Procurement and Supply Chain Management and the Business Case

By Liz Orembo and Mallory Knodel (email authors)

This draft report aims to document existing policy requirements for public sector procurement contracts and supply chain management of digital technologies and asks whether security-related technical standards are mentioned. It highlights emerging best practice and gaps in an effort to provide high-level guidance at the global level on how procurement plays a role in improving the security and safety of the global internet for all. We close with discussion and suggestions for future work. The document’s current status is open to feedback.

Background: Global governance

Internet and ICT security is an issue that is high on the agenda of governments, industry and individuals alike. Many networked products and services are increasingly vulnerable to security threats and the spread of online harms and criminal misuse. A massive cybersecurity industry sells products, services and insurance to governments and the private sector to mitigate cybersecurity incidents. However, prevention and the reduction of overall risk can be achieved if relevant security-related standards and best practices are more effectively adopted and deployed worldwide.

 

Global internet governance provides an opportunity to shift normative practice in cybersecurity. Governments, the private sector, civil society, the technical community and academia tackle contemporary issues through open and inclusive processes. Since 2006 the Internet Governance Forum (IGF) provides a non-binding, multi-stakeholder space for policy dialogue on internet governance issues under the auspices of the United Nations. One such process of the IGF is that of the Dynamic Coalition (DC). DCs are long-term intersessional groups dedicated to an internet governance issue or set of issues.

 

The IGF Dynamic Coalition on Internet Standards, Security and Safety (IS3C) brings together key stakeholders with the shared goal of making online activity more secure and safer. The current work of the IS3C focuses on three areas in order to achieve this goal: Security by design; Education and skills; and Procurement and business models. These areas of work set a foundation for the IS3C joint work that aims to consider both demand and supply factors in order to propose the best options, deployed as key standards. Standards, in this case, are essentially policy recommendations for decision makers to take forward.

 

The third working group of the IS3C (WG3) envisions the development of policy recommendations such as on the procurement of digital technologies. Ensuring procurement best practice takes into account internet security and safety requirements, and that this is included in procurement training, in particular in developing countries.

 

To that end this worldwide survey of procurement guidance amplifies existing work and processes. The report begins with an introduction, providing background information, research objectives, and an overview of the methodology. The methods section follows, detailing the approach, tools, and techniques used in the study. The findings section presents the results and outcomes, including data analysis and relevant visual representations. The conclusions and future work section summarises the key findings, discusses their implications, and suggests potential areas for further research. The acknowledgements section acknowledges individuals or organisations that contributed to the study. Finally, the annex provides supplementary information, such as raw data, additional figures, or detailed calculations.

Terminology: Procurement contracts and supply chain management

In the context of internet technologies, we are concerned with the procurement, supply chain management and security standards therein.

 

Procurement, in the context of digital technologies, refers to the process of acquiring goods, services, or solutions from external sources to meet the needs and requirements of an organisation. It involves activities such as identifying suppliers, negotiating contracts, and managing the purchase and delivery of digital technologies. Effective procurement strategies ensure that organisations obtain high-quality products or services at competitive prices, within specified timelines, and with favourable terms and conditions. By adopting efficient procurement practices, organisations can optimise their resource allocation and enhance their operational capabilities in the digital domain.

 

Supply chain management plays a crucial role in the procurement of digital technologies. It encompasses the coordination and integration of various activities involved in sourcing, procurement, production, and distribution of goods or services. In the context of digital technologies, supply chain management focuses on ensuring a seamless flow of products, information, and resources across the supply chain network. It involves managing relationships with suppliers, monitoring inventory levels, mitigating risks, and optimising logistics and transportation. Effective supply chain management in digital technology procurement can result in improved efficiency, reduced costs, enhanced customer satisfaction, and greater agility in responding to market demands.

 

Security standards are critical in the procurement of digital technologies due to the increasing importance of protecting sensitive information, systems, and networks from cyber threats. Security standards provide guidelines, best practices, and frameworks that organisations should adhere to when procuring and implementing digital technologies. These standards ensure that the procured technologies meet specified security requirements, protect against vulnerabilities, and safeguard critical assets. Compliance with security standards helps organisations mitigate risks, prevent data breaches, and maintain the integrity, confidentiality, and availability of their digital infrastructure.

Methods: Global survey of procurement guidance

With this framing and these definitions in mind, we seek to find a connection on the influence of procurement on the security of the internet as a public infrastructure. 

 

The aim of this research is to document what has been done by others and identify actionable areas for developing guidance and future research. First, we conducted basic desk research to answer “What has been done by others on procurement and supply chain management guidance”? Then, we developed a decision matrix to narrow in on global institutions within the UN IGF’s sphere of influence and impact to choose which cases to include in our research. We then collected and documented existing procurement and supply chain policies of those institutions. An outreach exercise to request for government and regional bodies procurement documents reached more than 2000 industry players, and governments. We received relevant documents from the IS3C working group members and the IGF community at large, and where required, we conducted interviews to get more insights into some of the documents.

 

For each document we reviewed, we asked the following research questions:

1. What has been published on procurement and cybersecurity standards already? 
2. Are there any companies that publish their procurement and supply chain policies?
3. What procurement policy/documents focus on internet and digital comms?

 

When searching for new primary sources, we ask, “What are the multilateral fora that publish best practice related to supply chain and procurement?” We sifted the data on existing and previous initiatives to identify a) common elements of best practice; b) shared problems barriers; and c) global north and Global South applicability. We also identify gaps for future research needed to inform sound policy guidance in the second phase, or potentially in place of it.

Findings: Security standards in technology procurement policies

Technology standards are a set of specifications and processes that are developed to achieve purposes such as interoperability, better coordination and cybersecurity. Open standards have existed to serve public interests: such as to protect internet infrastructure and organisations through no cost, or low cost implementation, provide better security safeguards for users and  promote wider coordination in maintaining cyber resilience. The “open” in open security standards means that the process of developing these standards are open for participation by any stakeholder and that the standards are freely published for everyone to access.

 

Much of the evolution of the internet has been based on layered, open technology standards, with the vision of the internet being open for end innovation by any players across the globe. While the early developments of the internet did not put much, if any, emphasis on security. As Vint Cerf explains:

 

“Four decades ago, when Bob Kahn and I were creating the TCP/IP networking protocol for the internet, we did not know that we were laying the tracks for what would become the digital superhighway that powers everything in society from modern business to interpersonal relationships”^].

 

This has changed. The threats posed by attacks on and abuse of the internet and ICTs over the last two decades have underscored the need to develop cybersecurity standards to promote and maintain an internet architecture that is secure for everyone to use by design. A wide array of standards development organisations (SDOs) cover technical cybersecurity include the Institute of Electrical and Electronics Engineers (IEEE), US National Institute of Standards and Technology, Open Worldwide Application Security Project (OWASP), and the Internet Engineering Task Force (IETF). Policy standards are developed by regional bodies such as the European Union and African Union, and through international cooperation: countries coming together to develop and harmonise laws to facilitate coordination of cybersecurity measures across borders.

 

Successful standards are measured by how wide they are used across geographies and industries. In this study, we ask how national governments and regional bodies use open cybersecurity standards through the analysis of public procurement policy documents.

 

We find policy documents regarding cybersecurity and procurement to be concentrated in the Global North. This does not mean that these regions do have cybersecurity policies that apply in procuring goods, but it could mean that these documents are either not online or not searchable by the search engines. But more noteworthy, it could also mean that not much work has been done to enhance cybersecurity during procurement of goods and services. Although direct use and reference to the international cybersecurity standards are missing in most of the documents we analysed, these documents, as national or regional guidelines, provide some sort of standardisation. For example requiring that service providers should follow standards in the EU’s Global Data Protection Regulation and International Organization for Standardization standards. 

 

Mapping cybersecurity standards to identify areas that have been less covered is a futile exercise because of its wide scope. Every industry will have its own standards and therefore it is hard to exhaust the list of all standards. In this literature review, we instead analyse the security standards elements in procurement documents to uncover how public bodies have relied on the existence of open standards to enhance cybersecurity in the procurement of ICT products. To map out the trends and areas of focus, we organise the literature according to the US’s National Institute of Standards and Technology’s (US NIST) five core cybersecurity functions: Identify, Protect, Detect, Respond and Recover. This framework builds an actionable and robust cybersecurity legal and technical model for organisations and businesses and US NIST standards are the most widely adopted cybersecurity standards. Fifty-eight percent of respondents in a 2018 study conducted by HIMSS (2018), adopted the US NIST framework for their own cybersecurity policy and standards. The US NIST standards provide a holistic framework of cybersecurity resilience, including technical, administrative and government related standardisation. This helps us map out the trends on cybersecurity standardisations across these functions of cybersecurity resilience.

1. Identify 

Under the US NIST framework, the ‘identify’ function is the first action that lays the groundwork for the other core functions. It entails developing an understanding of the organisation and its cybersecurity resilience and maturity, as well as understanding how the cybersecurity risks relate and would affect core functions of the organisation. Activities in this stage include assessments of assets, governance frameworks, and people’s understanding of cybersecurity within the organisation. In principle, all awareness raising documents fall in this category, but perhaps a leading example of awareness raising of cybersecurity standards is the US NIST (2018) document mapping IoT security standards among the US public and public agencies, highlighting their status of implementation. It not only promotes the use of already established standards, but also encourages government agencies to participate in international standards development bodies based on their missions and cite the appropriate standards in their procurement. At a national level, the guidance directs government agencies to work with industry to support the development of appropriate conformity schemes to the requirements in such standards. 

 

Another example is the UK government publication, that is meant to guide organisations through the identify process, help them understand what needs to be protected and why, know their suppliers, understand security risks posed by their supply chain, communicate their view of security needs, raise awareness, provide support for security incidents, and build assurance activities into management approach, encourage continuous improvement, and build trust with suppliers (UK Government, 2018). 

 

Regionally, while documenting good practices for cybersecurity in procurement, European Union Agency for Cybersecurity (ENISA) provides a good example on using open standards in mapping of ICT procurement in healthcare. In this document, ENISA has recommended the ISO 2700 family for security protocols that include; clinical information systems, remote care systems, and identification systems. Other standards included in the document as best practice are the OWASP, and global policy frameworks such as the GDPR, and European National Cybersecurity policy frameworks.

 

Many procurement and cybersecurity awareness guidance documents have also encouraged periodical and wholesome assessments of systems. For example, the guidelines for the Kingdom of the Netherlands (2022) advise that in procurement, the supplier should allow the client to be able to make their own independent security audit  and penetration testing.

 

On the supply chain management, the identify functions entails identifying risks from suppliers and their products, including third party suppliers, through periodical evaluation. A good example here is a guide by the New Zealand government which aims to help businesses leaders and cybersecurity professionals to identify supply chain entities and supplier management processes, assess the cyber threat landscape and determine which suppliers are most critical to establish effective processes for managing supply chain risk. (New Zealand Government, n.d.)

2. Protect

The ‘protect’ function involves setting measures to limit or contain potential cybersecurity risks. Functions under this category may include organisation and country policy development, training and awareness raising, putting measures for protecting data, and maintenance. 

 

Various government documents on chain management have called for an enabling policy environment so that organisations are able to protect themselves and respond to attacks. For example, requiring suppliers from foreign countries to adhere to regulations such as the Budapest Convention, facilitates coordination at a regional level. The Taiwanese Government Procurement Act (2019) requires that the procurement of ICT products and services from foreign entities and their implementation should follow international treaties that Taiwan is party to, and creates avenues for coordination between government agencies when it comes to procurement concerning national security. For example, it provides for consultation with relevant government agencies when procurement touches on matters of national security. This presents an opportunity for open standards bodies to integrate these international standards into their work, and encourage countries and regions to harmonise policies to facilitate such coordination in protecting systems. Of course the downside of such large scale regional standardisation would mean that cybersecurity threats would also be large scale. 

 

The government of Netherlands guidance on trustworthiness of consumers requires that suppliers should follow the principle of security by design. It also proposes that the supplier is obliged to provide maintenance updates. For the Czech Republic, the concept of security by design will be embedded in the whole public procurement process. In line with its national public procurement act, the National Cybersecurity act which comes into force in 2024 will allow clients to terminate contracts of suppliers whose services are not in line with the cybersecurity act. And to minimise loss from the suppliers, the procuring, in their request for services, are required to set out service specification requirements in line with the cybersecurity act (email response from a member of IS3C Working Group, 2023).

 

Both worth noting and recommendable, is countries directly adopting standards from other well established nations. For example, Poland adopted the US NIST standards to develop its own (Republic of Poland, n.d). This provides policy coherence, especially where there are trade functions between countries. The downside however, the countries may miss out on prioritising policy harmonisation with their neighbouring countries and trade blocks, which are also crucial for coordinated protection and response.

3. Detect

The ‘detect’ function defines activities that would enable organisations to detect cybersecurity attacks as soon as they occur. It may involve setting up continuous monitoring mechanisms that detect anomalies in the systems.

 

The supply chain documents we came across called for continuous monitoring of systems to detect cybersecurity threats in time, but also went further to call for continuous relationship between clients and their service providers to ensure vulnerabilities detected by the suppliers are communicated as soon as they occur. The guidance by the Australian government (2023) puts emphasis on risk management activities to be conducted during the earliest possible stage of procurement to manage jurisdictional, governance, privacy and security risks. The Kingdom of Netherlands advises that apart from providing the clients with maintenance updates, suppliers should also be willing to report on the vulnerability of their solutions at the time of provision and those that emerge in the future.

4. Respond

The ‘respond’ function contains activities put in place to contain cybersecurity incidents. This includes both long term and short term measures to control the spread of cybersecurity attacks. It may also involve setting up crisis communication mechanisms, frameworks/channels for coordination and analysis to draw lessons learnt for better response in future. 

 

The respond function actually employs the standards already in place to contain cyberthreats. For example, building collaborative networks for coordination, and information sharing could help mitigate cyberthreats. The Trusted Automated Exchange of Indicator Information (TAXII) defines protocols for services and message exchange that “enable sharing of actionable cyber threat information across organisation and product/service boundaries.” (OASIS Open, 2016)

5. Recover

The ‘recover’ function not only contains a set of activities that restores the organisation to how it was, but also sets up activities to implement actions from the lessons learnt. It therefore might include setting up measures that were not there before to prevent a repeat cyber threat, and these might be the same measures set in the aforementioned cybersecurity functions. For example, if there were security gaps before the incident, or if the security protocols in place were interfered with, the recover function gives guidelines to restore them back in place. Because it mainly relies on the ability of organisations to learn from incidents, standards on information exchange would be helpful here.

 

Conclusions: Best practice and gaps

At the very best level of standards harmonisation is the use of regionally developed policies to procurement policies and guidelines. The GDPR in the European Union, for example, has provided opportunities for common understanding and harmonisation with regards to the security of information systems. The GDPR recognises that there are risks in data processing, and therefore obliges data processors to put in place state of the art kind of protection. As such, putting in place standards such as the ISO 27000 series standards does not necessarily mean full compliance to the GDPR though in practice, these standards are considered as ‘state of the art’ measures of protection in data processing and management. 

 

The approach of the Dutch Ministry of the Interior and Kingdom Relations towards all levels of government is close to mandatory on the topic of standards deployment. The ‘Pas-Toe-Leg-Uit Lijst’ (comply-or-explain list) of the Forum Standardisation is a document containing 43 open standards that all governments in the Netherlands have to demand when procuring ICTs, unless there is a very good reason not to do so. The comply-or-explain list was created with a few criteria in mind. The basis for this selection is the criterion of interoperability. With interoperability comes an interdependency where security is concerned, in the sense that the use of an insecure standard affects all concerned and the deployment of the latest standards secures all simultaneously. Often there is no first mover advantage for industry. The government can stimulate deployment by demand. Under this Forum, the Platform Internet Standards operates. By way of the tool used to track standards adoption internet.nl, raising awareness of the deployment of certain internet standards for all organisations allows the general public to test the deployed level of security of an organisation based on three indicators: website, email and connection. When a website is analysed with the tool, it automatically tests whether the website has deployed the following standards: DNSSEC, TLS, SPF, DMARC, DKIM, HTTPS, StartTLS, and IPv6. The Internet.nl software is open source and available for all countries to adopt. Currently, as far as known, the software has been adopted in Australia, Brazil, Denmark and Singapore.

Future work: High level guidance

From this exercise, we note the following trends in procurement and cybersecurity, though it is important to note that these cannot be the generalisations of all public procurement trends because not enough documents have been analysed, which is in itself an area for future work.

 

1. There are many awareness documents targeting businesses, organisations and government agencies, however, none of these guidelines make use of open cybersecurity standards as points of reference.
2. A number of government procurement regulations in relation to cybersecurity procurement e.g. Finland and Taiwan point to the compliance of international treaties. This demonstrates an opportunity for the role of international institutions like the IGF to provide guidance on technical and policy standards.
3. Many government ministries do not have a standalone document addressing cybersecurity standards in the procurement of ICT and electronic services. At best, they have procurement of cybersecurity products.
4. General public procurement regulations do not give provisions of guidelines to ensure cybersecurity safeguards, which is fine, but they also don't give directions for the development of frameworks to enhance cybersecurity in the procurement of ICT goods and services.
5. In general, procurement documents touching on cybersecurity standards focus on reducing disruptions. For example, they address interoperability and the ability of internal handlers to continue to be familiar with the systems for maintenance and to be able to tackle unforeseen challenges. These are mostly addressed in the requirements for proper documentation before and after service provision.
6. There seems to be little coordination among industry and public agencies in how these standards are applied, mostly because of lack of awareness by these agencies and lack of coordination among the standards setting bodies themselves.

 

Specific use of open standards is conspicuously missing in the procurement documents we analysed. Based on this work we see the need for a fit for purpose suite of materials aimed at decision makers. These might include guidelines, checklists, or other educational toolkits. For future policy recommendations it is critical to identify to whom recommendations will be made: government procurement agencies, trade and industry bodies, tech sector, standards body liaisons, and others.

 

As much as there are already existing standards to promote security in cyberspace, there could be a lack of understanding and cooperation between regional and national bodies with regards to the wider aims of promoting cybersecurity on the internet. Next steps should therefore look at developing a best practice toolkit that guides organisations on how to use open international cybersecurity standards, not only for their own cybersecurity resilience, but also for better coordination in efforts to promote a secure cyberspace for all. The toolkit will look at how procurement bodies can integrate international cybersecurity standards with national cybersecurity strategies, regional policies, as well as developing national standards for cybersecurity considering the different cybersecurity priorities for different countries and regions.

Acknowledgements

The authors would like to offer many thanks to the DC IC3C members who provided feedback on the very early concept of this working group. Thank you to Selby Abraham for communications support and the design and layout of this report. Special thanks to the DC IC3C coordinator Wout de Natris and senior policy advisor Mark Carvell. We also thank the community members for providing support in locating resources relevant to this research and their expertise. For this, we specifically thank Titti Cassa, Karolína Menšíková, and Timothy Asiedu. This research was supported by RIPE NCC Community Projects Fund 2022. We welcome participation from a wide range of geographies and stakeholder groups on future work.

Annex: Bibliography of policy documents

African Union. (2016). National Procurement Manual. African Union. Retrieved May 12, 2023, from https://au.int/sites/default/files/documents/36320-doc-african_union_procurement_manual_v._2.0_-_2016-1.pdf 

Australian Government. (2023, March 2). Guidelines for Procurement and Outsourcing | Cyber.gov.au. Australian Cyber Security Centre. Retrieved May 19, 2023, from https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-procurement-and-outsourcing 

ENISA. (2020). PROCUREMENT GUIDELINES FOR CYBERSECURITY IN HOSPITALS. European Commission. Retrieved May 19, 2023, from https://ec.europa.eu/futurium/en/system/files/ged/procurement_guidelines_for_cybersecurity_in_hospitals.pdf 

Government of India. (2019). Public Procurement (prefference to make in India) for Cybersecurity Products. https://www.meity.gov.in/. https://www.meity.gov.in/writereaddata/files/Public_Procurement_(Preference_to_make_in_India)_order_2019_for_Cyber_Security_Products.pdf 

Government of Taiwan. (2019). Government Procurement Act. Laws & Regulations Database of The Republic of China (Taiwan). Retrieved May 19, 2023, from https://law.moj.gov.tw/ENG/LawClass/LawAll.aspx?pcode=A0030057

Kingdom of Netherlands. (2022, January 12). Non-paper on the principles of a Cyber Resilience Act. The Netherlands at International Organisations. Retrieved May 12, 2023, from https://www.permanentrepresentations.nl/permanent-representations/pr-eu-brussels/documents/publications/2022/01/12/non-paper-on-the-principles-of-a-cyber-resilience-act 

National Cyber Security Centre. (n.d.). Supply Chain Cybersecurity. National Cyber Security Centre. Retrieved May 19, 2023, from https://www.ncsc.govt.nz/assets/NCSC-Documents/NCSC-Supply-Chain-Cyber-Security.pdf 

National Institute for Standards and Technology. (2018, February 14). Draft NISTIR 8200, Interagency Report on Status of International Cybersecurity Standardization for the Internet of Things (IoT). NIST Computer Security Resource Center. Retrieved May 19, 2023, from https://csrc.nist.gov/csrc/media/publications/nistir/8200/draft/documents/nistir8200-draft.pdf 

New Zealand Government. (n.d.). Supply Chain Cybersecurity. National Cyber Security Centre. Retrieved May 19, 2023, from https://www.ncsc.govt.nz/assets/NCSC-Documents/NCSC-Supply-Chain-Cyber-Security.pdf 

Purser, S. (2014). Standards for Cyber Security. In Best Practices in Computer Network Defense: Incident Detection and Response (Vol. 35, pp. 97-106). IOS Press. 10.3233/978-1-61499-372-8-107 

Republic of Poland. (n.d). Narodowe Standardy Cyberbezpieczeństwa - Baza wiedzy - Portal Gov.pl. Gov.pl. Retrieved June 25, 2023, from https://www.gov.pl/web/baza-wiedzy/narodowe-standardy-cyber 

UK Government. (2018). Supply chain security guidance - NCSC.GOV.UK. National Cyber Security Centre. Retrieved May 19, 2023, from https://www.ncsc.gov.uk/collection/supply-chain-security 

 

The Policy Network on Meaningful Access (PNMA) is a type of intersessional activity under IGF created to establish an expert-led framework network on broad Internet governance topics that create spaces for in-depth multistakeholder efforts. It aims to identify best practices and successful solutions applied somewhere in order to formulate impact-driven, concrete, and actionable policy recommendations on how to achieve meaningful and universal Internet access aligned with the Secretary-General's Roadmap for Digital Cooperation and the Sustainable Development Goals.

In 2022, the PNMA’s analytical focus was on the community’s agreed three overarching thematic workstreams: Connectivity (Infrastructure & Business Models), Digital Inclusion through citizen approach (accessibility & multilingualism: local services and contents in local languages based on local needs and resources) and Capacity Development (technical skills training). During the last year’s intersessional activities, the policy network has actively contributed within and outside IGF communities to identify a certain number of good practices and policy solutions, and retain them  as possible models to be exported or applied to other regions of the world. Stakeholders from different groups joined this enterprise: government, international organisations, academia, private actors, non-profits. The PNMA 2022 Output Report features a collation of selected cases for each of the focus areas. Additionally, one section of the document is devoted to recommendations around meaningful access and its expansion. 

The PNMA decided to pursue the development of this experience for 2023, assisting with the implementation of solutions for the issues previously raised. Its community wishes to open a multistakeholder public debate under these actions to influence policy change and the upcoming Global Digital Compact, in addition to the WSIS+20 and IGF+20 processes. 

Below are the key areas being developed by the Policy Network in Meaningful Access (PNMA) in its 2023 report. Comments can be added below each section by clicking on ''View and Add Comments for Paragraph''.

Deadline to post comments is 22 September 2023.

______________________________________________________________________________________________________

Exploring Connectivity

For each focus area, the policy network is collating data on good practices, collaborations and partnerships.



Thinking of Connectivity,

1. Are you aware of any network, collective, organisation etc, working to promote meaningful connectivity, that its efforts should be highlighted in the report? We would like to engage with big and small, local, regional or national initiatives.



2. Have you come across any activity/project during the last year that could be highlighted as a good practice? We would be happy to know the following:



(name of the project)

- Location: (country, city/region if available)

- Funding: (funder, figure, for how long, n/a)

- Responsible institutions / partners / people:

- What is the problem(s) it is trying to solve? (set up the context; describe the problem)

- Is it a Rural / Urban setting?

- Is there a gender focus?

- What were the services provided, subsidies used, anything else worth sharing?

- Which were the actions taken to address the problem(s)? 

- Results:

- Impact:

- Lessons learned: (what worked / remaining challenges)

Exploring Digital Inclusion

For each focus area, the policy network is collating data on good practices, collaborations and partnerships.



Thinking of Digital Inclusion,

1. Are you aware of any network, collective, organisation etc, working to promote meaningful access, that its efforts should be highlighted in the report? We would like to engage with big and small, local, regional or national initiatives.



2. Have you come across any activity/project during the last year that could be highlighted as a good practice? We would be happy to know the following:



(name of the project)

- Location: (country, city/region if available)

- Funding: (funder, figure, for how long, n/a)

- Responsible institutions / partners / people:

- What is the problem(s) it is trying to solve? (set up the context; describe the problem)

- Is it a Rural / Urban setting?

- Is there a gender focus?

- What were the services provided, subsidies used, anything else worth sharing?

- Which were the actions taken to address the problem(s)? 

- Results:

- Impact:

- Lessons learned: (what worked / remaining challenges)

Exploring Capacity Development

For each focus area, the policy network is collating data on good practices, collaborations and partnerships.



Thinking of Capacity Development,

1. Are you aware of any efforts by a network, collective, organisation etc that should be highlighted in the report? We would like to engage with big and small, local, regional or national initiatives.



2. Have you come across any activity/project during the last year that could be highlighted as a good practice? We would be happy to know the following:



(name of the project)

- Location: (country, city/region if available)

- Funding: (funder, figure, for how long, n/a)

- Responsible institutions / partners / people:

- What is the problem(s) it is trying to solve? (set up the context; describe the problem)

- Is it a Rural / Urban setting?

- Is there a gender focus?

- What were the services provided, subsidies used, anything else worth sharing?

- Which were the actions taken to address the problem(s)? 

- Results:

- Impact:

- Lessons learned: (what worked / remaining challenges)

Collaborating with the IGF Leadership Panel

A close interaction with the Leadership Panel enables a better understanding and advocacy of the PNMA mandate, and of the IGF structure as a whole.

1. In your expertise/working area, what are the key topics the PNMA should look for support of the Leadership Panel?

2. How do you foresee the institutional and pragmatic collaboration between these two entities?

 

Contributing to the Global Digital Compact/Summit for the Future

The PNMA community wishes to open a multistakeholder public debate under these actions to influence policy change and the upcoming Global Digital Compact, in addition to the WSIS+20 and IGF+20 processes.

1. In your expertise/working area, what are the key topics the PNMA cannot miss in the discussion with the GDC?

2. How do you foresee the institutional and pragmatic collaboration between these two entities?

Intersessional work with Youth IGF, DCs, and/or NRIs 

The PNMA understands that encouraging internal cooperation is one way further to the success of our common pleas. Hence, the network would like to know from the Youth IGF, DCs, and NRIs how the relationship can be improved:

1. For your intersessional group, what are the key topics the PNMA and your intersessional group could work together?

2. How do you see this partnership moving forward?

3. Please share any feedback you might have on the PNMA activities

Collaboration streams beyond the UN

In 2022, the PNMA improved its relationships with the ITU, ICANN, WIPO, and WAN-INFRA, including the promotion of their good practices around meaningful access. Would you suggest any additional collaboration opportunity? Let us know! 

Issues for IGF consideration and action

The discussions at the annual meetings and during the development of the PNMA work plans have identified some ideas about the possible role of the IGF in promoting the solutions and policy change demanded by the community. Similarly to the 2022 process, the 2023 Output Report would like to open a public debate around said issues, and collate them for monitoring. Let us know if you would like to report anything, being it a structural, long-standing problem or a new issue recently identified.

 

CHAPTER 1: Introduction

[Pages 3 - 8 in the Draft report, please read the pdf draft report to see pictures and footnotes]

In the 21st century, artificial intelligence (AI) is considered a key driver of social and economic development and its applications are transforming every walk of life. From smart homes and digital assistants to personalized learning or identifying medical conditions in CT-scans, AI is rapidly impacting our lives. If developed and deployed responsibly, AI can be used to for example deliver more effective government services tailored to the needs of citizens, by improving transport services, health services, and infrastructure. Powered by quality data, AI contributes to cutting-edge innovations that aid technological development across sectors. Applications of AI and their impact transcend national boundaries and national or local interests. AI is an essential tool in tackling the global challenges and accelerating the progress towards reaching the goals of the 2030 Agenda for Sustainable Development. AI can accelerate action aimed at improving social welfare, environmental stewardship and sustainable economic growth.

While AI technologies can be of great service to humanity and all countries can benefit from them, rapid technological advances and accelerated society-wide uptake of AI raise fundamental ethical concerns. For instance, biases embedded in AI systems can potentially result in AI systems that sustain and amplify existing unjust biases in our society, reinforce discrimination and enable new levels of authoritarian surveillance. Without decisive action and concerted interventions, AI could exacerbate discrimination, inequality, digital divides, exclusion and environmental harms, and deepen socioeconomic divides.  

AI can be leveraged to analyze climate data, predict climate patterns, and optimize energy use, that can identify vulnerable regions, assess risks, and develop strategies for climate adaptation, for the most vulnerable. Paradoxically, the environmental impact of AI in the context of data storage, computation, and energy consumption, is a growing concern.

Responsible AI and robust data governance can support climate adaptation and resilience efforts; For example, robust data governance can facilitate high-value diverse datasets, including climate data, socioeconomic data, and infrastructure information, which requires that software, data, foundation models, standards, and other digital content that are freely or openly available to the public as digital public goods. Effective AI policy for the environment requires a fine balance between data governance that ensures high-value global datasets are accessible for responsible data usage to support public interest decision-making while reducing the environmental footprint of AI systems.

AI technologies have a great potential to be beneficial to the environment and society. However, for these benefits to be realized, the potential harms should not be ignored but addressed.

It is vital to guide AI technologies, their development, uptake and use, in a responsible direction. Many countries, regions and international organizations have developed AI strategies, policies, recommendations, regulations and initiatives to maximize the benefits but also to manage the risks. As AI’s development and impact are global, international dialogue and joint action is needed. There is a need to continue developing, strengthening, sharing and implementing international recommendations, for example standard-setting developed through a comprehensive approach. These should place human dignity and human rights in the center and be grounded in gender equality, justice and mental well-being, diversity, interconnectedness, inclusiveness, and social and economic development - while also taking into account environmental and ecosystem protection.

The Policy Network on AI (PNAI) addresses policy matters related to AI and data governance. It is a global multistakeholder effort hosted by the United Nations’ (UN) Internet Governance Forum (IGF), providing a platform for stakeholders and changemakers in the AI field to contribute their expertise, insights, and recommendations. The primary goal of the Policy Network is to foster dialogue and contribute to the global AI policy discourse. This report is the first output document of the PNAI. It is not intended to be a comprehensive assessment or analysis of policy questions on AI and data governance. Rather, this first report develops analysis and recommendations to start a conversation. It delivers fresh suggestions from the global multistakeholder community, and paves way for the PNAI’s future work on AI-enabled technologies.

Recognizing the opportunities and risks AI presents, the UN is promoting ethical development and application of AI and has for example committed to support AI-related capacity building for developing countries and broader stakeholder engagement on AI. The UN Secretary-General's Roadmap for Digital Cooperation presented in 2020 notes a gap in international coordination, collaboration and governance on AI, and calls for enhanced international multi-stakeholder efforts to ensure AI benefits all. In July 2023, the UN Security Council discussed threats of AI to international peace and security for the first time. The Secretary-General announced the formation of a new high-level meeting on AI to assess options for global AI governance, as well as issuing new recommendations on AI governance to the UN Member States.

PNAI’s work and this report contribute to the UN's Global Digital Compact, a forthcoming agreement that focuses on the impact of digital technologies and their role in achieving the Sustainable Development Goals. PNAI's recommendations and report will be presented and discussed at the 18th annual IGF meeting in Kyoto, Japan, in October 2023. 

1.1 The IGF Policy Network on AI

PNAI work focuses on AI and related aspects of data governance. The policy network seeks to learn from and elevate AI governance frameworks, principles and policies being developed in and for the Majority World and Latinate languages, and to bring the IGF’s multi-stakeholder community together, gather and synthesize knowledge in the community. Participation in and contribution to PNAI are open to everyone. As a Policy Network under the IGF, PNAI seeks to build in-depth understanding of the topic, raise awareness and prompt cooperation across regions and stakeholder groups. The impact lies in the ability to facilitate discussion across stakeholder groups, facilitating a common understanding and inspiring and informing decision makers. A Multi-stakeholder Working Group, consisting of experts, supports transforming the PNAI community's perspectives into actionable measures and recommendations.

PNAI emerged from the request of the community: the Messages from the 2022 annual IGF meeting held in Addis Ababa conclude that the “IGF could be used as a platform for developing cooperation mechanisms on artificial intelligence. A policy network on artificial intelligence could be considered for the upcoming work streams in order to review the implementation of different principles with appropriate tools and metrics.” PNAI was launched in May 2023. The PNAI’s work on AI and related aspects of data governance builds on previous discussions, reports, and the wealth of knowledge within the IGF community. Over the past years, the IGF has discussed topics including AI use by social media platforms and content moderation, dangers such as manipulation, deception and mis- and disinformation, transparency needs in the operation and reporting of algorithmic systems, and necessary principles of rule of law, human rights, democratic values and diversity in the governance of AI.

1.2 Multistakeholder process adopted to develop recommendations on AI

This report was developed through exploration and multi-stakeholder discussions in the PNAI community. The PNAI work and meetings are open for everyone to participate in. The information was shared through the PNAI website and open mailing lists. Invitations and updates were also shared widely through IGF mailing lists and social media channels as well as community updates through the IGF website. Further PNAI community members circulated invites and information of the work being done within their communities and stakeholder groups.

The work towards the report was structured in five phases: The first phase of the work was ‘open dialogue’, where the group defined three thematic focus areas for the report and agreed on a report outline. Early discussions on the PNAI held in spring 2023 highlighted the importance of focusing the dialogue and work on selected topics rather than striving to cover all areas relevant to AI. For the PNAI’s first output report to bring value to the global AI dialogue, the aim should be to provide deep-dives areas that are central to fostering responsible AI development globally. Through an open brainstorming exercise, analysis and several commenting and input rounds the following thematic areas emerged: (i) Interoperability of global AI governance; (ii) AI gender and race; and (iii) AI and environment. The PNAI set up three sub-groups each dedicated to developing and drafting one of the three topical chapters of this report.

Once the topics were selected, the “information gathering” phase began. This took place through desktop research, engaging with invited expert speakers in the PNAI monthly calls and by tapping in the expertise of PNAI members. ‘Drafting the report’ phase consisted of writing and editing the report together. The thematic drafting teams led the way and shared progress for comments and suggestions in the broader policy network meetings. The fourth phase of the process was ‘consultation’ where the draft PNAI report was shared with the wider IGF community for comments and suggestions. Finally, after editing based on the consultation input, the report was finalized and published to be discussed in the IGF 2023 annual meeting in October 2023.

1.3 Structure of the report 

The following chapter ‘Exploring AI and related aspects of data governance’ sets the scene and presents the Global South lens selected for the report. The chapter also describes the emergence of generative AI. The remainder of the report is structured around three thematic chapters each addressing one key topic relevant to AI and related data governance issues. Each chapter presents and assesses existing policy measures relevant to the topic, proposes next steps, and shares recommendations based on the multistakeholder discussions.

The first topical chapter, ‘Interoperability of AI governance’, delves to study the convergence and divergence among the different AI regulations being drafted by countries and regions; identify the AI development and policymaking gap and   the challenges in strengthening global interoperability of AI governance towards AI that is   security, reliable, robust, fair, accountable and respecting human rights and innovation. It compares and identify good practices and bottom-up initiatives that foster interoperability in AI governance, and proposes eight steps for further actions.

The following chapter, ‘Framing AI Lifecycle for gender and race inclusion’, focuses on AI and gender, as well as AI and race. Do AI systems and harmful biases reinforce racism, sexism, homophobia and transphobia in society? Under which circumstances could AI be a force for good at improving gender and racial equality? What could be done to ensure that today’s AI systems are a positive force in achieving that equality?

The third topical chapter ‘Governing AI for a Just Twin Transition” takes a deep dive into the nexus of AI, data governance, and the environment, through the lens of  two case studies. The purpose of this chapter is to comprehensively delve into the intricate interplay of AI, data governance, and the environment.

The concluding section of the report summarizes the conclusions and recommendations of the Policy Network on AI.

CHAPTER 2: Exploring AI and related aspects of data governance

[Pages 9 - 14 in the Draft report, please read the pdf draft report to see pictures and footnotes]

The PNAI community selected AI and related aspects of data governance as the topic of this report and the group’s dialogues in the first months. The interdependence between AI and data is a critical nexus for addressing key societal challenges related to interoperability of AI governance, gender equity throughout the AI lifecycle, and environmental sustainability. Effective policies should strike a balance between fostering AI innovation and safeguarding the rights and well-being of individuals and the planet. By recognizing and acting upon this interdependence, we can harness the full potential of AI while ensuring a more equitable and sustainable future for all. Furthermore, robust data governance is needed to mitigate information asymmetries, ensure data quality, and address multidimensional power dynamics to drive informed climate adaptation, resource management, and conservation efforts, essential for addressing the biggest challenges of our time.

PNAI’s work on this report started from the observation that there is a plethora of AI governance frameworks, ethical AI policy approaches, documents, strategies and forums, but the vast majority of these have been developed in or for the Global North. The policy network set as one of its goals to look at AI and related aspects of data governance from the Global South Perspective. Inspired by the leaps in technological development that have dominated the headlines at the time of writing this report, PNAI decided to dive deeper into the world of generative AI technologies. Setting the scene for the report and its recommendations, this chapter presents the Global South lens selected for the report, and provides an introduction to the world of generative AI.

2.1 Viewing AI policy debates through the Global South lens

The Roadmap for Digital Cooperation issued by the United Nations Secretary-General in 2020 noted a lack of representation and inclusiveness in the international coordination and collaboration on AI. The Roadmap’s call for diverse stakeholder participation in global digital cooperation is particularly relevant if we consider the underrepresentation of Global South countries in the drafting of AI principles. A 2019 study by ETH Zurich researchers found that the USA, UK and Japan alone were responsible for most of the 84 ethics and AI documents identified for analysis. Although the sample analyzed then does not represent the current landscape of AI standards and guidelines, it is clear that certain countries and regions are responsible for most of the global dialogue and development in this area. AI ethics principles do shape policy debates at global, regional and national levels, but oftentimes, such supposedly “global” processes ignore contextual particularities including concerns and needs of the Global South.

In addition to the underrepresentation of Global South in AI policy documents identified at global level, it is important to shed light to the questions of inclusiveness and representation when developing AI policies in and for regions or countries. Evidence from Latin America, for instance, shows that public participation was limited in the drafting processes of national AI strategies. The processes in general failed to involve the groups which can be most affected by such technologies. This is the finding of a 2022 study that describes the scant participation of women and the failure of government institutions to provide disaggregated data which would demonstrate the representation of priority groups.

The findings of the studies are in stark contrast with the ongoing vibrant discussions on global AI governance, numerous initiatives to develop AI grounded in justice and equality and the research undertaken on the topic in  Global South countries. It also doesn’t take into account the key role such countries play across the AI value-chains, for example as providers of minerals that are fundamental for the development of their infrastructure, energy to sustain data centers, data and workforce to train algorithms or as final users of systems. The exclusion of Global South countries from policy debates on AI invisibilizes key priorities from discussion.

Global South participation in global AI policy debates is key. As highlighted in several international standards, AI governance, development and deployment should be discussed in different organizations, groups, parts of the world by experts, enthusiasts and laymen with different backgrounds. According to the UNESCO’s AI Ethics Recommendation, participation of different stakeholders throughout the AI system life cycle is necessary for inclusive approaches to AI governance, enabling the benefits to be shared by all, and to contribute to sustainable development. Otherwise, global inequalities between North and South tend to increase, as the AI industry is concentrated in a few developed countries and their systems are built from the extraction of value from less developed regions, including Africa and Latin America. Thus, building frameworks which guarantee sustainable, human rights-compliant AI requires both North-South and South-South collaborations.

The PNAI community seeks to learn from and elevate AI governance frameworks, principles and policies being developed in and for the Global South and non-latinate languages. With our growing global network, we can bring value to the AI dialogue by leveraging Global South perspectives, which are vital but typically missing or under-represented on AI policy debates. Hatched under the IGF network, PNAI can build on two decades of experience organizing global, multistakeholder discussions on digital governance. It can also benefit from the IGF’s concrete mechanisms for engaging the Global South through its more than 155 national and regional initiatives. 

At the same time, PNAI acknowledges the several imbalances that prevent Global South stakeholders from having a meaningful participation even in spaces built for inclusive worldwide participation, such as the IGF. These include limited funding to travel and precarious connectivity conditions to participate in events, the prioritization of English as the main language, among others. Global multilateral organizations committed to opening spaces for multistakeholder participation should take into account such inequalities in their design in order to foster true global dialogue and to ensure Global South perspective is included.

2.2 In the wake of generative AI

As stated, AI has significantly transformed, and continues to transform, our society. Recently, generative artificial intelligence has emerged to form one of the most promising and, at the same time, most controversial areas in AI development. Until recently, machine learning was mostly limited to predictive models (analyzing data to make predictions) while generative AI is a specialized branch of AI that focuses on learning from various data patterns with the purpose of creating new content. Systems powered by generative AI, such as Open AI’s ChatGPT and GPT-4, Anthropic’s Claude, or Google’s Bard, create texts, images, videos, music, software design, or scripting for test codes based on prompts by the user.

Due to its versatility, generative AI is increasingly employed across different areas including economy, social interaction, business, arts, and academia. Moreover, these tools can tackle repetitive tasks swiftly and efficiently, leading to a significant boost in productivity. Generative AI is expected to increase productivity across sectors, estimates show it could add USD 2.6 to 4.4 trillion annually to the global economy.

Generative AI carries the potential to benefit or harm vulnerable groups and communities. On the one hand, it makes possible personalized solutions.  Generative AI can for example help teachers create personalized lesson plans for each student. It assisting blind or low-vision people by turning images into text interpretation in numerous languages. These and many other linguistic or cultural adaptations make services more accessible. However, if the data used to train generative models is not representative, Generative AI could perpetuate stereotypes and biases, exacerbate discrimination, and increase inequality. AI developers and society in general must make a conscious effort to ensure that generative AI is developed and used in ways that empower underprivileged groups, rather than further marginalize them.

In the case of generative AI and Gender, there are high expectations to design algorithms that allow raising awareness on this topic. Therefore, the objective should be not only to use generative AI as a tool for the study, analysis, and promotion of gender issues but also to guarantee that these systems are trained with accurate and representative data linked to awareness, avoiding false content or information with discriminatory visions, thus contributing to a broader and fairer understanding of gender issues in today's society.

The ability of Generative AI to generate content, such as text and images, raises serious ethical concerns. It can be used for disinformation and other forms of digital manipulation. Speaking to the Security Council in July 2023, the UN Secretary-General highlighted the capabilities of new generative AI models, and warned about the risks that the advent of generative AI can bring, for example for disinformation and hate speech. Furthermore, the integrity of the information and the protection of personal data and individual privacy are at risk. It is essential to establish clear limits and regulations that protect individuals from possible abuse, without going against innovation.

Generative AI has the potential to democratize digital services, as it allows the creation and adaptation of content in an automated way. However, if not managed properly, it could lead to digital monopolies where a few companies control access to and use of generative technology. A truly open and free digital future demands that generative AI be developed and distributed in a transparent, equitable and accessible manner.

The digital age has led to the emergence of new challenges, especially manipulation, deception, and misinformation on the Internet. Therefore, generative AI emerges as a double-edged tool in this context. Although it can be a potential source of problems, it also presents itself as a viable solution to combat these same challenges. One of the most promising areas is generative AI’s ability to detect manipulations in digital content. While it is true that systems building on this technology are used to create text, images, or videos, they can also be developed and trained to identify anomalies or inconsistencies in the data. This can help detect false information, for example fake news, generated by this powerful technology. Disinformation can spread and influence public opinion at an alarming speed, therefore such tools need to be urgently developed and implemented.

Another concern to consider is fragmentation on the Internet, where algorithms personalize and limit the information that users have access to. This distinction can be counterproductive, as it reinforces existing opinions and limits exposure to diverse perspectives. Generative AI can be trained and used, to analyze broader patterns and understand context. Moreover, it can contribute to the creation of more balanced filters that present information in a more impartial way.

Finally, human rights can be affected or violated by misinformation or the construction of misleading narratives. To avoid these harmful practices, Generative Artificial Intelligence can be used to create content and verify its authenticity to ensure that the truth prevails. However, there is a risk of using this technology as a surveillance or repression tool by authoritarian regimes. Therefore, it is necessary to design an ethical framework and its implementation.

Generative AI has the potential to transform industries and society, to boost innovation across diverse fields, from arts to scientific research and empower individuals including marginalized groups. To ensure generative AI contributes towards a positive future, it is crucial to prioritize responsible design and release practices from the beginning. As generative AI continues to advance at an unprecedented pace, there is a need for collaboration among stakeholders to ensure that AI serves as a force for good.  The IGF Policy Network on AI promotes the debate on how to increase international cooperation among the stakeholders on  the use of  generative AI and related aspects of data governance.

2.3 Global multistakeholder dialogue is crucial in getting global AI governance right

Understanding AI’s future impact on societies is very difficult. It is known that governing and regulating a technology in development is always difficult but it is even more difficult later when the technology becomes deeply entrenched and its effect on society is better understood. Under these circumstances, making effective and informed decisions on AI is complex. Bringing in diverse perspectives and expertise can enhance understanding of the implications of AI in a holistic manner, it is necessary for developing relevant and applicable policy for the national and international context.  Multistakeholder approach facilitates the development of inclusive AI policies that help decision makers to consider diverse viewpoints  and  expertise,  prevent  capture  by  vested  interests,  and  counteract  polarization of policy discourse.

The multistakeholder dialogue is crucial for addressing AI’s policy evolution. But it is not easy to create spaces for truly global AI dialogue or reach stakeholder groups, including those with limited financial, grass-root organizations, from developing countries. Already in 2020 there were over 160 organizational, national and international sets of AI and governance principles worldwide but so far no common platform to bring these initiatives together. At the time of writing this report, PNAI is in its early stages, but is already bringing value to dialogues on AI governance as it is an open forum that brings diverse stakeholders from across the world together for timely discussions on AI. The impact of IGF’s intersessional activities, such as PNAI, comes from facilitating global discussion across stakeholder groups.

The private sector, the technical community and civil society should be involved from the beginning when making decisions on digital topics. Involving stakeholders across technical and non-technical communities, promoting inclusivity, and respecting the different cultural backgrounds are key components for designing a system approach to global AI governance. Multistakeholder engagement furthermore should meaningfully address concerns of various actors and consider power asymmetries between them. This PNAI report is developed by the PNAI multi-stakeholder community through a transparent process and an open consultation.