IGF 2023 Open Forum #57 Procuring modern security standards by governments&industry

Thursday, 12th October, 2023 (04:30 UTC) - Thursday, 12th October, 2023 (06:00 UTC)
WS 10 – Room I

Cyberattacks, Cyberconflicts and International Security
New Technologies and Risks to Online Security

Other - 90 Min
Format description: Short presentations, followed by discussion of patrticipants and interaction with the public


As digital has become an integral part of everyone’s lives and work environment, security is no longer nice to have but a prerequisite to work and live safe from online harm and its implications in the offline world. At the same time cyber incidents seem only to grow and have more and more impact. This Open Forum will show what government procurement agencies and purchasing departments of other organisations can do to upgrade their own level of security and as a result, everyone else’s: by procuring secure by design. When discussing cybersecurity, the discussion often focuses on the user. He/she is responsible for security. In practice there often is not a lot these users can do to protect themselves. When Internet standards are not built in by design or ICT best practices ignored by designers or manufacturers, security-wise the end user is, often, clueless. This does not have to be this way. The Dutch government has a policy on open standards to support interoperability, (re)use of data and lower dependency on specific suppliers. To attain these goals, the Standardisation Forum was established in 2006. The Standardisation Forum does not develop standards but can assign a status (required or recommended) to existing standards in the public and semi-public sector. Its ‘Comply or Explain’-list assists governments to procure secure ICT. In this Open Forum, the Standardisation Forum presents its approach and the list of the most relevant and urgent security-related internet standards and ICT best practices. Inspired by the Dutch approach, the Internet Standards, Security and Safety Coalition (IS3C) of the IGF currently conducts a global study into procurement and supply chain management, analysing to what extend governments and industry use procurement to enhance their cybersecurity. The result of this study will be presented in this session. Representatives from other countries are invited to share their ideas and experiences. What are these experiences? The debate will focus on what is perceived to work best. 1. The stick Organisations are threatened with measures or legislation to comply. 2. The carrot Organisations are (financially) stimulated to comply. 3. Preaching Organisations receive messages on why it is good to comply. 4. Force Organisations are forced by legislations or fines to comply. Participants will be asked to share their experience and views on this matter. Finally, an international version of a ‘comply or explain’-list will be presented. This list is the result of an international advisory panel that worked under the aegis of the IGF in 2023, that reached a rough consensus on the content. Imagine how security can be changed for the better when all organisations in the world start to procure and purchase ICTs according to these principal standards. Because of it, they will become integrated in all ICT or IoT devices, services, applications, software and hardware. They will be sold secure by design.

Active engagement between the online and onsite moderator will ensure that all participants get their chances to speak. All participants will be invited to engage in the chat so that opinions can be captured this way as well. A moderator can read the most relevant comments from the chat so that they are on record.


🔒Netherlands Standardisation Forum
Mallory Knodel, Center for Democracy & Technology and Internet Architecture Board (IETF), U.S. Steven Tan, Cyber Security Centre of Singapore, government, Asia (still to be confirmed) Larissa Zegveld, Kennisnet and Netherlands Standardisation Forum, government, Europe Wout de Natris, Coordinator IS3C, Europe Participant from Japan Network Information Center (JPNIC) (still to be confirmed) Gerben Klein Baltink, Dutch Internet Standards Platform (Internet.nl), Europe Marjolijn Bonthuis, ECP, Europe


Mallory Knodel, Center for Democracy & Technology and Internet Architecture Board (IETF), U.S.; 
Wout de Natris, Coordinator IS3C, Europe;
Gerben Klein Baltink, Dutch Internet Standards Forum (Internet.nl), Europe;
Annemiek Toersen, Dutch Standardisation Forum, Europe;
Gilberto Zorello, NIC Brasil, South America;
Flavio Kenji Yana, NIC Brasil, South America;
Satisch Babu, INAPP, Southern Asia;

Onsite Moderator

Olaf Kolkman, ISOC

Online Moderator

Gerben Klein Baltink, Dutch Internet Standards Platform (Internet.nl), Europe


Marjolijn Bonthuis, ECP, Europe


9. Industry, Innovation and Infrastructure
16. Peace, Justice and Strong Institutions

Targets: Cybersecurity has to lie at the heart of our evermore digitizing world. When governments and larger organisations start to procure ICTs secure by design, based on the principles shared in this workshop, the internet environment as a worldwide critical infrastructure will become far more secure and less prone to incidents and harm (SDG 9). This will aid economic development because online platforms and services become more secure and safer. It will also provide a more peaceful and inclusive use of the internet and thus assist the goals underneath SDG 16 to flourish.

Key Takeaways (* deadline 2 hours after session)

1. Modern internet standards (such as IPv6, DNSSEC, HTTPS, DMARC, DANE and RPKI) are essential for an open, secure and resilient Internet that serves as a driver of social progress and economic growth. Such standards have been developed, but their use needs to increase significantly to make them fully effective. Procurement policies have proven to be an effective means of ensuring that these standards get traction and are used more widely.

2. Not using modern standards is a risk for the individual internet user. However, often users are not aware of it (because standards are "under the hood") and there are economic network effects that prevent users from fully benefiting immediately ("first mover disadvantage"). Research by IS3C has shown that public-private partnerships can play a crucial role in the creation of transparancy and awareness which is crucial to reach critical mass.

Call to Action (* deadline 2 hours after session)

1. To governments and TLD registry operators: Monitor the usage of modern internet security standards (such as IPv6, DNSSEC and RPKI) in the public sector and in society. For this, they can make use of open source tools such as https://Internet.nl and even extend it (eg tests for Universal Acceptance and for accessibility). Such tooling provides transparancy, helps end-users articulate their demand, and creates an incentive for vendors to comply.

2. To governments and industries: Publish procurement policies regarding modern internet security standards. These can be reused by others when creating procurement policies. Furthermore vendors could use these as requirements for their software and systems. The list with most important internet security standards that was created by IS3C (https://is3coalition.org/) can be used as a reference (consultation untill  5 Nov 2023).

Session Report (* deadline 26 October) - click on the ? symbol for instructions

Moderator Olaf Kolkman introduced this Open Forum by elaborating on the role of modern security standards in securing the internet. He emphasized that we need to secure the internet for the common good. One of the challenges that comes with securing the internet is the slow adoption of security standards. Therefore, this Open Forum highlights tools that enhance the adoption of modern security standards.

The Role of Open Standards particularly in procurement, experiences in the Netherlands

Modern internet standards (such as IPv6, DNSSEC, HTTPS, DMARC, DANE and RPKI) are essential for an open, secure and resilient Internet that serves as a driver of social progress and economic growth. Gerben Klein Baltink and Annemieke Toersen explained the role of standards in procurement and their experiences in the Netherlands. The role of open standards in promoting a safer, more secure, and well-connected internet has become increasingly recognized, with initiatives like the internet.nl test tool which contribute significantly to this progress. The tool is primarily aimed at organizations, attracting both technical personnel and board members, and allows them to assess if their mail, website, and local connections comply with established standards.

In the procurement and supply chain management domain, the Forum Standaardisatie think tank has been actively promoting the use of open standards, advocating for more interoperability. With 25 members from government, businesses and science, the forum advises governments on the adoption of open standards, emphasizing their importance in promoting information exchange, ensuring interoperability, security, accessibility and vendor neutrality.

The Dutch government has pursued a three-fold strategy to promote open standards. Firstly, through the implementation of a "comply or explain" list of 40 open standards, carefully researched and consultated with experts. This have led to increased adoption, particularly in areas such as internet and security, document management and administrative processes, like e-invoicing. Government entities are mandated to use these standards, with required reporting if not followed.

Secondly, the government has fostered national and international cooperation, facilitating workshops on modern email security standards within the EU, and engaging with prominent vendors and hosting companies such as Cisco, Microsoft, and Google. They have also facilitated the reuse of internet.nl code in various projects, such as aucheck.com and top.nic.br.

Finally, the Dutch government actively monitors the adoption of open standards, evaluating tenders and procurement documents, and ensuring that the standards are included. Reports are submitted to the government, and efforts are made to support and guide vendors who may  lagging behind in the adoption of these standards.

Lessons learned from these efforts emphasize the importance of consistently checking for open standards in procurement processes and providing guidance and support to encourage their usage. The comprehensive approach taken by the Dutch government, along with collaborations with various stakeholders, has contributed significantly to the wider adoption and implementation of open standards, fostering a more secure and interconnected digital environment.

Procurement and Supply Chain Management and the Business Case

Wout de Natris and Mallory Knodel elaborated on the role of the Internet Standards, Security, and Safety dynamic coalition in enhancing internet security and safety through various initiatives. The coalition has established three working groups targeting Security by design on the Internet of Things, Education and Skills, Procurement and Supply Chain Management and the Business Case, aiming to contribute to a more secure online environment.

Their ongoing projects involve the deployment of DNSSEC and RPKI, exploring emerging technologies, and addressing data governance and privacy issues. They strive to persuade decision-makers to invest in secure internet standards by developing a persuasive narrative incorporating political, economic, social, and security arguments. The Procurement and Supply Chain Management and the Business Case working group have released a comprehensive report comparing global procurement policies, shedding light on existing practices and advocating for more transparent and secure procurement processes.

The coalition highlights the need for greater recognition and integration of open internet standards into government policies, emphasizing the importance of universal adoption of standards for data protection, network and infrastructure security, website and application security, and communication security. They aim to provide decision-makers and procurement officers with a practical tool that includes a list of urgent internet standards to guide their decision-making and procurement processes.

By focusing on streamlining and expediting the validation process for open internet standards in public procurement, the coalition seeks to enhance procurement policies, resulting in more secure and reliable digital infrastructure. Overall, their collaborative efforts and initiatives aim to create a safer online landscape for individuals, organizations, and governments by promoting the secure design and deployment of internet standards and advocating for the adoption of open internet standards in government policies.

The report from is3coalition.org highlights a concerning trend where governments fail to recognize the critical components that enable the internet to function effectively. This issue has been a recurring question in various research endeavors, prompting the Working Group (WG) to prioritize and compile existing security-related internet standards and best practices in the field of ICT.

Best practice awards go to: the GDPR in the European Union provides common understanding and harmonization with regards to the security of information systems; the Dutch Ministry of the Interior and Kingdom Relations makes mandatory standards deployment. The ‘Pas toe of leg uit’-Lijst (comply-or-explain list) of the Dutch Standardisation Forum is a document containing 43 open standards that all governments in the Netherlands have to demand when procuring ICT; and Internet.nl: the tool used to track standards adoption by an organization’s website based on three indicators: website, email and connection. The software has been adopted in Australia, Brazil, Denmark and Singapore.

IS3C provides decision-takers and procurement officers involved in ICTs procurement with a list containing the most urgent internet standards and related best practices. This assists them to take into account internet security and safety requirements and procure secure by design ICT products, services and devices, making their organizations as a whole more secure and safer. By raising awareness and emphasizing the significance of internet security and safety requirements, the report seeks to prompt officials to consider and integrate these crucial standards into their operational frameworks.

To gather insights and perspectives on this critical issue, the coalition is conducting a consultation on the report until November 5th at 10:00 UTC. This consultation aims to engage stakeholders and experts to discuss and address the challenges associated with the recognition and implementation of internet security standards by governments.

Report: https://is3coalition.org/docs/is3c-working-group-5-report-and-list/

Perspectives from India

There are many examples of good efforts and effective tools enhancing internet security. One of these examples comes from India. Mr. Satish Babu highlighted that the Trusted Internet India Initiative was initially established at the India School of Internet Governance (inSIG) in 2016 and has since 2018 been collaborating with the Global Forum for Cyber Expertise.

InSIG organized GFCE’s Internet Infrastructure Initiative (Triple-I) Workshop in 2018, 2019, 2022 and 2023 as Day 0 events of inSIG. The Triple-I workshop seeks to “...enhance justified trust in the Internet” by building awareness and capacity on Internet-related international standards, norms and best practices. In its 2023 edition, the Triple-I workshop announced a new initiative that attempts to measure periodically the compliance of Indian websites, DNS and email services to modern security standards (to begin in 2024).

During the T3I workshop, it was emphasized that digital technology plays a crucial role in fostering India’s growth. The digital public infrastructure, which serves over a billion citizens, facilitates applications related to financial health, logistics, and more. However, the workshop shed light on the existing weak levels of compliance within these systems. In response to this observation, volunteers associated with T3I conducted extensive research to identify areas of improvement.

Building on their research findings, the initiative now plans to conduct comprehensive testing and disseminate the results to all stakeholders. The aim of this effort is to enhance compliance levels across Indian digital platforms, ensuring that they meet modern security standards and contribute to a safer and more secure digital environment. 

Perspectives from Brasil

Mr. Flavio Kenji Yanai andGilberto Zorello shared their experiences from a Brazilian perspective. The Brazilian Network Information Center (NIC.br) is a non-profit civil entity that since 2005 has been assigned with the administrative and operational functions related to the .br domain. NIC.br is actively investing in various actions and programs to improve internet services across different sectors. Their initiatives are geared towards disseminating knowledge and best practices, contributing to a safer and more secure internet environment in the country.

A key project they are currently undertaking is the TOP Teste os Padrões (Test the Standards) tool, which was initiated in December 2021 and utilizes Internet.nl provided by the Dutch government. As part of the Safer Internet program, their objectives include providing support to the internet technical community. This involves collaborating with various groups to develop technical teaching materials and promote good practices aimed at raising awareness within the technical community. Their efforts have yielded positive results, as statistics indicate a reduction in misconfigured IP addresses.

Furthermore, they have implemented the Mutually Agreed Norms for Routing Security (MANRRS) in Brazil, leading to a notable increase in the number of participants. The statistics reflect continuous improvements in various aspects of internet security within the country. With significant incumbents responsible for approximately 50% of the internet traffic in Brazil, the implementation of version 1.7 of internet.nl, currently in the validation phase, has been instrumental. The tool is being widely disseminated in conjunction with the Program for a Safer Internet, with government entities also starting to utilize it to test their websites and email services. The TOP tool has proven to be of immense value in fortifying the internet infrastructure in Brazil.