The following are the outputs of the captioning taken during an IGF intervention. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid, but should not be treated as an authoritative record.
***
>> WOUT de NATRIS - van der BORGHT: Good evening. If some of you would like to sit here because you're so far away from us. Am I audible now? I can hear myself. So let's get started.
Good afternoon. Thank you so much for joining this session. If you would like to join us here at the table, then we can see better who is in the room. So you're welcome to do so.
Welcome to the Dynamic Coalition Session: Safety and Security? Learning the Hard Way. Cybersecurity and Safety Lessons for the 21st Century. On behalf of the Dynamic Coalition DC‑CRIDE and DC‑IoT, welcome.
My name is Wout de Natris ‑ van der Borght. I'm your moderator for today. So, with me are João Moreno Falcão. Online, Matthias Hudobnik. Here is Jutta Croll.
Online is Elif Kiesow Cortez. And we have Liz Orembo here in the room. And Jonathan Cave online. And Torsten Krause is our rapporteur and online moderator.
So, thank you. And good evening from all of us. We will focus on three elements and not just our own Dynamic Coalitions. We look beyond that to the current priorities. But also to emerging priorities. And global alignment as it concerns around the globe, deployed along the globe and across borders and jurisdictions.
Why "learning the hard way" in the title? This has not changed a lot since I entered the internet arena 24 years ago or my first IGF presentation in 2009. From other groups and internet users are still vulnerable due to low numbers in devices and services that enter the market without security design built into them. And situations where the markets and commercial interests always takes precedence over security of what they call the user instead of the customer.
In some countries, that may start to change. Others still have a way long way to go. And we are learning the hard way, time and again. In this workshop, we look at the topic from a few angles. And learn with quantum computing on the rise, we have to do better to prevent digital and privacy disaster.
You're asked to keep your questions until the end. We have enough time to answer questions, I assure you. But first, let's look at priorities. Why are we talking about the future also? I think we have a nice analogy to tell you.
Imagine that you're buying a new car. And that car is at the top of the mountain. You get into the car. And you slowly start to descend. Because the top is not that steep.
But all of a sudden, waving to you, would you like brake lights? Would you like a steering wheel? Would you like to have brakes? And the car goes ever faster and faster.
And they're waving more furiously to you. And the first hairpin is approaching. And it is a real hairpin. And there's your car.
I think that is the analogy to what often happens on the internet. We get something, which becomes your responsibility to make secure. And not the one selling it to you. I think that is something that needs to change.
So, how do we provide secure bodies? I think we can do that to secure our digital environment and how we protect vulnerable groups and with quantum computing be upon us next year. Or next week even. From there, we'll go through a few questions we'll be asking the speakers.
Here they are. The first questions we're going to answer. Then I'll start to shut up. And give the word to the presenters.
The first question is the current state of IT security is safety. What measures are in place? Which measures need to be taken to better protect ICT systems and services? How to ensure online safety for different groups. While at the same time they rely more and more on digital technologies.
And who takes responsibility in this regard? How can certification and labeling support users to make the right choices in deployment of users of digital tools and services? Four, how can public and private procurement policies advance ICT security by design? And finally, what will the social implications of quantum computing be if we do not deploy post‑quantum encryption in time? That is, before the so‑called Q day?
Let me stop there. And give the first words to ‑‑ I've got to find my order of things. But the first speaker is João, I think. And after that, Matthias. João, the floor is yours.
>> JOÃO FALCÃO MORENO: Thank you, Wout. I've been working in ICT cybersecurity policy making for the past four years for IS3C. And I am here to present briefly what we have in the IoT security policy landscape. Because we need to understand the world we are into. To present actionable actions to fight the insecurity of the world.
So, when we started to develop this project, we really wanted to understand what was happening. And I decided to bring a couple of examples of attacks that we've seen in the past few years. And how they evolved until today. To better understand how we can fight them.
So, the first one is the Jeep Cherokee incident that caused the recall of 1.4 million cars. This was a major risk to the drivers. Because the car had a system insecure. That could be hacked from, like, close proximity. And block the brakes and control the steering wheel.
So this could be a huge issue and cause the death of many. So they wisely made a huge recall. And, wow, we think, okay. It happened in 2015. But what now?
I also decided to bring another example. Which was the Kia incident in last year. Where millions of cars were subject to an attack, a remote attack. A malicious person could change the car to his name in the system, the online system. And, with this, download all information about the car.
Which means that they could locate the car. You could unlock it remotely. And also see your history of places you've been to. And, again, this happened to millions of cars.
This shows us a clear need to improve the security. And another issue that we studied was the IoT bot nets. What we see is that we have millions of devices with similar software and similar vulnerabilities. Which makes them vulnerable to method attacks.
I bring an example here. The Raptor Train malware. Which was spread in hundreds of thousands of devices. And served a its purpose.
So attackers could steal information from the owners of the device. They could also engage in malicious activities, attacking third parties. Which makes almost impossible to protect. Because they can ‑‑ they seem to be a valid person inside your network, trying to access it.
And, wow, this is very difficult to tackle. Especially when we have devices spread from all over the world. So, to understand, after looking into the insecurity of the world, we dived into the policy landscape. So we went through the work of ITU study group, which had very interesting recommendations.
Also we went to the policies that were developed by European Union. Very interesting. And, of course, we went to the ITF. And this is the part that I believe really bridges all the things that we are going to discuss here today.
Which is how to make these devices not only protected to the threats that we know today. But also the threats of tomorrow. So, when going through ITF, they have ‑‑ they are worried about ‑‑ well, when we talk about IoT devices, we are speaking of devices that are not powerful at all. And they are ultimate.
So we need to provide lightweight systems to run. And we will face the quantum challenges. And for this, ITF is currently working in the TLS 1.3 that would bridge the classical cryptography with the post‑quantum cryptography. That is very needed to future‑proof our devices.
>> WOUT de NATRIS - van der BORGHT: Thank you, João. The introduction to the report we'll be telling you about a little bit later. Next we go to Matthias Hudobnik, who is online. Welcome.
He is a legal engineer and AI specialist in data protection function. Combining his roles as a lawyer and an engineer. He is also a member of ICANN Security and Stability Advisory Committee, and a representative of the Dynamic Coalition on the Internet of Things today. The floor is yours.
>> MATTHIAS HUDOBNIK: Perfect. Thanks a lot. It's a pleasure to be here. I am excited to contribute to this panel. I speak today in my personal capacity as a member of the ICANN Security and Stability Advisory Committee and also not necessarily reflecting the opinions of ICANN SSAC.
As our devices connect our hospitals, energy grid and homes, their security depends on not only protecting individual devices, but on the threat and integrity of the internet's core infrastructure. And how we govern its evolution responsibly. Today, I will focus on four key areas.
Internet security principles and DNS. IT security and life cycle management. I‑governance (?) revelations. And some future outlook and threats.
The internet's resilience is built in layers. At its core lies its main system, DNS. And the system that converts the main into (?). And if the DNS fails, so do IoT services.
From smart life to critical hospital equipment. We must secure this foundation with certain safeguards. First of all, we have Domain Name System Security Extensions that provides integrity by designing (?) by adding cryptographical signatures to ensure data authenticity. Then we have Resource Public Key Infrastructure. Which verifies which autonomous system can announce specific IP prefixes. And thereby prevent (?) protocol hijacking.
Lastly, we have DNS (?) authentication of name. With enhancing transport layer security authentication by. Binding certificates of domain names for enhancing authentication. These measures illustrate how redundant systems maintain resilience.
And to raise the bar, we must also adopt (?) treating every request as untrusted until verified. And combining encryption protocols zero trust helps to limit the attack surface. And a successful example of multi‑stakeholder collaboration to protect these global infrastructure elements.
Coming to my second point, life cycle management. These devices live in the field for years, long after the manufacturer has moved on. Making security across the device life cycle a nonnegotiable priority. Security must be embedded at every layer at the device level.
Security by design should be standard. Implementing secure tools (?) trust, and requiring software bills of materials. At the network layer, strong encryption and strict network segmentation are crucial. At the data level to end encryption data collection and safeguards are essential.
Coming to the life cycle management, this is key. Smart meters like over the air mechanism leaving them vulnerable for years. So, secure update path. And also transparent Software Bill of Materials are essential. This brings me to my third point.
As AI is both an enabler and a risk in IoT. We are able to detect in milliseconds, predict failures before they occur. And automate systems from traffic control to predictive maintenance. But AI also brings new risks. Issues such as data poisoning, model grid and capacity of decisions can undermine systems trusts.
As AI aggregates personal data from diverse IoT devices, we must expand data governance to balance data protection with functionality. That includes enforcing transparency, ensuring form content and also avoiding black box decision making. Here, revelations like the IS and general data protection revelation requires systems to be transparent, ethical, secure, audible and subject to human oversight.
We must assure that it remains accountable, reliable, secure and trustworthy. Especially when we talk about critical infrastructure. This brings me to my fourth point. Future outlook and threats.
Looking ahead, we face urgent challenges. First of all, quantum computing encryption algorithms, like (?), will not withstand quantum decryption. That means attackers may already be collecting encrypted data to break later. And, here, we must accelerate production of post‑quantum cryptography led by NIST organization efforts or also by the IGF, for example.
Another point I want to raise is also connectivity failures. In an unstable world, resilience means designing systems that provide offline also. That includes local fallback notes, decentralized operations and graceful failure handling when connectivity drops. At a certain point, (?) also supply chain and certification gaps. So many IT devices lack secure update mechanisms throughout their life cycle, and also certifications.
Very important point is also capacity in the wellness gaps. Beyond technology, there is a human element. Cybersecurity and capacity building are essential. So users should understand the risks and the importance of data protection.
And skilled in auditing both technical systems and also AI models. And both technical evolution and coordinated revelation are key to preparing for these threats. And also we must scale capacity building into literacy to meet the complexity of emerging systems. Global (?) framework similar to those in governance must be promoted.
To conclude, resilience in IoT is not something we can patch in later. It must be designed from the start. That means security centralized main system, secure trust principles and strong encryption TLS 1.3. Including OTA updates and SBOMs protections, including AI assistance that are explainable, governed and also privacy preserving.
And last, but not least, robust default mechanism for when, not if, connectivity fails. Yeah, but aligning with core internet principles and international standards, we can build an IoT system that is not only ‑‑
>> WOUT de NATRIS - van der BORGHT: Matthias?
>> MATTHIAS HUDOBNIK: Yeah?
>> WOUT de NATRIS - van der BORGHT: Your time is up. So please.
>> MATTHIAS HUDOBNIK: Thank you. I just wanted to say not only innovative, but also ethical and trustworthy. Thank you.
>> WOUT de NATRIS - van der BORGHT: There's a gigantic challenge that all that you mentioned needs to be done somewhere. And someone has to be responsible. And made responsible. Thank you for your contribution.
The next speaker will go into how to ensure online safety for different groups. And at the same time they rely more and more on digital technologies. That will be spoken to you by Jutta Croll, chairwoman in Germany. Graduated from university in politics, journalism and literature. The floor is yours, Jutta.
>> JUTTA CROLL: Thank you, Wout, for giving me the floor. Thank you to the previous speakers for drawing up a really vibrant image or picture of what threats we are facing in regard of security of devices. Now I would like to turn to a more user‑centric perspective. Threats to devices and services are always threats to the people who are using these devices and services.
So, when we are talking about ‑‑ I do not think we need only to focus on vulnerable groups. But firstly to think about all users. When they are more and more relying, as Wout said previously, on all these services. On the Internet of Things. For healthcare. For education.
All these connectivity services. They are, of course, subject to failures once the technology is failing. Be it ‑‑ sorry. Be it not having any more power supplies. Or being the failures, like have been heard about, that come from security issues to the services.
What would that mean, for example, for people living in rural areas that rely on house services that are IoT driven? What would that mean to children who are educated remotely? Because they can not have access to a school, going to a school. What would that mean in all those cases if the users are relying more and more on these services?
Coming from the Digital Opportunities Foundation, I firstly think about the opportunities these services provide. But on the other hand, we always have to have in mind that the more the people rely on these services, the more the services need to be stable and secure to the users. So we heard that the aggregation of personal data from various devices, IoT devices could put also the users at risk.
But on the other hand, we always have these ‑‑ you have a thing that all these data will help the house services, for example, better. Or the educational services better. So from a user‑centered perspective, we would like to ask not only to focus on the security issues and the capacity building of the users to cope with these security risks. Of course, media literacy, literature literacy is a very important aspect of the whole game.
But on the other hand, we need to build the trust and reliance of the services. And that means the service providers as well. So we already heard about the principle of safety by design. That would mean at the very beginning of a new service, all types of users need to be taken into consideration.
Not only those who have special needs that might be vulnerable. Firstly thinking ahead, what would that mean to those users if they are dependent on these services? And then the second step would be to build in the safety that these users need. And that is, of course, resilience of the service, stable connectivity. But it's also the creation of the services and the interfaces that makes it easy for the users to handle this service and benefit from using them.
I will stop here now, handing over. Then maybe I can step in later. Thank you.
>> WOUT de NATRIS - van der BORGHT: Thank you, Jutta. You presented to us the human perspective in this story of cybersecurity. I think that is a very extra dimension to what we've been discussing so far.
The next speaker is online. It is Elif Kiesow Cortez. And she is the author of this report called Social, Medical and Technical Impacts of IoT and PQC Policies. You've already heard the work that João has done.
Now we will hear what Elif has found out about post‑quantum. And if we do not fix it in time, what implications could be for society. Elif, the floor is yours.
>> ELIF KIESOW CORTEZ: Thank you so much, Wout. I hope everyone can hear me fine. Today we are happy to be presenting the findings of our report "Societal and Technical Impacts of IoT and PQC policies." The name speaks for itself.
We will have an amazing launch on the 27th of June at 9:00 A.M. I want to say in Workshop Room 1. But you can check with Wout. This can be seen as a very little preview of this amazing report that you will have also access to. And will get to hear more about, like I said, on Friday.
But if you want to have a preview right now, so you can chat a bit more in detail. Maybe on‑site with Wout as well as João, you can have a look. Let me now jump into the presentation. What we wanted to mention. Like I say, a bit of a preview of our report today.
So already saying that the report's name speaks for itself. Of course, you're addressing the critical intersection of Internet of Things, IoT security, and a set of post‑quantum cryptography. And this, of course, is a collaborative study by our Dynamic Coalition Internet Standard Security and Safety Coalition, or as we call it, IS3C, and the association for internet naming, APNIC.
Let me address the fifth question that Wout posed in the opening session regarding the impact of quantum computing for cybersecurity. Based on many expert views, we know that the advancement of quantum computing will pose, already pose a significant threat to our current internet security. We do not know yet when quantum computers will be fully functioning.
Let's try to scope a bit what we mean in our report or in today's presentation when we talk about quantum computing. Which has a lot of potential to bring a lot of good to the world as well. For us, from the cybersecurity risk perspective, when we refer to quantum computer, for example, we are looking at a quantum computer that is cryptographically relevant.
So a quantum computer that has a focus and capacity on breaking the currently valid encryption. Why is this a significant threat? For our discussion today, the risks of a not‑secure internet are already very clear. But let me introduce a new risk that is emphasized a lot in discussions about post‑quantum cryptography.
This risk is called harvest now, decrypt later. What it means is the possibility of breaking the current encryption. Which also means, in theory, malicious actors might be recording today's encrypted communications for days, or months, or longer. With the aim to decrypt them once they can utilize a cryptographically quantum computer.
Hence the name harvest now, decrypt later. The risk has been recognized by many experts, emerging organizations and governments to upgrade their cryptography systems to PCQ solutions. When we say this, of course, in our report, we already provide an overview of the current landscape. This discussion does not only belong to scholarly discussions in academia.
But there is real applications where we are seeing it in policy form. Both from the U.S. and EU. So, in our report, we mapped these policies. And we also mentioned the key developments.
So, for example, we are seeing that U.S. and EU, they have some distinct but also converging approaches. For example, the U.S., of course, already led to a bit of a (?) approach, let's say, by leading the standardization for frequency algorithms. And even going further and testing a target for when the federal systems should mitigate, should migrate to PCQ systems. They set this target to 2035.
When we hear a date that is a decade away, we may feel like it's not a current threat. But let me highlight the importance again by saying ‑‑ let's say painting a picture that it is very, very difficult to make sure that our migration to a new encryption system takes place. Because that is very difficult. Giving it a decade actually means that the action has to start now.
So that we can really reach the target by a date that we do not have any more systems that are using an old and, maybe at that point, quite irrelevant or, let's say, risky encryption. In the EU as well, we see European efforts. But we are also seeing different countries, such as France, who is also advocating for hybrid solutions. Or Germany, who is providing guidance participating in several projects that is facilitating PCQ migration as well. And in the Netherlands, as well, we have PCQ migration.
So we are already seeing national programs, in addition to the programs that were mentioned. Let's say that is more at the European level. We can say both in the EU and U.S., we are seeing that there is this more recognized shared imperative to protect our internet now. By highlighting the importance of PCQ.
So, let me just keep to the time. And mention very briefly, in this report, we are also highlighting the societal and legal impacts as well. We are touching upon the environmental impacts. Let me give you two examples.
From a societal impact perspective, we are saying PCQ is crucial for maintaining also the trust of the citizens for digital infrastructure as well. In addition to, of course, preserving long‑term privacy against these kinds of harvest now, decrypt later attacks. And when you think of this in a more legal angle, we are assuming it is possible that regulations like GDPR may also compel the use of quantum‑resistant encryption. We did produce many recommendations in this report as well.
>> WOUT de NATRIS - van der BORGHT: The time is about up.
>> ELIF KIESOW CORTEZ: I only need a few seconds. Just to show that we have organizational level. Much more technical advice in this report that is starting with, for example, creating a cryptographic inventory. We also want to help, of course, our IGF community as well. And we also included international guidelines.
That starts with creating global standards that looks at interoperability. So we are not leaving any organizations, countries, people behind. When it comes to making our more secure movement towards the better internet.
So I will stop here. Thank you very much for your attention to our session.
>> WOUT de NATRIS - van der BORGHT: Thank you, Elif. Again, you showed what immense task is ahead of us, if we want to fix it in time. My personal analogy is that the world should come together, like it did with the millennium bug in 1999. That everybody started to act on the same principles at the same time. And fortunately for something that never happened.
It is possible to align movements, decisions and policies. The next speaker is, unfortunately, not present here today. That is Maarten Botterman. He will be replaced by Jonathan Cave because of personal circumstances. My thoughts are with him at this moment.
Jonathan, you are taking care of the question, how does resilience assist us, and who has to play a key role here. Jonathan is also representing DC‑IoT. Jonathan, the floor is yours.
>> JONATHAN CAVE: Thank you very much, Wout. And am I heard?
>> WOUT de NATRIS - van der BORGHT: Yes.
>> JONATHAN CAVE: Because the IoT and the internet beyond it are large, complex networks, one of the questions we have to ask is resilience of what? And who is responsible for maintaining this resilience? So, as we see the new, emerging technological challenges ‑‑ and I'll mention particularly AI, machine learning, and to a certain extent, quantum computing.
Beyond a certain point, these are no longer merely quantitative changes. But they bring qualitative changes with them. And much of the governance of the internet and, indeed, the economic and social systems behind it is predicated on the notion that human beings be responsive to the choices they make and the oversight they might be able to exercise.
But as the speeds increase and as the complexities increase, it may no longer be appropriate or possible to rely on these things. When that happens, particularly in a system which has in it many, many generations of devices, performing changing sets of tasks, some of these cannot be overcome from a design perspective. What happens to the devices once they're unleashed in the wild ‑‑ what we do with them and what they do to our thinking and our behavior ‑‑ require monitoring and reaction. Rather than something we can build in from the outset.
So, one thing that would happen quite clearly is to maintain the functioning of the IoT or the functioning on the internet on which we rely. It may be necessary for the permissions accorded to devices ‑‑ what systems they can access, what processing they could do ‑‑ to change the uses that are made of them. And the other systems with which they have to interact continue to evolve.
And some of this can't be understood at the level of individual systems. But has to do with emergent effects. Another thing that we notice comes directly from the use of AI. When devices were stupid devices and merely did what they were told, you could hold individuals responsible for them.
The engineers designed them. And informed the users and systems what they could and could not do. And they would make appropriate changes. When the devices use things like deep learning, it may not be possible to make meaningful explanations of what they have done.
And it may be that the recommendations from these devices continue to supplant or change human decision making. An example of this is a recent report released last week from MRT. Which looked at the use of AI in educational settings. And found that while AI can be useful from a purely mechanical perspective, it results in shallow reading rather than deep reading. It actually changes the way people think. And the extent to which they can be usefully held responsible.
Another thing is, as competitive systems interact, what they do collectively may not be the kind of thing that we can easily control them from the individual system level. And in certain contexts, like the financial context ‑‑ if we have devices making trades, for example, you can have devices which effectively collude. And break the functioning of the system. Even though nothing any individual provides leads me to suspect that that might be possible.
And the faster these things operate and interact, the harder it is to detect these things before they become somewhat irreversible. On the level of quantum computing, I think one of the things that's most particularly interesting is the way in which the internet's development has relied on encryption. As a way of controlling access to information. And, of course, it is the case that fully functioning quantum computers can break our existing encryption levels.
But it also means we can use them on the other side. To attack or understand the behavior of the people who might be engaged in sabotaging or breaking the system. Moreover, the use of quantum computing can help us understand things that are not the result of attacks. But of the complexity of the system itself. What you might consider to be accidents. And from that perspective, I see quantum computing as rather part of the solution more than part of the problem.
And the final thing is to say that when we use these devices, when we do regulatory change, design change or certification ‑‑ which I'll talk about in a few minutes in another part of this session. We have to take account of the history that is available to us. And one of the things that can happen with AI is that it can lock in an interpretation of history.
We see a set of events. What Elif said about harvest now, decrypt later comes very much to this point. Decrypting in a different context than they were originally collected. And it may be certain ‑‑ what would you call them ‑‑ hallucinations become embedded in the way we engineer these systems. And the way in which we govern these systems.
So, that's actually all I had to say on this. In the interest of time, I will stop. Except to say, the resilience of a complex system is the rate at which it returns to the functions it used to maintain. The robustness of a system is the way in which it is able to fend off attacks. And continue behaving the way it used to behave. Even if that is counterproductive.
So, we have to be very careful that the system's resilience that we have encourages learning and evolution. And doesn't prevent it. In the hopes of preserving something which is no longer useful to us. And as humans and machines begin to share the same responsibility space, we have to be particularly aware of that.
That's it for now. Thanks, Wout.
>> WOUT de NATRIS - van der BORGHT: Thank you, Jonathan, for stepping in at the last moment to replace Maarten. It is much appreciated. We go to question four, how can public and private procurement policies advance IT securities by design? And Elizabeth Orembo is the chair of the IS3C procurement. But internet expert in her own right. Liz, the floor is yours.
>> LIZ OREMBO: Thank you, Wout. This is the first time I'm speaking into this mic. So I wonder if you are listening to me. But I'm also listening to myself. Which is very confusing.
I guess everyone is listening to me. My name is Liz Orembo. I'm from Research ICT Africa. And I led this working group that researched into procurement of internet of ‑‑ IoT devices.
Now, why do we do this research? Because the things that we buy actually determine market standards. The devices that you get secure. Who is going to determine that? Market follows what is demanded.
Who are the biggest users or buyers of technology? As we see, our assumption in this research, one of them is government. Government does policies. But it also uses technology itself. It also governs what kinds of technologies cross borders. And approves what kinds of protection. What kind of products are being used by the citizen.
In a way, they are very responsible. They play a very big role in determining whether the technologies and the services that we use, IT technologies, are secure. And in that way, they protect people. They protect data. They also protect system.
But when you look at it also broadly, these devices also form part of what you call global internet infrastructure. So if the devices are not secure themselves, even the security of the internet itself is not very, very secure. So, that's why we looked at government procurement. And also we looked at the role in guiding markets on procurement.
And one of our major findings here is that it's unfortunate that there's a lot of effort being put in standards development. And also time. Given that some of these bodies, like IEE. For them to come up with standards, it takes long efforts of consensus to come through.
Once these standards are developed, not many governments or even institutions, government institutions even use them. And there's an unevenness even in how they're being used. You find in some governments, good examples like Taiwan, Netherlands, Italy and the U.S. in IT standards have actually borrowed from some of these standards. To ensure some of their procurement aligns with some of these global standards.
But in some areas, like we interviewed some countries. Some countries just went through their procurement documents. And that's where I'm getting these examples from. I looked at African Union and those African countries.
There's very little information of some of the IEE standards on the cybersecurity. Even the protection standards were also not there. When you go to African Union, they really don't have IT procurement standards there, like the European Union or the U.S. itself. What you get on procurement is a concern that there is interoperability.
So from one procurement regime to another, the infrastructure is able to speak to one another. But not beyond that. But I would like to talk about ‑‑ I would like to move away from the traditional security standards.
Beyond the IEE standards, data management standards, there are also standards to (?) the governance. Those are standards where countries are required whenever they procure technology, they procure from territories that have political stability. Because they also recognize that some of these technology (?) software, for them to protect this infrastructure and devices, they need continuous relationship from where they procured it from.
If that country is not politically stable, then that relationship is also ‑‑ it can't be maintained. It means whenever there's a systems failure, whatever failure of that infrastructure, then it's going to take longer for them to take care of those incidents. So, some of these standards, government standards are actually selected in some of this procurement document.
One of them that I saw here was an EU procurement protocols and even the Netherlands procurement protocols really called for longer time relationship. And called for, actually came up with guidelines from the procurement itself. Identifying what it is to be procured.
The relationship between the service provider and the person who is taking the service. What types of (?) that should be there. And even after service delivery, what actions should be there. And even timelines. Some of them look at timelines even beyond five years for some technologies.
And then we look at ‑‑ I'm being told I have one minute. And I have a lot to say. I'll try to say it in a very short period of time. Okay. We also look at how this standard even governed or even put in place. Different ways.
Depending how government is organized. Or how they work with different agencies. My country, Kenya, some of these standards are being coordinated from a standards body that is officially coordinated by trade. A body dealing with trade. So it actually deals with the technology coming in. As well as ‑‑ in the country. As well as that which is being sold by the users.
The other one is through ministries of ICT. And these tend to work between the two ministries and the standards body. (?) recognize which works the best. The one body that has really worked very nicely ‑‑ okay. I have to stop there. Sorry.
Let me just say this. Because this was going to be my parting thought. My parting thought is that not many governments use these procurement standards. Which take a lot of effort to develop.
It could also be because of capacity. Or also because of even finance itself. And I think there should be a network to make sure even as the standards body develop these standards, they should also come up with implementation mechanisms. To ensure that countries are able to use them.
So a campaign for them. And also a capacity building for them. Thanks.
>> WOUT de NATRIS - van der BORGHT: Yes, thank you, Liz. I think it's also called economic buying power. If you don't buy from somebody who operates under the standards, then you're out of business pretty soon. Thank you, Liz.
Now going to Jonathan again in his original presentation. Jonathan, I forgot to introduce you. Jonathan Cave is a regulatory economist. He is an associate of Maarten Botterman consultancy. Also a member of the University of Warwick, Economic Department. A member of the Alan Turing Institute's Data Ethics Group. And TREx three‑year Group.
You can answer the question, how can certification and labeling support users can make the right choices and deployment end users of digital tools and services. The floor, again, is yours.
>> JONATHAN CAVE: Thank you, Wout. I'll try to be economical in my use of time. The first thing I wanted to say was, in thinking about this joint session, it became fairly obvious to us that the IoT perspective was only one perspective on a shared problem. And that coming from that perspective, if you think of the internet in terms of devices, there's certain assumptions that go with it. And certain solutions to problems that naturally suggest themselves.
From the IoT perspective, we might come up with device‑orientated or hardware‑orientated solutions. For devices that could be tackled in economic or other ways. Therefore, I wanted to be clear about the fact that anything I am going to say comes largely from the regulatory and device perspective.
But the ultimate call would be to use the problems as a common platform. Where all of our communities can come together. And explore different aspects of the issues. Without trying to take ownership of them.
So, that being the case, there have been a lot of approaches to dealing with IoT devices. In particular, because the technology, the manufacturer, the user of these devices is global. In the ways that laws, regulations, economic structures and social structures are not.
Therefore, there's an inherent cross‑border aspect to these things. And scheming to deal with these problems ‑‑ including labeling schemes. To put demand where devices embody the standards or practices that people think are valuable. And certification schemes. Which allow the devices to inter‑operate with other devices. Secure the knowledge that the whole system together won't topple over.
Are being developed quite rapidly. Each of them comes from a particular perspective. They can interact through what are called mutual recognition frameworks. And, in particular, in modern‑free trade agreements, there are very often components dealing with the ability to put devices on the markets.
That depend on mutual recognition and market surveillance to make sure that the devices meet local standards as well. Because of this, the IoT landscape, the ecosystem, is very dynamic. It's evolving very rapidly. But it's pushed by all these different forces. Government, civil societies, market operators, and so on.
And where there are problems that we already know about, the IoT responds with formal and informal actions. Including things like co‑regulation. And the thing I want to mention here is that a lot of the discussion has been predicated around the issue of privacy. Of the protection of personal identifiable information.
Many of the issues increasingly, particularly in the AI context, involves information which is not personal. It's not to identify a human being. But it may be proprietary. It may be nonpersonal information, whose protection and control is essential, if the system is to evolve in the right way.
So adapting the GDPR and similar mechanisms to deal with the broader understanding of data. Not merely in the sense of I can stop you from using it. But data in the sense that I now have a voice as to how that data is processed and used, is particularly important.
Now if you have a good decision, it could benefit everyone. But the structure of the value chain is such that it is unlikely to do so. And certain large firms or certain countries are more likely to benefit than others. And a degree of cooperative multi‑stakeholderism is necessary. If we're going to move toward actually getting these things implemented.
Now, the natural differences can arise in some cases because of technological or scientific differences. But also as a reflection of cultural or legal heritage. In a sense, the technology itself could serve as a platform for countries getting together. To address issues that they otherwise couldn't properly talk about.
The ways in which we deal with these, some of the schemes we have are permissive schemes. Open standards. Open labels. And certification. Which are there to allow the market to work. To encourage the development of good devices are in place.
They can also lock in or lock out people with different needs. And the result of that lock in or lock out could be innovation. But it could simply be fragmentation. It's not that we develop a lot of things, each of which serve somebody's needs. But we develop a (?) within which it's hard for people to make difficult decisions.
In example of such permissive scheme, in the procurement rules, you say, you should adhere to this standard. Or produce performance according to this standard. Or you should be able to demonstrate that you have equivalent performance. That kind of innovation‑friendly recasting of procurement rules can help. To resolve some of these otherwise intractable problems.
Privacy, openness or even trust are not necessarily good to an infinite extent. In other words, if I'm talking about internet security and I trust you as the provider of my system to protect that security, I may be reliant on you for something which either you don't deliver to me or which I can better do for myself. Because I have a better sense of when I want to share my information or my decision space. And when I don't.
>> WOUT de NATRIS - van der BORGHT: Jonathan? I'm going to ‑‑
>> JONATHAN CAVE: Am I at time?
>> WOUT de NATRIS - van der BORGHT: No, one minute.
>> JONATHAN CAVE: That's fine. Thank you very much. We want to be careful about these global issues. I'll just conclude by mentioning a couple of steps that might be useful in this sort of trust but verify, or comply but explain type environment.
Mutual recognition ‑‑ not just between countries in the terms of free trade agreements ‑‑ but between spheres. For example, hardware, software, service provision, or civil society or business. Mutual recognition arrangements are very useful. Not in solving problems. But in getting the discussion started.
We have to deal with the global aspects of the generation problem. In some countries, there's a higher preponderance of devices that come from older generations. Which may break or impair the connection of those countries and people to more modern systems. And deny them access to things which would be of more benefit.
Or which would tell people in more developed countries about things which they would, in their technological advancement, have overlooked. As we saw with the promulgation of things like raspberry pie in less developed context.
>> WOUT de NATRIS - van der BORGHT: Jonathan?
>> JONATHAN CAVE: And the final thing is we should monitor active support standards development organizations. And figure out how governments and businesses can join with civil society in the maintenance of standards that adapt to change as they occur. All done. Sorry for running over.
>> WOUT de NATRIS - van der BORGHT: Thank you, Jonathan. Jutta, you are also going to answer the same question. So Jutta Croll from DC‑CRIDE.
>> JUTTA CROLL: Yes. Thank you. Let me take up two points given by Jonathan and also by Liz. One example dates ‑‑ I think more than 20 years ago. For a government taking up a standard was Section 508. When that was adopted by the United States government. Making it mandatory for all procurement procedures to adhere to accessibility standards.
That was the game changer. And from that time on, we really have achieved accessibility in all these products that came through the U.S. administration. I think that's a good example of how governments can react to standards that are already there.
My second example would be the ISO, IC standard 27566 on age‑assurance methodologies. And that was a development of a standard that took less time than most of the other standards to come out. That is obviously due to the fact that we have such a huge and fast and quick innovation in that area. It's important we have the standard ready in time.
Now I'm going to answer your question, Wout. I do think, yes, Jonathan has also been talking about the complexity, and the difficulties, and the challenges it poses to human beings. Being able to cope with the complexity of all these systems they are relying on now. And definitely that is an issue that could be addressed by labeling and certification.
But we do think it's also necessary to have, for certain groups ‑‑ for elderly people, for children and intermediaries that help them understand the labeling. When they do the decision on the devices they will use. Also the parents responsible for the children need to have this kind of guidance. Which devices are appropriate for that children. And which devices are rights respecting in regard to their children.
So, yes, labeling and certification may help in this regard. But still we need to see how do we bring that information to the users themselves to make competent decisions in regard of the services they use in regard to the devices? And when it comes to artificial intelligence, I do think it's even the next layer of complexity. Making it very difficult to leave the responsibility only with the users.
We need to support them. We need to have concepts. To make them not only acquainted. But to make them considerate in the decision they are going to make. Thank you.
>> WOUT de NATRIS - van der BORGHT: Thank you, Jutta. That opens the floor for questions. So, who has any questions to the panelists? There are microphones but also ‑‑ here. Please introduce yourself first.
>> PARTICIPANT: Thank you, Wout. Can you hear me? Thank you for hosting this session. I think it's very important that we discuss safety and security. Especially in the new age that's coming.
It's important more than ever now. I lead the Dynamic Coalition on Gaming for Purpose. I also lead the committee (?). And the burning question I have is for developers and engineers actually.
How do we make sure when developers and engineers on the grassroot level use these tools coming together to ship products faster than ever ‑‑ how do we ensure that these tools and these AI systems understand how we need to implement security and safety from the ground up? How do we do that? How do we tackle that issue?
>> WOUT de NATRIS - van der BORGHT: Thank you. Who would like to answer? It could also be online. Who would like to answer first?
>> JUTTA CROLL: Okay. I've been told to go first. Definitely, what I said before. Have a user‑centric approach. Can you hear me? Okay. So if the developers have in mind who will be their target group and a broad perspective on that target group.
Not only considering maybe it's for a small percentage of users. But for all users. Taking in mind there are users with different needs. Then probably this would be the first step to a user‑centric approach.
>> JOÃO FALCÃO MORENO: Hi. I believe that developers need to understand that AI is not a teacher. It's a tool. You cannot learn how to cut a tree with an ax.
It's very important to understand what are the security risks that your code creates. And learn how to test them. So in the IoT spectrum, I saw some documents on how you can test your system in the development process. To validate if it has a specific vulnerability or not. So, we need to embed the security into the development process.
>> WOUT de NATRIS - van der BORGHT: Thank you. Thank you for your question. Is there a question online, Torsten?
>> TORSTEN KRAUSE: Hello. Currently, we have 22 participants taking part remotely in this session. We have several comments and also links shared for further reading and information. There was one question to Jonathan Cave. Meanwhile, he answered it in the chat already. So it's solved.
>> WOUT de NATRIS - van der BORGHT: Perhaps you could read it shortly. So we know what the question was.
>> TORSTEN KRAUSE: The question was raised by Kateryna Bovsunosvska. I hope I pronounced it properly. Regarding Jonathan's point on privacy going beyond PII proprietary data. Hasn't this type of data been already covered by the traditional understanding of confidentiality?
If considered covered by the confidentiality concept, this data would be included in the security design to the IoT. For instance, following the CIA triad emphasized by the NIST. Jonathan said up to the point where information elicited from the users it used to train and adjust.
For example, AI systems. Where confidentiality comes up against procurement rules for developing systems, for example, contractor collection and exchange requirements. Privity may be more relevant than privacy and NDAs should be negotiable if we are to limit foreclosure of markets.
>> WOUT de NATRIS - van der BORGHT: Thank you, Torsten. And thank you for your question online. Please introduce yourself. Then ask your question.
>> PARTICIPANT: My name is (?). I'm at Google Jigsaw on access and privacy. Just to give a background, when you access a site using HTTPS, the link is in plain text. Like when you establish the connection. And that has always been the case. With AI, this changes and becomes a real threat.
The domain name reveals a lot about you. It can give you your employer information. Your habits. Sexual preferences. Gender. Associations. Religious beliefs.
It's really scary. I ran an experiment. I captured my domain names. Ran it through LLM. And it created a profile about me. With the right tools, people could be building profiles with everyone here using the VPN connected to the public network.
There are two solutions for that. One is that needs to be used combined, like encrypted DNS. And the new protocol encrypted plan called Hello. But we need adoption.
I wonder if this threat is on your radar. How can we incentivize adoption? And make sure this gets deployed to cover and close this gap that is remaining? And with AI becomes easier to exploit.
>> WOUT de NATRIS - van der BORGHT: Thank you. I'll look to João for part of it. These standards are out there, in some cases, for more than 20 years. Why are they still minus 50% and, in some countries, minus 25% not being deployed?
That has to do with the will to deploy. But it also has to do with demanding that they are deployed. It has to do with legislation, perhaps. But in Europe, we're starting to touch upon that.
But if we start using procurement as a tool to demand security, then the company has a choice. Either to have the standard in place, or not. And not get the assignment or the service provider, or whatever. So, I think that is the strongest tool possible. Thank you, Torsten.
Matthias is online. And he has a question. The floor is yours.
>> MATTHIAS HUDOBNIK: Hello, everyone. Can you hear and see me well? Perfect. Yes, it works. Thanks a lot for the questions. I want to quickly respond to the first question related to developers and AI.
That's a very good question. It can be covered in various layers. Particularly it's an I‑governance question. You need to check, first of all, what is the kind of organization? So organization layer. In terms of AI, how do you govern?
What governance structure do you use? A second layer would be then, what kind of laws and policies are applicable, related to the organization? And then based on the laws, we have some certain standards. Which you need to fulfill when you want to deploy, for example, an AI tool.
Like in the ICANN. And what is clearly a high‑risk system. What safeguards need to be in place. What people need to be involved.
Another important point is, for example, a framework. You have some kind of risk autonomy. You identify some different types of risks. You also need to find some kinds of, yeah, operation or process layer.
How you will operationalize it in your organization. And then very important is a technical infrastructure layer. When you say, okay. How do we secure, for example, this operational thing? Like, whatever ‑‑ security, access control, monitor, involving testing and validation.
And a very important point is to find out people and culturally. Who is involved in deploying the system? Who has the training? What about ethics? What about security and AI development? What are the rules and responsibilities? And also incentives and comparability, let's say.
Then there was the second question related to the DNS. Various devices with regard to encrypted DNS and potential threats. Look on the website. We have one of 27 devices related to internet security and stability.
DNS blocking. Please have a look on the SSAC website. And if you have a further question, we can take it one‑on‑one. Thank you for the question.
>> WOUT de NATRIS - van der BORGHT: Thank you, Matthias. We are getting to the end of our session. I'm looking at you, Torsten. In, perhaps, one sentence, can you say what was the main message of this session? I think it's a hard question. You can also say no.
What would be the message that we are going to share within two hours?
>> TORSTEN KRAUSE: One sentence is really hard. Thank you so much. I'm not sure I can give another input. But what would maybe be kind of the core is threats to service and devices are not just threats to the tools. But are threats to the users, to the humans.
That's why it's so necessary to have safe and secure procurements in place. To have such safe tools, IoTs. But safe and secure environment for us, as human beings. I think that's the core. That's why it's so necessary to develop all these standards and procurements.
>> WOUT de NATRIS - van der BORGHT: I think that's worth an applause to have us end.
[ Applause ]
>> WOUT de NATRIS - van der BORGHT: Thank you. That brings us to the end of our session. And I think we had a very good workshop showing what the three dynamic coalitions represented here. And the work and the result they're bringing to the IGF.
I would like to point to the fact that we have a main session tomorrow, I think at 9:00, if I'm correct. We have cluster three and cluster four on Thursday and on Friday. I want to thank the speakers for their effort of being here. Not only being here, but also sharing with us the knowledge they've gained over the last year.
I just want to say, my heart goes out to Maarten, who could not be here for sad circumstances. To Torsten for being our rapporteur and online moderator in one. And the technical people in the room. You did an excellent job. That is really commendable.
[ Applause ]
>> WOUT de NATRIS - van der BORGHT: And, finally, thank you for being here and showing interest in our work. We hope to show more next year. Thank you very much. I have five seconds left so I maintain time. So bye‑bye.
