Session
Speaker 1: Alaa Abdulaal, Intergovernmental Organization, Global
Speaker 2: Aderonke Sola-Ogunsola, Government, African Group
Speaker 3: Ekaterina Imedadze, Government, Europe/Asia Group
Speaker 4: Pawan Anand, Government, Asia Pacific Group
Genie Gan, Private Sector, Asia-Pacific Group
Sharon Alvares, Private Sector, Middle-East Group
Dmitry Fonarev, Private Sector, Eastern European Group
Theater
Duration (minutes): 90
Format description: Given the high profile of our speakers as senior government leaders and technical leads, we expect a large turnout and a theatre setting would accommodate a larger audience. In this setting, each speaker can be given the space and airtime to present their views on digital infrastructure resiliency to a wider audience. As the aim is to shape best practices and common standards in this space internationally, great emphasis will be placed on discussion with participants - onsite and online. In addition, small surveys will be included to further engage participants and obtain feedback on individual questions.
A. What prominent legislation for digital infrastructure, such as data centers and cloud services, is being considered worldwide, and what improvements can be made to it?
B. What applicable lessons and best practices from the cybersecurity industry can be carried over to the digital infrastructure space to increase overall cyber resiliency?
C. What kind of novel threat scenarios to digital infrastructure should public and private organizations be looking out for, and what are the best ways to guard against them?
What will participants gain from attending this session? Participants will learn about the latest threats of disruption to digital infrastructure, and how different countries are trying to tackle this problem through legislation of new standards and requirements. Perspectives from the workshop’s speakers will introduce best practices from the cybersecurity industry that could become a commonly-accepted standard for operators of such digital infrastructure, and enlighten public and private organizations on a systematic way to overcome these threats. As regulations in this area are just taking shape, participants’ questions and ideas have the potential to shape best practices and common standards internationally.
Description:
Globally, requirements of cybersecurity and resilience of Critical Information Infrastructure (CII) have been well-established. However, there are also foundational digital infrastructure components, such as data centers and cloud services, which would have a systemic impact on a country’s economy and society if disrupted. In a prominent example, a data center outage affecting Citibank and DBS, the biggest bank in Singapore, disrupted 2.5 million payment and ATM transactions. While this had not resulted from a cyberattack, it had nonetheless resulted in widespread disruption of banking services. Governments around the world have started looking at this problem, beyond traditional CII regulations. In the UK, the government launched a public consultation in December 2023 on ways to enhance the security and resilience of UK data infrastructure, addressing resiliency risks including extreme weather and poor information-sharing and cooperation across industry. The Singapore government said it is studying the introduction of a Digital Infrastructure Act (DIA) in March 2024, going beyond cybersecurity to address a broader set of resilience risks ranging from misconfigurations in technical architecture, to physical hazards such as fires, water leaks, and cooling system failures. Conversations in this area are still nascent, and there is a chance for the IGF to shape best practices and common standards. Lessons can be drawn from the cybersecurity industry, where increasing sophistication of threats has shaped modern approaches to achieve cyber resilience. One possibility could be an expanded role for national Security Operations Centres (SOCs) to monitor this aspect. 
With a workshop comprising regulators and thought leaders from the industry and governments, we hope to brainstorm ideas that will culminate in a white paper that forms the baseline for Digital Public Infrastructure under the UNDP, to serve as reference material for countries which are planning for laws to enhance digital infrastructure resiliency.
As much of the legislation on this topic is still in the draft stage, there is a chance for the IGF to shape its outcome positively, bringing in the perspective of the cybersecurity industry and its best practices. Discussions from this workshop will be captured in a white paper to form the baseline for security standards in Digital Public Infrastructure under the UNDP, to serve as reference material for countries which are planning for laws to enhance digital infrastructure resiliency. This will ensure that the influence of the workshop lasts beyond the session, and serves the global public interest.
Hybrid Format: The moderators will actively involve the participants in the discussion, for example through short online surveys at the beginning, after the initial statements and at the end of the session. The survey tool (Kahoot or Menti) can be used both by onsite participants and by online participants. This will generate additional personal involvement and increase interest in the hybrid session. During the "Roundtable" part, active participation is possible for both onsite and online participants, as all participants should actively contribute their ideas. Both onsite and online participants will have the same opportunities to participate.
Planned structure of the workshop:
- Introduction by the moderator
- Survey with 2 questions
- Brief impulse statements by all speakers
- Survey with 2 questions
- Moderated discussion with the attendees onsite and online (Roundtable)
- Survey with two questions
- Wrap-up
Report
Digital infrastructure resilience is a complex endeavor with multiple layers of risk. It goes far beyond physical protection and includes security of services and operations, data protection and integrity, capacity building and risk awareness, amongst other things.
Given the constantly evolving threat landscape in an era of rapid technological advancement, universal regulations should be developed to enhance the protection of digital infrastructure. However, such policies should be balanced and flexible, tailored to the specific challenges of each country, and should not disproportionately restrict the development of digital technologies.
To develop universal standards for digital infrastructure resilience, the primary objective for stakeholders is to establish the specific goal to be achieved, agree on definitions and language used to describe the issue, develop clear measurement metrics, and determine what the desired outcome of these efforts is.
A multilateral approach involving governments, the private sector, academia and civil society is essential to develop rules and standards to protect digital infrastructure, with international organizations as facilitators. It is important to ensure the engagement of all stakeholders who can contribute with shared experiences, use cases, and skill-building initiatives.
IGF 2024 WS #81 Universal Standards for Digital Infrastructure Resiliency
Key Takeaways
- Digital infrastructure resilience is a complex endeavour with multiple layers of risk. It goes far beyond physical protection and includes security of services and operations, data protection and integrity, capacity building and risk awareness, amongst other things.
- Given the constantly evolving threat landscape in an era of rapid technological advancement, universal regulations should be developed to enhance the protection of digital infrastructure. However, such policies should be balanced and flexible, tailored to the specific challenges of each country, and should not disproportionately restrict the development of digital technologies.
Kindly find the whitepaper on the principles developed by Kaspersky here:
Call to Action
- To develop universal standards for digital infrastructure resilience, the primary objective for stakeholders is to establish the specific goal to be achieved, agree on definitions and language used to describe the issue, develop clear measurement metrics, and determine what the desired outcome of these efforts is.
- An international multi-stakeholder approach involving governments, the private sector, academia and civil society is essential to develop rules and standards to protect digital infrastructure, with international organizations as facilitators. It is important to ensure the engagement of all stakeholders who can contribute with shared experiences, use cases, and skill-building initiatives. Perhaps the IGF can take that topic into account in the future work of the PNAI.
Session Report
Globally, requirements of cybersecurity and resilience of Critical Information Infrastructure (CII) have been well-established. However, there are also foundational digital infrastructure components, such as data centers and cloud services, which would have a systemic impact on a country’s economy and society if disrupted. Recent large-scale outages have shown how far-reaching the consequences of undetected or unpatched vulnerabilities can be. In this context, participants at an IGF workshop held on December 17, 2024, used this platform to discuss the main threats to digital infrastructure, possible ways to mitigate the associated risks, and how to reach multilateral consensus on security standards.
The session started with each speaker giving an impulse statement and their take on securing the digital infrastructure under their remit, including potential challenges, threats and opportunities.
Genie Gan, Director of Government Affairs and Public Policy at Kaspersky, highlighted the opportunity for the IGF to shape best practices and common standards for the future of digital infrastructure, and presented the main themes/pillars for the development of these principles:
- Emerging threats and challenges to Digital Infrastructure
- Multi-stakeholder Collaboration
- Regulatory and standards development
Dr Pawan Anand, Senior Fellow at the United Service Institution of India, highlighted data integrity as a critical issue for digital infrastructure resilience, noting that India is facing serious challenges in its digitization efforts due to the rapid rise in cyberattacks and offshore data storage. He also noted the need for the right response plan for recovery, at both the international and the regional/national level, allowing immediate exchange of information and experience to curb threats and the extent of damage. He also mentioned a number of ever-evolving threats to CII security, such as ransomware, supply chain vulnerabilities, cyber-jacking, and the threat posed by quantum computing to blockchain technology. In this regard, Dr Anand emphasized the urgent need to protect infrastructure and develop appropriate standards, while warning against over-regulation that could stifle positive innovation.
Aderonke Sola-Ogunsola, Assistant Director for Corporate Planning, Strategy and Risk Management at the Nigerian Communications Commission, spoke about the importance of having standards that are contextualized for local conditions, citing the drastic impact that the disruption of submarine cables would have on West Africa. She argued that, in balancing universal standards for digital infrastructure resilience against meeting a country’s own digital infrastructure security needs, one needs to look at the SDGs being adopted by all. Such standards should provide a basic foundation, while allowing flexibility for regional and national variations, as not every country has the same technological or economic capabilities.
For Alaa Abdulaal, Chief of Digital Economy Foresight at the Digital Cooperation Organization (DCO), the development of universal standards to protect digital infrastructure is a shared responsibility, and multi-stakeholder collaboration should be a keystone of these efforts. Notably, governments should take the lead in policy development, engaging other actors to ensure its effectiveness and feasibility, and setting frameworks that are impactful and can be executed successfully. The private sector has a critical role to play in advancing technology and supporting capacity-building initiatives, while civil society and academia can help ensure that standards are inclusive and well-researched. International organizations, in turn, should act as connectors and platforms to bring together all stakeholders, facilitating an open and ongoing dialogue.
The panel identified several challenges to the adoption of universal standards, particularly in developing regions. These include economic disparities, technological gaps, and lack of infrastructure, amongst others. However, a key challenge is to ensure that countries have adequate human resources and expertise to implement these recommendations and best practices effectively.
The development process for Universal Standards for Digital Infrastructure Resilience has the potential to galvanize stakeholders across geographies and sectors to share their best practices, offer insights into threats that have not been experienced elsewhere, and allow for cross-jurisdiction collaborations. Such standards can form the baseline for local-level governments to consider and adopt as appropriate. While standards must be contextualized for local implementation, they must not deviate too far from the Universal Standards given the porous nature of threats facing digital infrastructure. Such a structured, risk-based approach ensures progress and effectiveness in addressing the rapidly changing digital environment. Furthermore, participants and audience members agreed that resilience standards should be agile and verifiable, with regular reviews to adapt to new technologies. It is also essential to leverage existing standards and perform threat modelling and risk assessment to respond to the different risks faced by different countries.