IGF 2023 Day 0 Event #23 On how to procure/purchase secure by design ICT

Sunday, 8th October, 2023 (05:25 UTC) - Sunday, 8th October, 2023 (06:55 UTC)
WS 7 – Room K

Cybersecurity, Cybercrime & Online Safety
Cyberattacks, Cyberconflicts and International Security

Internet Standards, Security and Safety Coalition
Mallory Knodel - IS3C Working Group 3 Chair; Center for Democracy & Technology - Civil Society - North America
Elizabeth Orembo - IS3C Working Group 3 Lead Researcher; Global Cyber Security Capacity Centre - Technical Community - Africa
Wout de Natris - IS3C Coordinator; De Natris Consult - Private Sector - Europe
Mark Carvell - IS3C Senior Policy Adviser; Independent Internet Governance Consultant - Private Sector - Europe


Mallory Knodel - IS3C Working Group 3 Chair; Center for Democracy & Technology - Civil Society - North America
Elizabeth Orembo - IS3C Working Group 3 Lead Researcher; Global Cyber Security Capacity Centre - Technical Community - Africa
Bart Knubben - Platform Internetstandards - Government - Europe
Steven Tan - Cyber Security Agency Singapore - Government - Asia

Onsite Moderator

Mallory Knodel

Online Moderator

Mark Carvell


Wout de Natris


12. Responsible Production and Consumption

Targets: Responsible production needs to contain ICT products, devices and services that are developed and manufactured according to long-existing, security-related internet standards and ICT best practices in such a way that they are secure by design. This will ensure a far safer and more secure online environment, adding to trust in the use of the internet and leading to even more successful (economic) use.


This is a fully open consultation. After a short presentation of the main findings and recommendations in the report by working group chair Mallory Knodel and researcher Liz Orembo, participants are engaged in the debate about deployment of the report’s outcomes. The moderator will lead the audience into this debate on the basis of pre-determined and published questions. The questions will, in part, depend on the outcome of the study which is currently being undertaken. The answers will co-determine IS3C's next steps on the topic of procurement and its deployment.


The IGF Dynamic Coalition Internet Standards, Security and Safety Coalition (IS3C) strives to make the internet more secure and safer through the widespread deployment of existing, security-related internet standards and ICT best practices. One way to achieve this, if not the shortest route to success, is for all organisations to start procuring and purchasing ICTs that are secure by design, by demanding that ICT services, devices and products contain the relevant security-related internet standards and ICT best practices as part of the product. At this IGF, IS3C’s working group on procurement and supply chain management (WG3) will present its global study into and guidelines for this topic.

The WG has collated, compared and analysed all available documents on the basis of three questions:

  1. What procurement policy/documents focus on internet and digital communications?
  2. What does the procurement policy/document say about security?
  3. Does the security section talk about internet standards and ICT best practices?

This has led to a set of conclusions, best practices and recommendations that will be presented as an introduction to this open consultation. This workshop, however, focuses on the main and huge challenge: How can the world move from theory to practice?

In this session stakeholders at large will be asked the above question directly and are invited to provide answers to the following as well:

- How to get this message on procurement across best?
- Which stakeholders need to become involved to successfully drive the deployment of the guidelines on procurement?
- What should their respective roles be?
- Which organisations are best suited to provide training?

This workshop invites representatives from all relevant stakeholder communities to debate the deployment of the conclusions of the global study and the analyses of the gathered data. The outcomes of this IGF session are the start of the next phase for IS3C: setting theory into practice.
The draft report will be published on IS3C's website, www.is3coalition.org, in the first week of June and discussed in an open consultation at EuroDIG on 19 June.

Both moderators, by way of constant interaction, will engage the whole audience in the debate by alternating between the online and offline participants, including the use and monitoring of the chat function. Active outreach will encourage those stakeholders who are not able to travel to Kyoto to participate online.

Key Takeaways

If the internet and ICT are to become more secure and safer, procurement by large organisations can be a powerful tool that is fully underused. A narrative needs to be developed that will make individuals in decision-taking positions and those in procurement offices take a decision which includes ICT security by design.

Call to Action

IS3C announced a consultation on a document containing the most important and urgent internet standards that organisations should demand when procuring ICTs. https://docs.google.com/document/d/1ZC6PBHOREbObHUgopAkPQbIWC_EgLQ8nDyD…

Session Report

The Dynamic Coalition on Internet Standards, Security and Safety Coalition organised a day 0 event on procuring ICT products, services and devices secure by design.

In an introduction, IS3C's coordinator Wout de Natris explained how governments and industry can become more secure by design. The most powerful tool any large(r) organisation has over manufacturers and developers is its buying power. When such organisations start to demand that open, security-related internet standards and ICT best practices are built in by design, industry will most likely adhere to this demand. As a trickle-down effect, ICT will become more secure for all users. However, IS3C's research shows that buying power is seldom applied where ICT security is concerned.

Next, the overarching themes from IS3C's research were presented. They are:

  1. Governments, and most likely other organisations as well, do not use their purchasing powers to procure secure ICT and IoT products, services and devices;
  2. There is insufficient cooperation between governments to coordinate on ICT security regulation or advice. This makes it hard for industry to adhere to commonly set standards;
  3. Open standards, created by the technical community, are not recognised by the great majority of governments. This results in the public core of the internet remaining unprotected;
  4. Better cooperation between governments will lead to a better protected and safer internet for all;
  5. The lack of a level playing field for industry results in an insecure ICT environment, as products are, as a standard, released on the market insecure by design;
  6. The lack of demand for security by design from society as a whole leads to a lack of incentive for industry to manufacture and develop security by design in ICT;
  7. Governments can be the big driver for security by design by procuring according to this principle;
  8. There is a world to win where cybersecurity is concerned that is currently fully underused.

The floor was opened for questions and comments, but none present had experience with this way of working.


David Hubermann, chair of IS3C’s WG 8 on DNSSEC and RPKI deployment, explained the importance and uniqueness of open internet standards. For many ordinary things in life, countries or regions have their own standard, e.g. currency, electricity voltage, sockets and plugs, the side of the road to drive on, etc. On the internet, however, the standards are the same everywhere. When these standards were first created, security was not an issue. Since then, security has become a major topic. The technical community has come up with solutions for the insecurity in standards. For the DNS, the domain name system, it is a set of security extensions called DNSSEC; for routing on the internet it is called RPKI, Resource Public Key Infrastructure.


The strange situation occurs that security is within grasp, if only it were deployed by, mostly, the internet industry. This is insufficiently the case, leaving everyone on the internet exposed to threats and attacks, including those who have deployed, as the "dark side" can use these flaws for their nefarious purposes. The focus of the technical community has mostly been on the technique. It has become clear that this does not convince the people in decision-taking positions to agree to deployment.


To change this, IS3C's WG 8 has formed a team of experts who will provide advice to all who have to convince their managers to deploy, with a new set of arguments that move away from the commonly used technical ones. The result is expected in the winter of 2024.


People present were invited to join this work and IS3C in general. From the comments received, it was clear that the message came across loud and clear, but not how individuals present could contribute to this challenge.