivity brings convenience also introduce a range of cyber risks that we can't ignore. Scammers and psychosocial criminals are constantly finding ways to exploit vulnerabilities. (?) and online scams yes become something none of us can ignore anymore, right. This makes digital trust more important than ever, it's about making people feel safe when they are online, when they are shopping, banking or just browsing the Internet. But digital trust isn't just about users being careful. It's about building secure systems that people can rely on without having to think twice, right.
So, in the cybersecurity agency of Singapore it's a national agency dedicated to protecting Singapore expire assistive technology. At CSA we are about co creating a safer cyberspace, work closely with the industry partners, raise public awareness and, of course, promote secure technology adoption.
But (?) we are also think that developers and service providers have a primary responsibility, right, they need to build security into their products, right from the start, ensuring that there is privacy, data protection and also security development process and nonnegotiable.
And importantly, on the flip side, we also realized that consumers also need to play a role. They should better demand for security from the products and services they use, this is where certifications, security labels and standards come into play and that's one of the core businesses that we have in CSA, by providing transparency and giving companies competitive edge when they prioritize security.
So, essentially that's what CSA does, right.
>> WOUT de NATRIS: (muffled audio) safe Internet for the country. I think you gave some excellent examples. In Lithuania, Kristina, how does your organization contribute to more secure and safer Internet for people living in Lithuania?
>> KRISTINA MIKOLIUNIENE: You know, so as a National Regulatory Authority, we are also helping and promoting Internet as such. So we do market analysis to enhance competition in the market. We do any proposals for giving the frequencies or numbering to resources to the market participants. But at the same time, we see them, how the Internet in general impacts end users, consumers, and that we have to see and help them to not be lost in the Internet space in general. So, first of all, thank you for helping for making Internet safer; IS3C, so it's really helpful to know to each other the possibilities in the market.
And, you know, Internet knows no borders. So, if one press person looks for some information online, the information can go from any countries abroad. So, it's really important for us to act together, I think.
And in Lithuania, we have the holistic approach. We being half of regulation, we can impact market participants beginning from the operators for market participants, so in the level of interconnection, then we can go forward to different problems occurring the numbering resources, that numbering resources wouldn't be used for fraud or any forbidden actions in general. And also we see that bullying or scam or child sexual abuse materials, they are also online, and we as a hotline, we do some not some, but many actions or not only also active, active clearing the Internet against children prohibited information.
We also have some requirements for fixing mobile networks. We also have, as I said, numbering resources. We acting as independent auditor for trust services or electronic identification services, that these services will not be not so secure in especially where the state is giving the security level, high security level for consumers.
We also (?) for consumer (?) resolution. It means you as a consumer end user, you can go to us if some operators acts not according the requirements that you are somehow not you feel not so safe or secure according your agreement.
And also we have very special attitude to minors. We have a special law already from 2011 and implemented in the level of state, the hotline. We also have international cooperation, we are part of in home (?) projects. We also have agreement with interpole to make Internet safer. So we are also trust in different platforms, as Google, YouTube, TikTok or Discord. We are also trying to raise awareness in different layers so the holistic approach and being a regulatory hub helps us to be or to try to be everywhere on time.
Because in Internet, every second matters, because if you push a button, the same time, the same second, it makes an impact to consumer or any or any Internet user or not always the very positive impact.
And, of course I think the priorities, very important knowing that Internet is so huge and interact in all different layers. It's very important to set the right priorities. For example, in the world, in the whole world, there are over 200 countries, but hotlines implemented on the state level are only 10, and only five of them are in European countries. So, and we are one of them.
So, actually, I am proud to be part of a system which makes Internet safer for anybody, especially for minors, which who do not have a possibility to be safer because they cannot protect themselves. Thank you.
>> WOUT de NATRIS: Thank you, Kristina. I think that I heard from your answer three topics of (muffled audio). One is that we have heard from Steven where there's responsibility of the end user themselves but we also heard about the industry and the role that industry plays and that includes international component that makes it extremely hard to actually do something as organization from one specific country.
But to look at the industry itself, to start with, because they are often the organization that puts put forward solution towards more security like we heard from ASEAN at Internet standards and deployment. That there are some something (?) that IS3C, ICT industry could have is it something that you ever thought about (muffled audio) where security of the Internet is concerned and, for example, with the deployment of security related Internet standards that would make every end user far more safer than currently it is? Is that something that you discussed among yourself? And let me start with you first, Steven.
>> STEVEN TAN: I think firstly that the short answer would be absolutely, right. Why so? I think firstly, the (?) can push ICT providers to adopt stronger security measures. When regulatory framework set minimum security expectations, providers out there, developers out there have no choice but to comply. This helps make security a standard practice and not just a competitive edge. In Singapore we have ruled out initiative like the Internet hygiene (?) and publicly recognizing those through Internet hygiene rating.
Similarly in Singapore we have also launched our safer standard as far as a cybersecurity living scheme for IoT products as well. This shows how expectations can offer developers and providers some face be recognition and drive compliance and even giving business a business niche or market advantage, right.
This balance of our regulation and industry recognition is important. It helps motivate companies to go beyond the bare minimum, right. We understand that many times regulation isn't just everything. It works best when you pair it with incentives like certifications, security labels, or even industry recognition itself, right. This creates clear differentiation and give businesses the competitive edge encouraging they themselves do not only meet, but exceed minimum security requirements and what we really intend to do is that we hope this actually motivates continuous improvements and, of course, (?) in cybersecurity for the various enterprises and business out there, right.
So, when we are looking at the duty to care, we thought it is important that some rules will be useful but it should be a good mix between regulations as well as incentives, right, to actually help to march in the industry to move on forward.
>> WOUT de NATRIS: Creating a level playing field as I also understand from your words. I think that is a very encouraging answer that you gave, that it's not just about regulation and the hard side of the law, but that the sort side of the law is just as important.
How is that in Lithuania, Kristina?
>> KRISTINA MIKOLIUNIENE: As I mentioned before, yes, we have rules. We have in each level of Internet interaction in the field of interaction, we have some particular part, some amount of rules. But I totally agree with Steven, that is not rules are not everything. Rules are only too many rules brings market participants to the insecurity feelings, and they do not want to invest, especially in the levels in the areas where investments are not so profitable. So, actually, as a representer of regulator, I would suggest to be on the good balance between regulation and between motivation, maybe some if you want to have some requirements for market participants, you have to give the regulatory quality or something like that, not to not convince very strictly in every point where you need to have more security, Internet security. Because, you know, at the end of the day, everything costs money. And if you will require, only require all the investments will will be paid by the consumers. And are consumers ready for it? Are consumers ready to pay for every security implementation on the market? I'm not I am not so sure.
So, I think that broad balance is the best idea.
>> WOUT de NATRIS: Thank you. You were also talking about the internal component, in what way could citizens of your countries profit from international cooperation that would ensure a secure a more secure and safer Internet? Steven
>> STEVEN TAN: I think when it comes down to international cooperation, right, we must firstly understand that global cooperation would potentially or, you know, be seen as intelligence, common security standards and, of course, faster responses to incidents, you know, at times we do understand that that's not why it's really happening. But if we were to do it carefully, intricately, this is actually what we foresee, governments play a crucial role by sharing cyber track information, coordinating responses, and even collaborating on joint initiatives, right. This transparency would help to build collective resilience and ensure that no country is left vulnerable due to isolated cybersecurity efforts, right.
So in CSA, some of the things that we have done is we have built strong partnership with key industrial players, Microsoft, Google, APNIC and even in the Internet Society, right. This collaborations coupled with government led information sharing efforts would enhance our cybersecurity comparabilities through joint Intel sharing, training and even research initiatives. Such collaborations would also allow us to enhance our cybersecurity capabilities, for example, by working together on securing IoT devices will be be able to align on common security baselines, ensuring that consumes will have access to safer products. These partnerships will also help address cross border cyber tracks more effectively, making it harder for attackers, even scammers to exploit gaps between different regions.
In the long run, having international cooperation would mean better protection, enhance trust, and more resilient digital services for everyone. We identify and even we not dead, right. Cross boards have (?). International partnerships building countries to countries even between from government to the industry will create a united front, making it harder for attackers to exploit gaps between different regions and at the end of it, I really hope that, you know, true international cooperation, this will actually help to enhance the protection and at some point in time we will actually gain back the digital trust for everybody. Over to you, Kristina.
>> WOUT de NATRIS: In terms of comments on making the world secure and safer, Kristina, what is your thought about the international cooperation and if that will make solutions more secure and safe.
>> KRISTINA MIKOLIUNIENE: Yeah. So, Internet, as I mentioned before, Internet has no borders so it's very important to be part of big family. So, we almost everybody knows that sometimes synergy affect the one gives not one plus one equal two, but one plus one equal three or even four.
So, I think this is the result of international cooperation, and this is the reason why we are part of Aronic or home projects which are going global to make our children and in general consumers safer on Internet.
And, you know, we have even the pro verb that the fool learns from their own mistakes, but the wise person learns from other mistakes. So, I think it's very good sign to learn from other mistakes and not repeat the same mistakes in every country because of separately views or attitudes to the same issues.
And it's, I think so, you know, every time we do the market analysis, we search for experience in other countries. And collecting the experience from other countries, we do the obligations, which suits for Lithuania, for small country in eastern European part, but still are valid in the whole all around the globe. And I think the Internet being such international thing, must be treated also internationally, because if we agree on values we share, we do the best in terms of all of us. So, I think we have to cooperate and work together in order to have a best results. And then everybody will win from it.
>> WOUT de NATRIS: Thank you, Kristina. You are totally right, that in the end of challenge is for everybody in every country, every organization, the Internet are about the same because the threat has gone from the same sources most likely.
As IS3C we hope that we can start working on this to create some sort of a blueprint on this topic, whatever you would like to call it, so that the same sort of information goes out to the alliance organization. Take the first step to try and get this international cooperation going. What would be your advice as to
>> STEVEN TAN: When it comes down to the getting the international cooperation, I think it can start and begin by forming multilateral working groups such as those that we are seeing turning in IS3C. But it will be always a good mix if we could actually involve the government, industry leaders and standard setting bodies at times, right, and last but not least, consumer groups as well to actually coming together, to collaborate on global frameworks for the Internet and application security, ensuring that solutions would work across borders while reducing fragmentation in cybersecurity (?)
The last thing we really want to do is when we each country coming up with different cybersecurity practices and in the end, we get the various fragmentation and bulkization is something that we are trying to avoid and this is something that I believe, right, as part of our IS3C is something we really want everybody to have a common Internet working together.
And a step would be to establish regional forms at international workshops where experts can discuss security challenges by mitigating cross border cybercrime, such events would make roadmaps and foster balance that will offer long time improvements.
I also feel as government we will also take the lead in (?) to trusted global networks. Transfer communication in realtime data sharing would enable faster and more coordinated responses emerging trends, strengthening collective defenses against global cyberattacks.
And last but not least, I think it's important that we could advance capacity building initiatives, I think just now when Janice was actually bringing up about the hotline, I didn't previous heard about it before. I mean, through this platform, I actually I have very excited itself to have experts from all around the place to work together. Hopefully we could share best practices and support technology transfers and perhaps even for our nationswise we have to uplift each other cybersecurity and sharing that no country or region is left behind in the fight for a safer Internet.
>> WOUT de NATRIS: I couldn't have said that better myself. Thank you, Steven.
Kristina, what are your thoughts about the internal cooperation and what would be the first good step started.
>> KRISTINA MIKOLIUNIENE: Was this a question for me?
>> WOUT de NATRIS: It's a question for you, Kristina.
>> KRISTINA MIKOLIUNIENE: Yeah, sorry because it's very difficult to hear you.
Yeah, so from my point of view, it's very important to clear the problem first of all. Because Internet has so many different layers, and in every layer there are some different problems. So, first of all, I think it's necessary to find the quite narrow description of the problem you would like to solve. And then it's important to have to find the active people, because active people, the right people that are of critical importance.
The third thing, I think, is to have necessary tool for it, as Internet.NL and similar. To really to convince your partners that you have something which is really suitable for them.
Going forward, the voluntary participation, as we do in arachnid or Interpol programmes are very important also, and as a good example, because example motivates, I think it's IE convention started to sign in (?) this year and on 5th of September, which is there was the point where every country in the world agrees. And now the creator of that convention, they started to find the people who are agreeing on that convention and now they are trying to find the signing parties. So, I think it's like some similar, like, lobbying, lobbying activities, yes, then you have a problem, you have the people around you. You can convince regulators to implement some obligations necessary, some part of obligations. You have convinced maybe some market participants to be more active and more social responsible in the Internet. Maybe there are some end users where awareness, raising awareness could help to act more safe, in more safe way on Internet.
So, I think all the related parties must be implemented in that work because, as I said before, you are encompassing the whole world. So, thank you for doing this.
>> WOUT de NATRIS: Thank you, Kristina.
I think that we have heard from the panel that we have quite some challenges. But also a lot of opportunities. And I suggest that we when the meeting starts, see if we can organize the first event to get this going. So, I will be in contact with you in the coming year. For now, thank you very much for participating and for a very clear and concise answers because we have heard very good answers this this panel so thank you, Steven, and thank you, Kristina.
>> KRISTINA MIKOLIUNIENE: Thank you for inviting me.
>> STEVEN TAN: Thank you for the invite.
>> WOUT de NATRIS: You're very welcome. And next I'm very happy to say that IS3C has received a new assignment, we are going to start a new work early next year and I have the chairs of Working Group 1 on the project of Working Group 1 with me and online of working group 9, emerging technologies. Working Group 1 has produced a report last year on IFC security by design led by (?) and (muffled audio) five minutes to Nicolas to say what exactly was the current affairs where we are going to, then I ask Elif to tell about the (?)
>> NICOLAS FIUMARELLI: I'm Nicolas Fiumarelli chair of working group 1 on IoT security design. It is a pleasure to be here and discussing how we can empower the consumers on different topics we have raised. In 2022 we conducted a comprehensive analysis of (?) security regulatory documents and different policies around 18 different countries and regions. We identify 442 different best practices, data privacy, use and empowerment and operational resilience. 442 best practices. So, so far many nations particularly in the lower south, right, they lack about enforceable IoT security policies even where the frameworks exist because they are several of them. They are often voluntary or fragmented ones and the global adoption of the security by design, ICTs is hindered by this inconsistent standards, right. One of the most promising solutions in implementing cybersecurity and labeling scams, labeling schemes in Singapore, Finland, labeling empowers consumers by providing clear information and about products, security features. So, this drives manufacturers to prioritize, right, on the security.
But these systems require robust independent testing mechanisms and so on, so global standardization and ensure effectiveness is difficult.
So, on the other hand, consumer empowerment must be complemented by strong regulatory frameworks. For example we have the new ones about the UK private security and so on, NIST standards on the 8425, 2024, and the AU cyber resilience act, different ones, right.
But on our research report, we recommend establishing this clear frameworks promoting interoperational global standards and so on, and well, the Working Group 1 remains committed to advancing our IoT security through education, research, and different advocacy mechanisms, as we recommend in our research, but looking into the future, we will continue with this research, we will continue with different approach now because we will file that there are other factors that are important and so my colleague will tell us more about the 2025 action plan for our working group and beyond and, well, I invite you all as well to show our efforts, whether implemented this recommendations we had at the report and also contributing to engaging on our ongoing research and repository of the best practices I mentioned we have 442, so looking for more examples from the global world. Also to advocate for this stronger policy right in your own regions. So together we can ensure that the IoT devices and in the more extended way ICT not only connect us, but also protect us. Right?
So, I am giving the word to Shah to explain more about the next year plans.
>> Thank you, Nicolas. I think that the message here is that. I think it was 22 or 22 constituencies in the world that were studied in 22 constituencies we had 442 different best practices or advices or whatever you want to call them and that's you know workable for industry. I'm think I'm going to let inaudible go and then jawl. We started a working group on emerging technologies. And we talked to a lot of organizations and finally once we met in Kyoto decided to work with us and that project is going to start soon, the contract is signed. And Elif, please explain from your side, from the what exactly what it is that we are going to study and report on and how then jawl will explain how that interconnects with IoT. Elif, the floor is yours.
>> ELIF KIESOW CORTEZ: Thank you very much, Wout. We are, of course, very happy to announce this new project of IS3C with AFNIC from France and this project will be delivered as a collaboration between Working Group 1 and Working Group 9. Our research will have two different areas focused, one dedicated to the societal impacts of IoT and the second one on the post quantum cryptography. We will be providing a brief combined analysis of these domains and our project will have multidimensional analysis looking at societal, legal, economic and environmental impacts and we will be also including policy recommendations, both at the state level and at the organization level. So, we have a big task for us, for this project.
And in the next IGF in 2025, we will be also facilitating stakeholder engagement on these issues through a common workshop that will encourage dialogue on societal implications as well as the future directions.
The project will be finalized with a combined report both on IoT security and on (?), also exploring cross cutting teams like digital transformation and future proofing against emerging threats. That was also the focus of our Working Group 9.
We will be also making sure to refer to international cooperation and economic competitiveness aspects within the broader context of global cybersecurity efforts and we think that these are extremely relevant and important topics today. So, we are also happy to hear from you if you would like to collaborate with us in the future in any of these domains. And I think I can give the floor to Joel.
>> WOUT de NATRIS: Thank you, Elif.
>> Hello, everybody, I am here to represent the working group that will develop the part regarding to IoT. So, when we were discussing about this project and sketching it, what we see is that people understand that there is a security problem with IoT. And what we wanted to know about after realizing it, is, well, okay, if someone gets hacked, if the the current security status of IoT is kept, what are the security implications of it. And what are the social implications? Because we are developing a world based on the security levels that we see and we want to see further and think of what will happen and why and what we need to change to make the society safer in regarding to IoT.
So, we want to see this societal face of the work of making IoT safer.
>> WOUT de NATRIS: Thank you, Joel. And I think that shows how the two topics also intersect with each other, beca when the quantum computer is there, then all IoT devices will have an instant security problem that's even bigger than it is today. That is where we are going to try to come up with not immediate solutions, but at least with an occasion of where we are at this point in time and what the consequences will be. And from there, hopefully build that into some sort of a capacity building programme which have been discussed with APNIC already about how to move forward after the IGF in 2025.
What it shows is that IS3C is building and we are delivering, as you see at this moment all the reports we promise to deliver are there, you can find in our website.
Is it possible already, Selby, to show the QR code? The gentleman in the back, can we show the correct QR code, please? Thank you.
To wrap this session up, because we are about to end, but if there are any questions first and are there any online questions. That is something that I cannot see from the stage. Are there any questions?
No? We don't have any? So, I will wrap the session up and let you go to the next sessions.
To talk about IS3C again, the Internet standards and safety coalition, the Dynamic Coalition within the IGF structure, we are now in existence for four IGF cycles. We started at the virtual IGF in 2020 with our an overall meeting. We can look back at being a Dynamic Coalition that started by making promises. We painted a picture of where we wanted to be about two years' time. And we decided on three topics to start with.
The first was IoT security by design. The second was education and skills. And the third is procurement. And that's the only one you haven't heard about. Well, that was also a report we published that showed that most governments in the world do not procure their ICT secure by design. They have no policy for it.
But in 2021 we were able to present solid plans on these three topics. With them came the first funding in 2022, and the first research and then our first reports.
From there, we grew and more topics came aboard. The fact we have seen a new one presented just now.
But it's also proven to be a struggle to find funding to attract attention to be recognized within the IGF system and this all still has not been solved satisfactorily. But this has led to ideas on how to organize ourselves in a different way. And that is what we are seriously studying at this moment.
We are looking at two options simultaneously. The leadership team that is Mark Carvell who is sitting next to me who is rapporteur of this session who is our senior Policy Advisor and our working group chairs, we have decided to try and become to apply or to apply to become an Internet Society special interest group. This will allow IC3C to reach out beyond the IGF but also to bring funding of projects closer.
This does not mean that we will not remain Dynamic Coalition because we will. Only that we are spreading our wings. There's also logical. If we manage to set the next step and that is what we strive to do to move from theory to practice to come up with a recommendation to turn them into capacity building programmes or workshops or whatever we call them, we move ourselves out of the IGF system, because that is not what the IGF is for. The IGF doesn't do capacity building programmes or workshops. And we do strive to do that. So that there will be some form of harmonization around the world on specific topics so that organizations start thinking the same about, for example, procurements and the Internet standards that you can procure on.
So, IS3C will and is striving to become more mature but it also means that it has to organize itself differently. So, what we are also studying and that's the second topic, do we establish ourselves as a non for profit foundation. And that is something that people are investigating at this moment and we get the first report on on our close DC session on Wednesday.
The benefits would be, of course, that we were allowed to have members who can pay a membership fee or allowed to accept donations. And from there, be funded if a more structural way, hopefully, so that our plans will go through.
Well, these are our plans. I don't know if anybody has experience with this sort of topics. Then please talk to us after this session.
On Tuesday, at 12:30, we will be showing a video again at the Dynamic Coalition booth. So you are invited to join the session, if you are interested to join the hub, let us know and then we will send you the invite on the first meeting that I will be organizing with Janice Richardson in January.
For now, I want to thank you, the presenters, all the people online, Elif, Steven, Janice and Kristina, Mark for reporting. For the people in the back, for the technique, thank you very much. And described somewhere in the world, probably thank you very much. And thank you for joining. And I hope you had a good session, which you learned some new topics. And if you are interested in IS3C, please join us and just talk to us during the week.
And Nico has a final comment. Nico.
>> NICO: just to invite everyone also to our session on Thursday from 11:15 to 12:15, will be our main session, joint session with the Dynamic Coalition on the IoT with our Dynamic Coalition, so you are also invited to that session.
>> WOUT de NATRIS: For reminding me, Nico. Thank you very much. Thank you. And have a very good IGF and we will see you soon probably.