Check-in and access this session from the IGF Schedule.

IGF 2021 Day 0 Event #15 Closing the gap between the theory of digital security and the practice of insecurity

    Time
    Monday, 6th December, 2021 (08:30 UTC) - Monday, 6th December, 2021 (10:00 UTC)
    Room
    Conference Room 7

    Dynamic Coalition on Internet Standards, safety and security
    DC-ISSS chairs and coordinators: Ms. Janice Richardson, Insight SA, civil society, Australia Mr. Raymond Mamattah, EGIGFA, education, Nigeria Ms. Mallory Knodel, Center for Democracy & Technology, civil society, United States Mr. Yurii Kargapolov, Ukrainian Numbering, Naming and Addressing Operation Center, technical community, Ukraine Mr. Wout de Natris, Coordinator DC-ISSS, Private sector, The Netherlands Mr. Mark Carvell, senior policy advisor DC-ISSS, private sector, United Kingdom Mr. Savyo Vinicius de Morais, Instituto Federal de Educação, academia/technical community, Brazil Ms. Yung-Chi Chen, assistant research fellow, academia, Asia Pacific region

    Speakers

    There are no presentations nor speakers foreseen. After a short introduction, repeating the preparatory instructions, the group breaks into working groups. TBD rapporteurs present the outcomes from the online and on site breakout sessions.

    Onsite Moderator
    Wout de Natris
    Online Moderator

    Mark Carvell

    Rapporteur

    Mark Carvell

    Format

    Breakout sessions and plenary reporting including final comments.

    Duration (minutes)
    120
    Language

    English

    Description

    This workshop invites you to participate in a discussion about Internet security revolving around one question: How do we close the gap between the theory of security and the daily practice of what is in effect insecurity by design? The Dynamic Coalition on Internet Standards, Security and Safety (DC-ISSS) focuses on the topic that has been identified as a hugely important driver for establishing a safer and more secure Internet: the widespread global adoption of existing, security related Internet standards and ICT best practices.

    Cyber security is an issue gaining more and more public and political attention due to the ever increasing number of cyber attacks and threats. Many experts discuss it, propose policies to proceed towards a safer Internet and digital environment, create new Internet standards and ICT best practices aimed at reducing  existing vulnerabilities, etc.. Despite all these efforts the Internet and ICTs has not become significantly safer.

    There are hundreds if not thousands of these standards and best practices. Many organisations work actively to promote digital security but often with the focus on one specific component of digital security, where their specific competence and background makes them an expert.

    And then there is the end user who is faced with all these threats. How can the end-user protect his or her privacy and security online? It is time to look at the whole picture and acknowledge that there is a considerable gap between the theory of cyber security and the daily practice of insecurity by design.

    Many, if not all, vulnerabilities and threats can be prevented when the ICT industry develops and manufactures devices and applications based on secure by design principles, i.e. containing state of the art Internet standards and ICT best practices.

    It has often been pointed out by industry observers that there is hardly any demand for secure products, so they are not supplied in the market. Security has to be demanded when buying new products, services and devices. If organisations and businesses in their procurement and supply chain management processes, demand ICT products, devices and services to be secure by design, all end users would benefit and be able to operate online with greater trust, security and safety.

    Current practice in the ICT industry, which does not drive the deployment of effective security standards, is therefore very discouraging. The gap between theory and practice is clear for all to see and it needs closing; if the goal is a more secure ICT and Internet environment.

    This workshop is about how to bridge that gap. If cyber security is so important for our economic and personal well-being, how is it that ICT-products which are not designed to be secure continue to be procured by public administrations and corporate organisations? What does it take to change these procedures? What steps can be taken to achieve this? What are known best practices? What can others learn from them?

    The DC-ISSS addresses this challenge head first. We invite you to discuss the aim of bridging this gap together in an open workshop aimed at sharing expertise, knowledge and ideas. The discussion is led by DC-ISSS coordinator Wout de Natris. The outcomes will feed into the DC-ISSS' workplan for 2022 and the DC-ISSS session on 9 December at 16.50.

    You can find general information on the DC-ISSS here.

     

    Key Takeaways (* deadline at the end of the session day)

    In the breakout groups different topics on Internet standards were discussed. The main points made, all concern the need for broader and deeper forms of cooperation between stakeholders: the rech community, industry, governments, consumer organisations, etc. Together they have to establish consitions for the more widespread deployment of Inernet standards. The DC-ISSS can facilitate these processes through guidelines and policy recommendations.

    Call to Action (* deadline at the end of the session day)

    Very diverse actions to promote standards deployment were identified. 1) Convene all relevant stakeholders, 2) Develop trust components; 3) Create capacity building programmes; 4) Engage decision takers 5) Create a list of urgent best practices.

    Session Report (* deadline 9 January) - click on the ? symbol for instructions

    The Dynamic Coalition on Internet Standards, Security and Safety (now renamed the Internet Standards, Security and Safety Coalition with the acronym IS3C as announced at the main DC session on day 3) discussed how to close the gap between the much discussed theory of cyber security and the daily experience of insecurity online.

    The workshop had a clear focus. The IS3C wanted to gather insight, good practises, ideas and (potential) solutions from the participants and learn about how they experience the discussed gap and how they envision to close it. The takeaways and actions reflect the contributions of the participants, not, necessarily, the current approach of the IS3C.

    The agenda was planned to include five parallel breakout sessions with individual challenges. Due to technical problems with the IGF website at the start of day zero, it was decided to create two parallel groups: one group for stakeholders participating online; and one for the onsite participants in Katowice.

    The following takeaways and actions were identified and agreed.

    Takeaways 

    i. Importance of cybersecurity standards

    1. Making the Internet more secure and safer is extremely important for national economies and society generally, in order to realise the full benefits of digital transformation.
    2. The complexity and divergence of agreed standards and protocols is a challenge for consumers. Harmonisation of security-related standards is not technically easy due to the complexity of applications and requirements of different users such as big corporate enterprises, SMEs (small and medium-sized enterprises) and micro-businesses, individual users and public sector administrations. However, the tech community should aim to establish minimum design standards for the security of devices and network applications.    
    3. More open processes of standards development would foster beneficial cooperation e.g. with civil society and government policymakers. 

    ii. Empowerment of stakeholders

    1. Mechanisms for protecting the security of consumers online need to be developed such as certification and labelling schemes.
    2. Wider societal rights, business needs and consumer requirements should be included as topics in training curricula for engineers.
    3. Ensuring decision-takers have more knowledge about security-related standards should be a common goal for the tech sector.
    4. Need to assist micro-businesses and SMEs who lack the technical capacity to strengthen their online security.
    5. Developing and least developed countries need assistance in addressing cybersecurity challenges through effective deployment of security-related standards in their digital economies.

    iii. Role of governments

    1. Governments could lead by example through their procurement programmes.
    2. Governments could consider making the requirement of security-related standards mandatory.

    iv. Role of consumers

    1. The role of consumer advocacy organisations needs to be explored.

     

    Actions

    For all IS3C members:

    1. Bring together the stakeholder communities so that they can understand each other better and work together in support the deployment of security-related standards.
    2. Assist developing and least developed countries to develop the expertise and capacity to make informed choices about cyber security standards.
    3. Consider which tools and advisory services are available or need to be developed to help SMEs and small and micro-businesses, who due to size have no the necessary technical capacity.
    4. Address the potential role of consumer advocacy groups and whether to start a new Working Group in 2022.

     

    For IS3C Working Group 1

    1. Develop a set of principles for technology developers that will promote greater trust.

     

    For IS3C Working Group 3

    1. Provide guidance for private sector decision-takers on how to make well-informed purchasing decisions relating choices on to cyber security standards.
    2. Assist public and private sector decision-makers in identifying which security-related standards to prioritise in their procurement and supply chain management processes.
    3. Assist government policymakers on how they can influence the markets for more secure devices and network applications through their procurement policies.   

    The IS3C will take these views and recommendations into account when finalising its workplan for 2022-23 following IGF 2021. We thank all our participants for their time and valuable contributions in this session.