IGF 2019 WS #195 Cybersecurity concerns everyone - Responsibility and education throughout the digital supply chain

Organizer 1: Daniel Brinkwerth, Charter of Trust (GPLUS)
Organizer 2: Paula Iwaniuk, Charter of Trust (GPLUS)

Speaker 1: Eva Schulz-Kamm - Head of Global Government Affairs at Siemens AG
Speaker 2: Dr. Alexander Wolf – CEO Division Business Assurance at TÜV SÜD AG
Speaker 3: Wolfgang Percy Ott – Head of Government Affairs Germany at Cisco
Speaker 4: Jacques Kruse-Brandao - Global Head of Advocacy at SGS
Speaker 5: Dr. Jochen Friedrich – Technical Relations Executive at IBM
Speaker 6: Laurent Bernat – Policy Analyst on Digital Security Policy at OECD

Moderator

Daniel Brinkwerth, Private Sector, Intergovernmental Organization

Online Moderator

Daniel Brinkwerth, Private Sector, Intergovernmental Organization

Rapporteur

Daniel Brinkwerth, Private Sector, Intergovernmental Organization

Format

Break-out Group Discussions - Flexible Seating - 90 Min

Policy Question(s)

- How can industry, governments and other stakeholders work together to make sure that the digitalization of the global economy is trustworthy, safe and secure? - What are the baseline requirements for cybersecurity that all business players along the global supply and value chains should fulfill to make the digital economy secure for future growth? - What legal regulations are already in place but potentially need to be enforced and what new legal regulations should be created to address upcoming threats? - What role should different stakeholders play in cybersecurity capacity building approaches?

SDGs

GOAL 4: Quality Education
GOAL 8: Decent Work and Economic Growth
GOAL 9: Industry, Innovation and Infrastructure
GOAL 17: Partnerships for the Goals

Description: (A) The issue: Due to the architecture of the internet infrastructure, national or regional regulatory solutions are of a limited effect, so global cooperation is needed. The Charter of Trust is the beginning of a unique initiative by leading global companies, taking their responsibility on Trust and Cybersecurity. IT and cybersecurity are topics of intense discussion on a global scale. At the same time, dialogue often raises questions about the options for action of state actors. The complexity of the development of the Budapest Convention shows how challenging global developments are. The Paris Peace Call, in turn, shows the political intent for greater security. (B) Discussions: The session should deal primarily with entrepreneurial responsibility in reinforcing cybersecurity standards. The topic will also be expanded to how this cannot be done without the support of governments and public bodies to enforce minimum requirements along supply chains, for example. In the session, we aim to shed light on the complexity of global discussions and define common action corridors e.g.in the context of standardization, certification and possibly regulatory frameworks. The EU framework (Cyber act) could be used as an example. (C) Agenda: Although discussion and participants contributions will ultimately drive the agenda, the following will be used to guide conversation: - The session will start with the introduction of invited speakers and a short ice-breaker presentation by the moderator, to set the scene and map out the journey the conversation will take (10 minutes) - Speakers will then take the floor in turn to present the above-mentioned topics, each followed by input from the audience (60 minutes). - At the end of the session the moderator, with the help of the rapporteur will summarize the discussion and ask the speakers and audience to comment on the session’s key takeaways (20 mins).

Expected Outcomes: The workshop will bring together leaders from global business organisations as well as regulators and think tanks / academia. It will discuss how the various stakeholder groups could collaborate to enhance cybersecurity alongside the supply chain based on global baseline requirements. The workshop would explore how the private and public sector can work together towards a global framework (of commitments) for cybersecurity.

The list below provides examples of the way discussion will be facilitated amongst speakers, audience members, and online participants and ensure the session format is used to its optimum: Seating: Participants will sit in a circle or semi-circle (room permitting), with seats in the middle for the speakers. An empty chair will be placed next to the speakers. Audience members will be invited to occupy the empty seat at selected times of the discussion, to provide further or new perspectives or challenge the speakers. This will facilitate discussion by creating an enabling and comfortable atmosphere where all speakers and participants are given an equal footing in the discussion. The moderator will have a prominent seating position and may walk around the room to engage participants. Preparation: Several preparation calls will be organised for all speakers, moderators and co-organisers in advance of the workshop so that everyone has a chance to meet, share views and prepare for the session. Given the varied background of discussants and audience members, organisers will advertise the session and introduce questions to animate discussion on social media in the run up to the workshop. This will introduce the subject, encourage conversation and create links to other dialogues on the topic taking place in other forums to create awareness and help prepare in-person and remote participants for the workshop. The moderator will have questions prepared in advance to encourage interaction among invited experts and between participants, if conversation were to stall. Potential Q&A’s will also be prepared in advance to that every speaker is prepared to respond to any comment Moderator: The moderator will be an expert and well-informed on the topic and experienced in animating multi-stakeholder discussions. Charter of Trust Secretariat has a long-standing experience of organising events with moderators and panellists. It will suggest a list of potential moderators well in advance and help brief him/her before the event. During the discussion, questions will be incorporated to encourage responses from participants and everyone will be given equal weight and equal opportunity to intervene. Walk-in participants will be encouraged to participate in the discussion by the moderator who will seek contributions from participants in person and remotely. The remote moderator will play an important role in sharing the ideas of remote speakers/participants and will encourage their interventions through video. Reporting: Following the discussion, participants will be encouraged to share their key takeaways from the session through online tools and social media. This will help ensure diverse perspectives raised during the discussion are included in the reporting.

Relevance to Theme: The workshop directly addresses one of the main themes of IGF 2019: Security, Safety, Stability, Resilience. It aims to bring IGF participants closer to identifying the need of collaboration for a more secure digital world. (A) Relevance of Charter of Trust Charter of Trust is a joint initiative of the Munich Security Conference and 15 multinational companies (AES, Airbus, Allianz, ATOS, CISCO, Daimler, Dell, Deutsche Telekom, IBM, Mitsubishi Heavy Industries, NXP, SGS, Siemens, Total, TÜV Süd) that operate across various business sectors and are committed to improving cybersecurity in the global economy. These companies are united in the firm believe that cybersecurity is a necessary condition for the success of the digital economy. Digitalization and cybersecurity must evolve hand in hand; users need to trust that their digital technologies are safe and secure. To achieve this objective, Charter of Trust has set out 10 principles for cybersecurity. The Munich Security Conference and member companies engage with business partners, regulators, think tanks and academia to define these principles and work on a swift implementation in daily business operations. Therefore, we believe Charter of Trust can contribute to an aspirational yet pragmatic debate about cybersecurity at the IGF. (B) Relevance of workshop topic Cybersecurity is only as strong as the weakest link in a given system. Therefore, the Charter of Trust Principle 2 sets out the aspiration to ensure that global supply chains meet cybersecurity standards. Companies – and if necessary – governments must establish risk-based rules that ensure adequate protection across all IoT layers with clearly defined and mandatory requirements. Ensure confidentiality, authenticity, integrity, and availability by setting baseline standards. In the workshop we will discuss questions, such as - Identity and access management: Connected devices must have secure identities and safeguarding measures that only allow authorized users and devices to use them. - Encryption: Connected devices must ensure confidentiality for data storage and transmission purposes, wherever appropriate. - Continuous protection: Companies must offer updates, upgrades, and patches throughout a reasonable lifecycle for their products, systems, and services via a secure update mechanism. The workshop will cover the responsibility of companies and address the need of collaboration on a global scale with further industry partners, governments and as well with civil society. It will also be based on concrete examples of companies from Charter of Trust, and how they overcome security and safety crises.

Relevance to Internet Governance: The digital world is changing everything. Today, billions of devices are connected through the Internet of Things. While this creates great opportunities, it also harbours great risks – ranging from data breaches to serious risks to life and limb where the digitalisation creates complex cyber-physical systems. To make the digital world more secure, the member organisations of Charter of Trust have joined their forces. Taking the spirit of the Paris Peace Call, which Charter of Trust offically supports, the workshop would focus on how cyber and IT security can be enhanced globally.

Online Participation

Ahead of the session, the remote moderator will be involved throughout the workshop planning and organization process to advise on where remote participation will need to be facilitated. During the session, the online platform will be used to animate the discussion and ensure participants in the room and online will have an equal opportunity to engage. The online moderator will occupy the empty seat on behalf of online participants at any given time they wish to join the conversation. The moderator will frequently communicate with the online moderator throughout the session to ensure remote participants’ views/questions are reflected. The moderator and speakers will be encouraged to follow the online participation tool throughout the workshop themselves, so that issues brought forward by participants in the chat can be carried throughout discussion. Participants in the room will also be encouraged to use their mobile devices to connect and interact with remote participants. Social media will also be used to generate wider discussion and create momentum for online participation as the workshop is unfolding. Charter of Trust has wide experience in using social media during events and coordinating between member companies. Co-organizers will ensure that the workshop is promoted in advance to the wider community to give remote participants the opportunity to prepare questions and interventions in advance and to generate interest in the workshop. Organizers will also explore the possibility of connecting with remote hubs around the globe and organize remote interventions from participants.  

Proposed Additional Tools: Organizers will explore the use of audio-visual material (i.e. videos, PowerPoint slides, images, infographics) throughout the workshop to animate the session and aid those whose native language may not be English.

1. Key Policy Questions and Expectations

How can we achieve responsibility throughout the entire supply chain? And what would that look like? How do we educate everyone involved in the supply chain accordingly to ensure that all baseline requirements are met? As an alliance of global industry leaders, the Charter of Trust will bring together experts from various industries and countries (Siemens, CISCO, TÜV Süd and more) as well as engaged partners from other sectors to discuss how the various stakeholder groups can collaborate to enhance cybersecurity throughout the supply chain. The workshop will explore how the private and public sectors can work together towards a global framework (of commitments) for cybersecurity.

2. Summary of Issues Discussed

The discussion focused on the responsibility along the supply chain and how to create and implement standards on a B2B level. Participants were in agreement that on the extended need for global rules and standards. Equally important, all suppliers need to adhere to established baseline requirements. Some disagreements were had on the extent of mandating such requirements, or who should be implementing them. The Charter of Trust has been working on creating high-level baseline requirement recommendations that will be applicable for companies from various industries. Disagreement was had on the best implementation of these requirements across a company’s supply chain. Dr. Wolf (TÜV SÜD) expressed that non-fulfilment of these standards should possibly lead to the disqualification of a supplier. Whereas Mr. Kruse-Brandao (SGS) suggested that mandatory standards carrying concrete consequences for non-compliance should come via governmental regulation. However, ultimately  all panellists agreed that full responsibility along the supply chain can only be achieved, if all members of a company have a minimum awareness of cybersecurity hygiene. Discussing the issue of education along the supply chain, Dr Wolf (TÜV SÜD) added that many skilled workers with years of experience will have to broaden their expert knowledge and get high-level training on cybersecurity as well. As an example, he gave car mechanics certifying car safety, who will have to be trained in cybersecurity as cars continue to become more and more digitally connected devices.

3. Policy Recommendations or Suggestions for the Way Forward

The IGF and all the sectors represented in it should address the need for establishing rules and standards for IoT/connected products. These standards and rules should address the businesses, their suppliers, anyone else involved along the supply chain, from product development to the end-user. At this point baseline requirements, rules, standards, and certifications will help set guidelines for the companies involved in the production of IoT devices  Particularly certification will help companies screen for secure and compliant suppliers and help consumers choose products, who they know will be safe to use. Additionally developing cybersecurity curriculums for academia to best address the needs of the industry will serve to engrain awareness amongst everyone involved and gives guidance to high-level policy institutions from those who will be at the practical end of regulation implementation. Further, establishing formal training for employees will help companies be prepared for the increasing threat of cyber attacks.

4. Other Initiatives Addressing the Session Issues

Of course, the Charter of Trust is at the very center of this discussion, with industry leaders coming together and hoping to lead by example as a well as coming together with academia, government organizations and others to have an open and productive knowledge exchange that informs all output of the Charter of Trust. Other great initiatives include the IBM X-Force Command Cyber Tactical  Operations Center, the OECD’s efforts in addressing digital policy on a governmental and private sector perspective. TÜV SÜD has made extended efforts to address cyber security by offering specific training to their employees. SGS has been working closely with the European Public-Private Partnership (PPP) for Cybersecurity of the European Commission and the European Cybersecurity Organization (ESCO) to work on future legislation and standardization. Siemens was a key initiating partner of the Charter of Trust and has been at the forefront in tackling these rising threats on cyber and data security. Academic institutions such as the Hasso-Plattner-Institute and the TU Graz have made great efforts in research and education of the next generation of cybersecurity experts.

 

5. Making Progress for Tackled Issues

(1)Establishing a certification process to asses a company’s compliance with recognized cybersecurity standards. This will help other companies assess who they can safely partner with in product development and give companies a way to prove their efforts in cybersecurity. (2) Establish a cybersecurity hygiene awareness program. Similar to the awareness campaign on physical hygiene in the early 20th century, such a campaign will help to engrain awareness of the risks we are all exposed to on a daily basis and provide us with methods to protect ourselves and our devices. (3) Install mechanisms, similar to hardware products or food, which trigger product recalls if infractions are noticed. All of these efforts should be pushed within and outside of the IGF ecosystem to ensure a safer more secure digital world of tomorrow.

6. Estimated Participation

Onsite participants were around 70 ppl, online fluctuated between 6-8. The representation was around 2/3 male, 1/3 female

7. Reflection to Gender Issues

It can hardly be denied that there is a gender disparity among cybersecurity experts. The panel itself recognized that it did not manage to achieve parity on this matter and addressed what needs to be done better. To close the gap, a bottom up approach can ensure that women are empowered from an early educational level to follow their talents in the field, and ensure the environments, from the classroom to the workplace are non-discriminatory. Equally, top-to-bottom measures promoting diversity and inclusion through soft and hard measures like unconscious bias training will help to move us towards parity in tech.

8. Session Outputs