IGF 2024-Day 4 - Workshop Room 6 - DC-IoT & IS3C Global Best Practices for a Resilient and Secure IoT by Design

The following are the outputs of the captioning taken during an IGF intervention. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid, but should not be treated as an authoritative record.

***

 

>> MODERATOR: Hello.  Do you hear me?  I hear myself.  Good morning, everyone. Welcome to this session on DC-IoT and IS3C Global Best Practices for a Resilient and Secure IoT by Design.  IoT has been on the agenda since 2008, and at that time there were more people online than devices.  This is definitely the other way around today and increased importance to also the use of IoT devices and networks and services in our environments has become true.

 

Hence the criticality of making sure it's more secure than before.  Because we rely on it more than before.  So a very short introduction because we only have an hour.  DC-IoT is a very good practice for IoT so finding a multistakeholder and what that entails.  And very short -- it comes down to issue of thing, good practice principles, that we believe that Internet of Things for practices and services, taking practical considerings to account for the outset.  Legal is obvious.  Ethical hasn't always been that obvious.  Both in the development and use cases of the life cycle.  Thus to find the ethical sustainable way ahead.  Using IoT to create a free and secure rights environment for minimal economical footprint on the future we want for us and our future generations.

 

So this is where we are working towards and we are very happy to work with IS3C who has also done some work in the past and we have done some working to before.  I'm having about the coordinate from IS3C to introduce the IoT activities of IS3C.

>> Thank you, Maarten.  My name is Walt (?) and the coordination for the International Standards and Safety Coalition.  We work in a few fields.  I'm not going to mention but you understand how broad our work does.

 

We do security design on IoT and education and skills in the cybersecurity sector.  Procurements for governments.  Data governance and we create tools and we will do work with (?) transcription -- and that's what 8 and 9 chair will be talking about. And we do that all of that with one specific goal, making the internet more secure by design to make sure that security related and second generation, international standards adopted by the industry to make us all more secure and safer.  Thank you for the opportunity to introduce myself.

>> MODERATOR: Welcome, and thank you for assisting for online moderation and online questions are also very welcome.  We will only have an hour or

 

So what we decided to do is have three topics that we are going to talk about.  The first topic is -- so what are the current IoT security developments.  And the panel focused on that.  Second one on the data governance related to IoT.  IoT is creating an enormous wealth of data.  And they are dealt with differently and how to do it well and also in context to privacy.  And last but not least, we also talk about emerging technologies and the impact with IoT governance.

 

Without further ado, I would like to introduce to you a lady who is at the core of these activities in the U.S.  Renee Roland from the SEC who has been overseeing this work there and has been seeing that is the U.S. has created some standards.  And now also has the pleasure and honour of starting to exchange experiences with countries other than the U.S. on mutual recognition and things like that.

 

Renee, very welcome.  After you Nicholas will speak, and then we will have space for some questions.  Renee, thank you for getting up at this amazing early hour for you.

>> RENEE ROLAND: Thank you for having me.  And please let me know if my volume is high enough.

>> MODERATOR: It's high enough.

>> RENEE ROLAND: Good. Renee Roland here at the special Federal Communications Commission here in the United States. And as you said, I'm in the U.S. cyber programme and the trust work and the Federal Communications Commission has established rules laying out the foundation and framework for a voluntary cybersecurity programme for wireless consumer IoT products that happened in March of this year.  And then in September those rules became effective.

 

Under this voluntary programme, qualifying consumer smart IoT products will have a cyber label that is going to include the new U.S. Cyber Trust Mark that indicates to consumers that the product meets critical minimum cybersecurity standards.

 

Now the IoT product for our programme include IoT device and any additional product component, for example a back end or gateway or mobile app that are necessary to use the IoT device beyond basic operational features.

 

The device is a product that is internet connected.  Also capable of intentionally emitting radio frequency energy, as that is under our jurisdiction.  And also capable of having at least one transducer for interacting directly with the physical world.  So a sensor, for example or an actuator.  And at least one network interface for interfacing with the digital world so an Ethernet or Wi-Fi or Bluetooth.  So Smart watches and light bulbs, baby monitors, et cetera, are included in our programme.

 

While the product is defined with data communication links to external components it does not include external components or any external third party components that are outside of the manufacturer's control.

 

Under our programme, the commission is the programme owner.  However the programme will be supported by a lead administrator who we recently announced a couple weeks ago as UL Solutions.  They will be responsible for collaborating with stakeholders and with making a number of recommendations, most notably regarding standards and testing.

 

We will also have cybersecurity label administrators that we call CLAs responsible for the day-to-day management of the principal, including accepting and reviewing and approving or denying the use of the trademark.

 

We also just recently announced the selection of ten CLAs for the programme.

 

And finally we have our cyber labs that will be responsible for testing products to make sure manufacturers meet requirements to use the label.

 

Now the products will display the U.S. Cyber Trust Mark in a QR code, and that QR code will direct the consumer to a decentralized publicly available registry.  And that registry will link to additional information that is consumer friendly about the securability of the product, such as how to change the default password, how to configure the device securely, et cetera.

 

Excluded from our programme are medical devices, motor vehicles, and there are a number of provisions that we have that address national security threats.

 

NIST core baseline, 84-25 starts as the basis of our IoT labeling programme along with the 82-59 series of reports that provide guidance for designing securable IoT products.

 

Finally, the programme recognizes that international harmonisation of cybersecurity standards really brings an immense value to manufacturers.  And in that regard we really have been meeting with a number of different countries over the past several months learning about their respective labeling programs.  We do have an arrangement with the EU to commit to achieving mutual recognition of our plans and we are in the process of doing comparative analysis of our plans.

 

We have been working closely with them in that respect on comparisons.  Other countries, Singapore, has also been very eager to begin comparative analysis once our standards and scope are in place.  They -- as you may know have cybersecurity labeling scheme for Smart consumer products and have already stood up their benchmark up against the European Standards Organisation and have mutual recognition agreements with Finland and Germany.  We have also met with a number of other countries including Australia, Canada, Israel, India, Japan, Korea, New Zealand and the U.K.

 

And we expect once our standards and scope are in place to move as expeditiously as we can on developing mutual recognition of the IoT label and we are looking forward to continuing that dialogue.  Happy to answer questions with regard to next steps.

 

But we will mention we have kicked off a 90-day engagement stakeholder period that will begin in earnest after holidays during which time the lead administrator in collection with the CLAs and ministers will have recommendations to us most notably the recommendation on developing procedures for our programme.  Thank you.

>> MODERATOR: Thanks, Renee.  Thanks for that excellent layout.  Two quick questions.  One, is the public comment period -- is that the public one, or is that restricted to certain bodies?

>> RENEE ROLAND: The 90-day stakeholder engagement process has not yet had an official, official start, because of the holidays.  We expect it to start in January.  And we are working with the lead administrator right now on how we will ensure that there is a diversity of stakeholders engaged in the process. 

 

But we will also be putting out the recommendations from the lead administrator to the public.  So the public has an opportunity to comment on them.

>> MODERATOR: Thank you very much.

And the other, one as you mentioned, was a multilateral context.  Is there also harmonisation -- or how do they call it, looking at the IEEE work in this area, et cetera?  The global standards models?

>> RENEE ROLAND: Yeah, I think part of our coordination with (?) is to start off the process with the EU and understanding they will be working with the CRA and coming one a process so we can develop mutual recognition with the other countries as well.  So I think we are trying to be as flexible as possible keeping in mind the scope that we come up with.

>> MODERATOR: Thank you very much for this.  For now we will move on to Nicholas.  Nicholas, you have been overseeing a lot of work on this for IS3C.  What is your latest input.  Where are we and what is next?

>> Thank you very much, Maarten.  Good morning, and afternoon.  My name is Nicholas (?) chair of Working Group on IoT Security by Design and in North American and (?).

 

Our mission is to ensure the security becomes a foundational principle into every IoT device's design and life cycle.  In 2022, our report from the Dynamic Coalition saving the world from IoT and policies from 18 countries.

 

We have designed 442 best practices for four key areas that were data privacy, security updates, use of empowerment and organizational resilience.  It's all about IoT, right.  Despite this, some gaps remain, particularly on policies and lower standards are fragmented.  On the topic for this first panel, the schemes are gaining global recognition as a key mechanism for addressing IoT security challenges.  These are schemes by design, and to inform consumers about the security features of IoT products.  They are empowered in some manner to make more informed decisions while driving manufacturers to secure by design principles.

 

At the research IS3C where the past underscored this critical of scheme submission between consumers and manufacturers.  But, however, implementation of these schemes remains globally, right.  Regions like Europe and Asia-Pacific and U.S.A. have significant strikes other regions particularly in the lower south and where I come from Latin America and Caribbean we face such mechanisms. 

 

In our report we have looked a global anywhere actives.  One of them is the CLS, as mentioned by Renee, Singapore has pioneered we think one of the most complicated schemes available globally.

 

They used the entire approach based on the security features.  The device must meet rigorous benchmarks as well, such as secure software updates and unique identification protocols.  Another one is the Finland security labour initiative.  Finland is more on the transparency and trust.  And third party testing for these IoT devices.  Ensuring some manner it's providing a cheer and more verifiable security claims.  Maybe trust.  And another one is a United States cyber trust as mentioned by Renee.  They have launched this highlight operation of resilience.

 

And also updating a standard like the four or five -- 84528.  A natural steps toward the standardization.  Minimal IoT standards in the North American market.  Just to mention another one, because in our report we analyzed several regulatory documents and policy duties talking about IoT security specifically.

 

So the other one is the Korea regulatory framework that takes a multilayer approach.  It's a technical perspective offering detailed requirements on how to address diverse stakeholder means.  And also this provides examples sufficient as protocol schemes and the device administration that other standards does not provide.  They are more like high level.  This is more like practical.  We found not only on the complex literary language but also accelerating the compliance implementation.

 

So despite these advancements we think the challenges remain.  It was very great to have Renee on the issues.  As you mentioned because in our report in 2022 we recognized that the lack of these are harmonised global standard is sometimes creating consistencies, you know.  Where the schemes live the reach and impact of the leveling product.  Additionally awareness of labeling and schemes remains low in many regions, as I mentioned, so that's why the cyber labs approach that Renee mentioned are so docile.

 

So from our report, we have a number of IoT recommendations.  One is on labeling.  Two is that the voluntary frameworks while available sometimes fail to achieve widespread adoption.  So it's up to governments to introduce mandatory labeling policies for implementation.

 

Then on the labels they should not only reflect a device for a security state but thinking in the future.  Why they need to account for life cycle commitments.  That is very important for us.  As details on the end of life consideration.  Because IoT devices and the state-of-the-art of security, also in the light of the quantum advancement is always challenging.

 

Finally consumer location compliance.  We think of -- that is what one of our recommendations from the report.  We identify -- a future war to focus in on that much the labour and the skills can only succeed if consumers understand the value, how the consumers will understand the technical stuff.  So governments and industries stakeholders and we think must invest in public awareness.  To reach this knowledge gap.

 

So in adopting these measures, we think that we can transform the labeling to a more powerful trust and security in all IoT that exist.  Thank you. 

>> MODERATOR: Thank you very much.  Have you witnessed the work of the IOC?  One of the things that strikes me with this work -- much of it was done a year ago. How much has happened since?  And Renee's presence here is a very clear testimony of that on the labeling and certification in particular from individual initiatives.  So individual countries and initiatives coming to what is beginning to be harmonized today. 

 

So, Renee, also, very much thank you for your work in there.  And as you pointed out, the labeling it's useful to inform consumers they still need to know how to deal with it.  And very much appreciate that input.

 

Any questions in the room at this moment?  Please.  Please introduce yourself to me.

>> QUESTION: Thank you very much.  My name is Gibson (?) from the council of the African City Alliance of the  Cybersecurity Organisation.  So this is a very, very important panel and I really appreciate the presentations.  You know, you raise a concern about harmonisation and about reeling with the stakeholders, the customers, you know, the users. 

 

So my question is why are we not -- the IS3C, International Standards Organisation, introducing all standards -- all providing to -- why can't we get to them first so that we can streamline the process going forward?  Thank you.

>> MODERATOR: Thank you for that.  And I will ask Renee to come with an answer on that.  While saying one of the reasons why we try to come to a common understanding of global good practice is that it would be to inspire and to provide a common line. 

 

And in an ideal world there's interaction between the understanding which we develop here at IGF and the initiatives that are rapidly verifying around the world, both in the International Standards Institutions as in the  countries.  Renee your feeling on this, please.

>> RENEE ROLAND: I think that's right.  You have countries like Singapore that had started obviously before the United States have started.  And they have -- you know the four-tier system.  And then in terms of our system, we determined the best system for us was to have a system that is not a tiered system.  You either get the label or you do not get the label.  There is no tiering. 

 

And there are some other differences between the various schemes that are out there and the scheme that the United States has determined to come up with.  So I think that -- part of the problem is just the difference in timing in terms of when these programs have initiated.  But I think the goal is ultimately to be able to have some sort of -- either mutual recognition or otherwise harmonisation of the programmes going forward.

 

And I think that's the intent of the countries at least that we have spoken with.

>> MODERATOR: Thank you very much.  Next, Walt?

>> You need to come back to the question on of the official standards institutions.  But my experience in the past three years that I'm working in IS3C is that internet standards are made by people who represent the internet.  So in the IETF, Internet Engineering Task Force -- and that's separate from the institutions like IS3C  or what have you, but they don't do the internet standards.  But that's what make the internet work.

 

And one example where it failed.  Instead of European commission had a group of people that had to decide to officially recognize IP version 6 or DN there, or something like that.  After 18 months of talking, they just decided to stop because they couldn't agree whether that was the right standard or not. 

 

But this would make the internet work.  It's not about recognizing it officially.  It is about making sure that you understand that it's just there.  It's not going to change.  So you have to start working with it and not recognizing.  Because there's no need to recognize it any more.  It is the standard.  And that's what the IoT more or less is saying in my opinion.

>> MODERATOR: So the natural evolution of this is standards that are not only available to the countries that have the capacity to be front runners like Singapore, U.S., but this would be shared with the world.  And as Renee expressed clearly, it's the intent.

 

So for the sake of time, I would like to move on to the next part.  We're exactly on time, so I think for the questions, this is the first step into the work to come.  But I think we are on track and your question was right on.

 

So with that we move on to IoT data governance and privacy.  And for that I would like to invite Jonathan Cave from the (?) the university with the work of IoT acknowledging that many live data from persons are collected 24/7 and to our analysis are even reelable to people and AI will strengthen that process as well.

But Jonathan, please your opening remarks here.

>> JONATHAN CAVE: Thank you very much, Maarten, and thank you, everyone for attending this in whatever time zone you happen to be in.

 

Just to begin, I wanted to note that both the resilience and the security and indeed of functionality of the Internet of Things depend on how the Internet of Things is used and the awareness people have on them.  And they also depend on a range of different participants.  Designers but also users and all the intermediates that like them in between.

 

And one of the things that flows in between them and enables them to decide who does what, or one of the attributes are the data that are collected.  The Internet of Things, like in other things in the internet is self-documenting.  It collects data as it goes along.  And this data can be retained and processed and used to provide and protect all the things we want from the Internet of Things, which include privacy and security.

 

But it's worth noting that privacy as we normally understand it nowadays is data privacy referring to personal data of identifiable persons.  But that's really only the tip of the iceberg.  However that tip of the iceberg has been used to create legal and regulatory structures that may get in the way of some of the ways we have come to understand and use data.

 

One obvious example is proprietary data or data that can be shared.  They are not private to the individual but they are useful in sharing in smaller groups.  And they link peopling to through networks of trust, what lawyers might call privacy.  So it's important to -- when we think about data governance, not simply to protect into the Internet of Things thing that came from a world of individuals whose individual privacy was being protected.

 

The second point related to that is that data privacy is only a part of the privacy we want individuals to have.  If we want individuals and indeed devices, to be able to act on the basis of the information that they receive, they have to have a certain responsibility attached to them.

 

Now with individuals, we do that through mechanisms like consent and awareness.  So in other words we ask people to consent to the collection and processing of their data.

 

But as Maarten mentioned that many of the data are not data we can ask for people to give informed consent.  They are simply collected in the process of people going about their normal interactions.  And that applies not just to the people but to the different devices in the Internet of Things.  The received data and take actions.  And these things are perfectly preserved and their implications may not be fully understood.

 

Now another thing that happens in this world is when people interact with the Internet of Things they receive data from these devices as well as supplying data to them.

 

The data they received from them, the prompts for example and query responses and so on, change the understanding and change the behaviour of those people.  So it's not necessarily correct to say that all people in all parts of the world have the same degree of sovereignty and understanding or should be made responsible in the same way as the others.

 

So the final point about this is that many of these devices are becoming Smart devices.  Smart devices among other things they not only take decisions, but they learn.  And they learn from each other and they learn from the people around them.  And that change means that the device itself can certainly the algorithms want device are different when they are in use than they were when they left the factory.

 

They are putting the responsibility on designers and saying we must correct these things by design may miss the most essential element, which is you may have an algorithm that is perfectly innocuous.  But based on what it learns it can wind up making decisions about which people might have concerns and which they might want to monitor if not exactly control.  This is what happens, for example with algorithmic collusion in the case of pricing algorithms although that's a slightly different issue.  But it is true that some of the players here the manufacturers and platforms and so on have special responsibilities.

 

The final thing I want to mention is the data that collected will be retained and used and through the longitudinal study of this data, the repositories that are created we can come to understand many complex phenomenon that the law at present and regulations are inadequate to deal with.

 

But part of that continuity is new generations will come forward.  And one of the kinds of meat and potatoes data governance issues is the fact that new generations of devices are entering the Internet of Things all the time and with these new generations come new protocols for storing these data.  So they may not be understandable or accessible by later generations.  And they may not function properly when fed with data collected by later generations of devices.  So the formats, the level at which these things are retained and access to long-term repositories, may be very important.

 

And the conclusion of that is that many of the rules that we have on the privacy and proprietary nature of this data may get in the way of having an Internet of Things is a capability of retaining enough data to be able to understand the problems it may create or to be able to back away from or modify the standards and methods that it uses when things cease to be a problem.

 

Okay.  Those are my remarks.

(Audio Difficulties)

>> RENEE ROLAND: Maarten, I can't hear you.

>> JONATHAN CAVE: No sound from the room here either.

>> MODERATOR: Can you hear me in the room now?

>> JONATHAN CAVE: We can, but are you slightly reduced?  Although you are quieter than you were before.

>> MODERATOR: Quieter.  The technical team has been learning every step how to work with the setup and in the room.  Thank you for that.

 

So yesterday in this room we also talked about the consciousness of equipment that can be on the ability of the user that they are serving.  So to adapt to -- for instance elderly and the way they interact.  So I think that relates to the point you just made too.

>> JONATHAN CAVE: I think just one small comment on that.  And that awareness also includes whether or not -- what people understand about what their devices are collecting from them.  And it is quite possible that the population of users may fragment into people who basically don't trust having data collected in ways and used in ways that they know they don't understand. 

 

And people who become unaware of the collection that is taking place.  So as with Smart speakers and so on they fade into the background and you take them for granted the same way as you do other things we use normally.  And that splitting in the population may have concerns, particularly in international contexts.

>> MODERATOR: I very much appreciate it.  On this, Nicholas, the work of IS3C on IoT as it relates to privacy, please.

>> Yes, as well everyone, because you know IoT systems generate this mass amount of data and often sensitive that can be managed responsibly.  So this week is about the policy as mentioned that balances innovation with the privacy and I should emphasize in data governance it's different than it was. 

 

The integrity of data, right.  It's not appropriate to make them all the same.  Each category requires like tailored security measures for a specific risk.  I would also like to highlight something that was addressed not only about the user using device right but also thing to thing.  It means devices communicating and activators operating between them.  So different area as well.

 

Some of the recent developments in IoT data governance we can measure is the EU CRA the life cycle security, the manufacturers as well throughout the device organize alive.

 

We also have seen the specific beginnings for critical component of this IoT ecosystems and also why not to highlight the work on Thing-to-Thing Research Group, the IRTF, the Internet Research Task Force, that is focusing more on exploring this advance in technology and also raised by (?), because a new generation of devices are there.

 

Protocols and intersections and this communication among IoT devices as stated in the website the research group, the mission of this group is to identify the challenges and opportunity related to the device and communication and related consistency.  So it's important that it's not only about the user.  This is very important for policy makers.

 

And we also need to mention that this cannot be left behind.  The global initiative exact, forcing international cooperation to look at the standards, particularly for the IoT devices that operate across borders and the internet.

 

So in our report in  2022 and 2023, gaps in governance and particularly in issues in the south and like this enforceable privacy laws.  Many countries relied on guidance and mechanism, but what other recommendations we want the government to adopt is holistic privacy and challenges such as encryption and controls and minimization of exposures.  Different things that are there. 

 

And also life cycles about the protection and use of empowerment mechanisms and this global organisation.  Because we have a difference with working groups and protocols.  IETF and deep suite can you explore the IETF website on harmonizing these government systems.  It's essential for us to have consistent protect across the years.

 

This may be required a digital tax contact and collaboration and alignment with frameworks like (?) but now more advanced technology.  So to translate these recommendations into action, the IS3C is looking at the multistakeholder corporation like industry and government and the Civil Society must work all together to create these policies that are enforceable and adaptable to emerging technology. 

 

So it's not just about the connectivities.  Maybe about trust.  We need to deal with data and embedding this is strong governance and privacy measures into the IoT landscape.  We can create this future, where the technology serves the humanity without compromising our security or privacy any more.  And I'm looking forward to questions and the issues here.

>> MODERATOR: Thank you.  I don't see questions in the room, right.  Jimmy.  Very quickly.

>> You are talking about Smart regulation.  The data is going to be huge.  So what you recommend, there was a period for data to be stored two years, three years, five years, for IS3C in charge of data storage.  And secondly, you consider the net guidelines for engagement because you mentioned collaboration.

>> MODERATOR: Thanks.  Please introduce yourself.

>> QUESTION: My name is (?) for Africa -- (?) foundation.  I just want to understand the difference between AI and IoT.  Now we realize that -- let me say in Africa, governments are beginning to regulate the process to regulate AI.  So I want to know the difference.  Is IoT AI or AI IoT?

>> MODERATOR: I appreciate that question, but for the sake of time we will discuss that outside of the meeting. But a quick response on Jimmy's question, and I'm very happy to talk further.

>> Yes, I would answer your question over here.  The corporation mechanisms.  You know like for promoting the digital inclusion, IoT is almost not reeled with AI but not like the same.  Because we are talking about constrained devices.  For me the most important part here is that it's different from the ICT technologies where you have more power. 

 

The IoT devices are restricted.  And in terms of energy or batteries.  It's a different approach.  That is why we differentiate from the ICTs but advancing global cooperation.  This is something important for the nations and the industries to have this global challenges as well as cybersecurity for the ICT or misinformation or digital information.  These devices.  We build millions of devices. 

 

So these also align with the digital transformations.  The United Nations sustainable development.  Also at the end it's all about harmonisation, and digital cooperation.  And also you know these devices are promoting -- we have other products that are globally, back to the future and the climate change.  We are talking about the location with the devices so at the end, we need to have more a holistic approach to understand how to have a global picture of all of this.

>> MODERATOR: So I'm sorry, Martin, but we have 15 minutes left, so very quickly.  But then we move on.  Typing doesn't help.  Switching on does.

>> Thank you, about GIC Africa.  The question I have raised, it's something -- it's not really a question.  It's something I want to emphasize. 

 

Two areas that are difficult.  One is the way IoTs organize especially when you look at the ecosystem.  For example the centralization of the IoT system brings with it some challenges, especially when it comes to manufacturing and the equipment.  And also the geopolitics of the equipment as we know it very well.  There will be specific parts of the world that will develop many tools and equipment that are not allowed to be in specific parts of the world as well.  Or the other way around.

 

The other thing also is we need to emphasize on regulation.  Because regulation is one of the most difficult.  IoTs in isolation.  They are in specific jurisdictions across borders and how do you make sure we harmonise that regulation.  Because it's different.

 

And if we do anything as far as global settings are concerned, regulation will always have a difference.  And that is something we really need to look at.  Because if we don't look at regulation how do we have users using it and monitoring, et cetera.

>> MODERATOR: I will remark that it's true for IoT governance and true for data governance and AI governance and essential issues.  Renee touched a little bit upon it.  What drives the positive there is that there's a recognition that -- that mutual recognition will help because things come across borders all the time.  Whether it's data or even devices.

 

So that is the positive stimulant.  And yes, we have different -- actively different incentives in the world.  Very much recognized but with that I just wanted to really also open the floor for the next one which is IoT governance and emerging technologies with a focus on the impact of quantum and AI.  It's about thinking ahead of the issues that we will be facing tomorrow or a couple years from now.

 

For that very happy to have Elif Kiesow online who is the chair of the working group nine.  Elif, please.

>> Thank you, Maarten. I will jump into the subject.  Today we note cinematography highlight that the IS3C is important for data privacy as quantum computing capabilities advance.  Recent research shows that the algorithms like IS3C is vulnerable to attacks from powerful quantum computers which do not yet exist but remain a credible threat for the future.  IS3C provides algorithms that are designed to ensure long-term protection of sensitive information and secure communication challenges and implementing the solutions now allowing organisation security measures against potential quantum threats over the coming decade preventing possible data breaches and security risks.

 

Governments and standards bodies like NIST are --

>> MODERATOR: Actually?

>> Perfect.

>> MODERATOR: You are gone for ten seconds but are you back because you are clearly speaking now.  Thank you.  Please continue.

>> Okay.  So I would not know where it broke.  So I was explaining the importance of implementing PQC solutions so the organizations are future proofing their security.  This is both for data breaches and national security risks and governments and important organizations like NT are actively looking at standards that need to be adopted and for this widespread adoption across the industries to safely guard against computing threats.

 

And today we are very happy to announce a new project of our Dynamic Coalition.  This will be for the DC IS3C 3C.  We will be collaborating with France on a new project that is very relevant to this session.

 

 

We will work on a collaboration between the working group one, that is on IoT security, as well as working group nine on emerging technologies.  Our research will have two different areas to focus.  One that is societal impacts of IoT and the second one on those of post quantum photo and we will be combining analysis on these as well.

 

In this research, we will include a multidimensional look for this.  And we will be looking at impact on societal, legal, economic and environmental levels, and we will be also including policy recommendations both at the state level and the organisational level.

 

Next year in IGF 2025, we will be enabling stakeholder engagement in the issues through a common workshop that will be promoting dialogue on society obligations and future networks.  And we will be finalizing the combined report that will be looking at IoT security and PQC where we will be also exploring themes like digital transformation and future proofing against emerging threats and include references to international cooperation and economic competitiveness aspects within the broader context of cybersecurity efforts.

 

This project will be conducted and concluded within the next six months.  So please reach out to Walt, who is in the room, if you would like to reach out to us for similar project in the future too.  Thank you, Maarten.

>> MODERATOR: Thank you for that.

And this is also an area where capacity building around (?) is important.  So everybody gets involved or all cultures are understood when moving ahead in this area.  So the global dialogue is crucial in these areas I think.

 

There's a broad recognition -- and we talked about the data from different generations.  Jonathan raised that.  They may also have different levels of encryption that may be affected by quantum computing, the power of those.  So standing ready for that is -- as Elif raised one of the elements to really look to moving for.

 

The other element is very much related also to AI.  AI is not a global concept.  AI is very much about how you apply it in your region for your purpose.  And that can only happen if you know how to do it.

 

So even if a device measures temperature or whatever.  What you want to do with that may be different whether you are in Africa or the north pole, for instance, just some examples.  So really looking at how you ensure that you can adopt what we learn on AI and what we develop in IoT and help to -- in the end impact on the people in your region is something that clearly needs to be considered moving forward. 

 

Therefore, also, I think both -- at all stakeholder levels government on how to put in guardrail, how to stimulate the development, industry.  How to see the opportunities and how to be able to grasp the opportunities.  Technical community to support this, whether it's focused on the internet or on the car industry.  And the users in the end.  What do we really want?  To be involved in how this progresses.  Jonathan anything to add to that?

>> JONATHAN CAVE: Just a couple of tiny points.  Thank you so much, Elif.  That's really provocative.

 

Among the things that may be of concern.  You are probably already thinking about them but they have implications beyond that specific initiative are the proliferation aspect, that quantum computing becomes cheaper and more ubiquitously available.

 

The nature of the problems and seclusions themselves may change, for example with decentralization opposed to a concentration on platforms that can see what is going on and respond to it.  And that movement of intelligence from the edge to the center or from the center to the edge should probably change a lot of the way we think about these things from a regulatory point of view.

 

Another one is the dominance of the cryptography thing.  Because that is a killer application at the moment which is strong cryptography and very smart ways of breaking cryptography. But the use goes beyond the greater complexity with how the IoT will function. 

 

And with charge capacity come emerging types of behavior that we will need to think about, not just from a security but from a safety perspective and even to be able to detect these things may require a different kind of thinking than thinking about how systems operate as they were designed to do by the people who use them.

 

And the last part of that is that in the security world we tend to think about things in terms of attackers and defenders.  Obviously the multistakeholderism of the implications of quantum computing goes far beyond that.

 

And a lot of the things that we worry about or place our hope in don't come from a kind of zero-sum perspective but involve the interaction of many, many people.  So the game theory should get a look in that.  But thank you.  That was really provocative.

>> MODERATOR: Thank you for that.

So thinking of the future any questions in the room?  Nicholas, please.  Your microphone is gone?

>> Just to highlight a comment with the quantum.  Because you know scientific is more information that does not see these.  We are seeing the healthcare device, critical infrastructure having IoT sensors or -- so implementing quantum standards is like future proof.

 

You know, the systems are against marching threads and for those interested, just one hour from now, in room 9 we will be hosting an interesting workshop on the topic of the critical importance of security routing and -- it's called advancing IoT security most quantum encryption so we will dive into this post quantum encryption and IoT security to explore.  So you are invited to thereon that conversation as well.

>> MODERATOR: Thank you very much.  Walt, please?

>> Yes.  There are interesting comments that Jonathan made in the chat.  So do you want me to read them, Maarten, or do you leave it there as it is?

>> MODERATOR: Please summarize. 

>> It's a lot so I will try.

>> MODERATOR: Shall we ask Jonathan, because he's online.

>> Jonathan, make one or two points you have in the chat.

>> JONATHAN CAVE: Thank you, Walt. I will just summarize them.  If people want to come back, I can explain them.

>> MODERATOR: Can you hear --

>> JONATHAN CAVE: I'm hearing you --

>> MODERATOR: Technical support to resolve that.  Please give me your thumbs up.  It should work.  Hi, Jonathan.

>> JONATHAN CAVE: Is that any better?

>> MODERATOR: Yes, it's better.  Thank you.

>> JONATHAN CAVE: So the first one was the data may cross categories.  One of the things here is that -- for example automobile sensors could do a lot of things that have nothing to do with the operation of the car.  They can reveal their driver's political preference, their gender, et cetera, et cetera, et cetera.  And this crosses regulatory boundaries, and therefore, is a separate thing that we may need to think about.

 

In relation to applying the technologies, particularly to developing countries, the issue of data colonialism should be mentioned where people from developed countries give devices to developing countries which help them, but also siphon data out of them and they can use the developing countries almost like elaborates to harvest their data.  And equitable sharing of that data and equitable control of how those data are used will be very important.

 

The trust network is also very important but also the trustworthiness of the data.  When it's human data we worry about disinformation and justice information and malinformation.  The same thing is true with devices but may be much harder to detect.  Devices with

(Audio Difficulties)

And finally in relation to the devices and the people behind them are the IoT and AI component of it.  If the AI is the brain, the IoT are the eyes, the ear and the hands.  And just as it's hard to think about a mind without thinking about the senses and capabilities of the person, the distinction between AI and IoT particularly when the devices themselves may have some degree of what we used to call ambient intelligence but where the intelligence of the system comes through interaction of all of these devices we may want to be careful about whether we retain that distinction.

 

And the final thing on mutual recognition.  Mutual recognition is a good thing.  We have it in free trade agreements and things like that.  It can be very helpful.

But it could also be very harmful.  Mutual recognition can be a back door for bypassing the regulations of countries and for denying the people in those countries access to information that they may need.

 

And this is particularly true between high-tech and low-tech countries and we are seeing it already in the world.  If you accept devices and services on the grounds of mutual recognition there has to be some degree of verification before the trust that lies in that mutual recognition can be fully embraced.  Okay.  That's it, thanks.

(Audio Difficulties)

I think they may have a chance to do it right within the technology for once if we could bear for the post quantum era up front and we would be more secure where they were with the internet and with IoT but it doesn't do a collaboration -- deal with collaboration. 

 

And when we have this report out, you will have to make sure that people actually read it.  And that is going to be probably the biggest challenge that we have.  And we may have to prepare for it together.  So that we have the right influence when it's ready.  So that's a final comment.  Thank you.

>> MODERATOR: Thank you for that.

Renee, thank you again for being with us at this ugly hour in the east coast, the U.S.  Your final takeaways? 

 

>> RENEE ROLAND: I did want to talk a little bit when we are talking about regulations and some of the challenges that we have.  Certainly, as I mentioned at the Commission, under our programme medical devices are not included, automobile equipment are not included.

 

We did consider in terms of flexibility in the future other things we may add, right, and I think part of the issue is there are already regulations by other agencies, right, for equipment, automobile equipment and then medical devices.  So there's a whole other stream of work that is going on with respect to harmonisation of federal agency regulations and some of the inconsistencies that there may be or overlap that there may be.  So I think that's a different stream of work that we are also doing and part of the commission.

>> MODERATOR: Thank you very much.  Elif a final reflection from your side?

>> I will just echo Renee's comments in saying that all of those issues that we are seeing about standardization will be now also applicable to the PQC space, so I think we will be seeing a lot more there too.  Thank you.

>> MODERATOR: Thank you.  It's time so let me round up this session.  We raised a couple of very important issues.  And I think even if you talk -- we started labeling it certification, we can also see that that evolves throughout the international process of mutual recognition throughout the multistakeholder input that emerges over time and across the world.

If we keep it short on what the global practice looks like, it's kind of a reflection almost happening.  There's many things moving.  And let's try to keep that clear for all of us so we can move together. 

 

One of the other influences there may be is there's the initial focus on security.  There may be a next focus also on privacy aspects in the label to take that important labeling.  Maybe even the environmental impact in the labelling. 

 

So it's likely that to evolve as well.  And a role I think I'm really happy with the understanding that we got all the systems.  But we also got the beta, and let's not forget that.  And last but not least, where we are now is not where we will be tomorrow.

 

So let's think ahead because we have seen over the last year how quickly things move.  What we will see toward the future.  My expectation maybe not what we expect, but we will move very fast.  So let's stay on the ball.  Stay on the balling to and move this together. 

 

So thank you all very much for your inputs, your thoughtful comments and questions.  And we are looking forward to publishing the report and going from there.  This is for us a step in the process and a good step.  Thanks to all of you.  This is the end of the session.  Thank you for all of your help technical section.

>> RENEE ROLAND: Thank you.

>> Thank you.