The following are the outputs of the captioning taken during an IGF intervention. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid, but should not be treated as an authoritative record.
***
>> MODERATOR: Good morning and welcome to our session on securing IOT for the post quantum era. My name is Wout de Natris - van der Borght. And I'm the coordinator for the coalition at the IGF with the People from the Coalition and together we're presenting the report we're putting out here at the IGF.
First, a short word about what ISC3 coalition is. We have one overarching goal. That goal is to have long existing security-related internet standards deployed by industry. And we've been producing reports over the past five years, as we exist. And the first one was on education and skills. And so I to close the skills gap between what sub security curriculum offer and what the industry actually demands. And we identified an age gap and a skills gap and a gender gap all in one. All over the world.
The second report was on IOT security and that will come back a little bit in Joao's. The third report on government procurement. We found out that governments mostly do not procure their ICT's secure by design. So it's not in that procurement prospectives. So that is something that really needs to change. If you want to have an incentive for industry to actually start producing secure products.
Whether services or devices or applications, as such.
Then we produced two tools. We identified the global forum of experts what are the most important internet standards to deploy interconnectivity. And we added websites because everybody thought that was extremely, extremely important to put the point of pressure on for industry, as well.
Then we produced a tool kit on arguments. What arguments do technicians need to use to convince their CEOs, their CFOs, their boards of directors, et. cetera, to actually either deploy standards or procure standard secure by design.
And this year we have our fourth report, which the people at the table will tell you about post quantum encryption. The way I look at it, the history of cybersecurity is: Imagine that you buy a car on the top of a mountain. And the salesman gives the keys to you and said "drive down." You start down the first bend and there's a guy saying "do you want to buy brake lights." The next bend somebody is waiving. "Would you like to have whatever seat belts." And finally, "do you need brakes?" And there's the first hair pin turn and the ravine going down. And this is what sort of happens with ICT. You buy a device and says you have to install this or buy ant virus or you have to whatever. That's something that is not normal for any other product in the world. Everything comes with sort of design for security. So I think that is what we are trying to prevent with this report. If quantum day comes and there's not security in place. The future will tell. We think it matters. And with me are the people who are going to explain why it is important. We will hear from Benoît Ampeau. We have IOCC and online e life and then we close the session with potential actions. So, first, let me give the floor to you explaining why the topic was important to take on.
>> BENOIT AMPEAU: Thank you. So I'm Benoît Ampeau. We are very happy supporting this report. And I will explain why and give you some elements of context. We're a French internet industry is pleased with the outcomes from this report.
We have been working for over 15 years on the internet of things. Particularly on the technical aspects and the identification of objects, as well, on security and privacy issues for civil R & D projects. More recently, like many technical organizations, we need anticipation or technical transition. And we have begun to gather the impact of post quantum on more operational aspects. As early as 2016, we organized a conference with our scientific council to raise awareness about its impacts on our increasingly digitalized societies.
Since then, many things have evolved. As part of our commitment to R & D, we also have observed there are too few cities on social impacts of technologies. This is a shift for us. Trying to integrate which relevance the important dimensions into some of our studies. Which makes sense. Particularly here at the IGF. It's a unique place where all stakeholders can dialogue.
This report was born from all the contextual elements. Quantum computing is no longer a distant dream. Confined to the page of sentence fiction. In a way, it's still a distance since we don't know when the threat will be available and ready to crack the global crypt graphic scene on our digital services.
It is a rapidly-evolving field with some significant investment from both the public and private sectors.
While quantum computing provides revolutionary advancements, it's also poses a substantial threat to our current crypt to graphic systems. The algorithms that secure our digital communications today could be rendered obsolete by the competition.
It's particularly acute for IOT devices, which are increasingly integrated into our daily lives and critical infrastructure. Ensuring the security and privacy for the long-term is crucial.
This report as will be presented by the security and safety coalitions will has been submitted to the community for comments. Is I'm very grateful that to the others and contributors of this report, I think it's offering a comprehensive analysis of existing vulnerabilities. An assessment of political frameworks, and last but not least, strategic recommendations to enhance security at national, local, and also global levels.
In conclusion, even though a quantum computer are capable of breaking current cryptography doesn't exist. It's complex of the transition necessitates emergent action plans. Adapting infrastructure revising trust chains, updating software, testing interoperatability. It's adding some brake lights for your car. Sometimes there are costly evolutions that require coordination among many actors and rigorous planning. Past experiences in technological transition as a deployment of internet security extensions shows how this changes can extend even more than a decade.
We must collectively anticipate an individual transition. Thank you.
>> MODERATOR: Thank you. I think you set the stage, Benoît Ampeau, ideally. Why is it important for registry? You can take the floor, please.
>> SANDOCHE BALARICHENAN: Thank you. I'm head of R & D partnerships at AFNIC. Thank you. Thank you for setting the stage for my talk. The next five minutes, I'll try to explain why a domain registry is involved in the study about IOT and post quantum.
So here, if you see in the image here, we have different stakeholders involved in connecting a domain name. Or sending it to different stakeholder -- different users. So if you see a technical perspective, we have IETF that standardizes the IP addresses and the domain names. From a governance perspective, for example, in the domain name sector we have ICANN. In the ip address governance, we have regional internet registries. For example, in Europe it's called RIPE. All the different stakeholders are involved in setting up the stage for translating the domain name to IP address. And the system that is used behind it is called the domain name system.
But when we see in IOT, we have different stakeholders involved, also, but they're working in silos. So what AFNIC is trying to look at, is the multi stakeholder system that has been working quite effectively in the internet for the last 40 years, can it be applied in the IOT. That's what we're working on.
And we are not just telling it. We are walking the talk. We had, for example, what were the different stakeholders on French government and European projects. For example, we started with the supply chain industry in the consumer goods to look at how RFI could be used in the DNS and the service. Then be used with the LORA, which is the LP band technology
we started seeing whether the identifiers can be added. Then these identifiers, like RFID could be evolving the services. Then we add the the next layers like security and privacy. We had considerable experience in the last 15 years working with IOT stakeholders on how to use DNS.
So the report here, that is the objectivity of the talk, looks at the pain points in IOT and how it is amplified by the advent of post quantum. This report looks at it in detail, which will be explained.
So from a policy and standards landscape, what happens? In the U.S., for example, NIST just published different algorithms, like four or five. The federal government is saying by 2035, all federal systems classified and unclassified must be using full quantum resistant cryptography. For example, in the EU, we have different standard activities going around use. The EU road map also says that by 2035, transitions should be largely complete for all practical systems. From a domain name perspective, you see at the IGF, there is also ongoing work on how the DNS system could be getting ready for a quantum-secure future.
So our role as a registry what are we going to do? We want to look at technical and policy perspective on how to transition PCU readiness infrastructure for real-world use. For example, with PCU, we have cryptography that can be large. And there's energy consumption. Then, finally, our objective as a registry for IOT. Our call for action is that as multi stakeholders, let's work to ensure that when the deadline arrives like in the 2035, the IOT can resolve. The algorithm for securing access could be quantum resistant. Thank you.
>> MODERATOR: I think that shows that it is an urgent topic. And we focused on IOT -- we focus on IOT because rather than limit our research, of course, it could be on many different topics. The banking system will their their own. The routing the internet will are their problems. But we face the IOT challenge. We're going to go into that and then ELIF will come up with the post quantum part of the report.
Joao, the challenges we face today. Thank you.
>> JOAO MORENO FALCO: Hello everybody. Thank you for being here. So in this part of the report, we did a literature review to understand the emblematic IOT security instance because we wanted to understand. We started to look after the emblematic incidents to see the reach of this attacks and how they are factored to the public. And, well, later we started to investigate and evaluate a policy framework and global standards. That are active today. And with this, we discussed and thought about how to assess readiness for post quantum cryptography. Here. It's not a question whether we are prepared or not. But how can we prepare.
So to this, we create at the end of the report, a proposal to actionable and inclusive mitigation. Including mitigation strategies. Since we know the internet is made out of billions of devices, and a huge part of them will not be able to be patched.
So to start looking over the landscape, we need to look into the IOT devices and see what are they. So they are resource-constrained devices, which is our first challenge post quantum. Cryptography is way more complex and way more resource intensive technology to be used. And we also are here using a devices with fragmented protocols. So we have devices with flora that uses a bandwidth different. And protocol different than the IP protocol that we are all using. So how can we go after it? How can we protect this other devices that talk in different languages? So it makes us feel like in the '70_s_ when we had a couple of devices talking different languages. But we need to harmonize them to protect all the ecosystem. Not just a part of the ecosystem against the quantum threats.
Of course, the other part of the landscape we have is the low-user awareness. So we have an inertia in patching these systems because most of the people even don't -- it's difficult, actually, to look after all your devices that you have in your home or in your factory or in your company. Because they are intended to be automated. They're intended to be devices you're going to drop into the system and you will never think of again of this individual device.
So, how can we highlight that we have this entry points that we have this devices. They are a risk. And use this to protect. So the case studies, I brought three here. One, is the Jeep Cherokee hack. It happened in 2015. They were able to change the steering wheel of the device and interfere with the braking system. So this was a huge turning point. Because a physical -- an online hack would be able to cause immediate harm to the user. So you can think, like, okay. It was in 2015. So now we are better. Well, no. In 2024, Kia had an instance where you could change the device owner and with this be able to unlock the car and also see the history of the car. So anyone with a Kia car could be hacked in this way and have its privacy violated.
So the Saint Jude cardiac implant showed it's not specific to a specific industry. You talk about medical devices that can risk the life of the impact. So the cardiac implant had a flaw. The device could be discharged remotely. And then making it unusable to the patient.
And one thing that we saw very concerning is about the botnets. So the Mirai botnet is one of the most prominent. Because it was created in 2016. It was, actually, a proof of concept. So a couple of guys in the college said, "I think this kind of attack is feasible. So we will write up some code and publish on the internet showing how we are vulnerable." Well, this, actually, created a trend. A base in their code. There are more than 30 active variants of this running around. And they have a huge impact in the privacy of the users and, also, to cause harm. So we saw other examples being used. And we need to look after this kind of threat. It's global.
So the policy landscape we went through, it's pretty interesting. We have ISO and they are based in very foundational. They are based on foundational knowledge about how we can secure the devices. We have the EU Cyber Resilience Act, which mandates the security by design, including an IOT. We have the NIST. APAC labeling systems are pretty interesting. They try to bring awareness to the user by validating the devices. And, also, we looked up into the PQC part. We saw the UK created a roadmap to plan the transition up to 2035. Which it looks promising. But we need to work on it.
And, also, we saw the role of IETF in the PQC standardization. Because the main source of communication of the devices is the internet. And we need to have devices to tackle this. People to tackle this communications.
So, yeah. The strategic recommendations. We saw that we are coming in a good path, but we need to think further on it. And create a mandate secure-by-design, harmonize global labeling and certification, and invest in lightweight post quantum resistant solutions. And, of course, train the users and the programmers to be able to use this kind of technology. Thank you.
>> MODERATOR: Thank you. Elif, what are your findings in the research where the post quantum part and the cryptography is concerned. The floor is yours, Elif. You have nine minutes.
>> ELIF KIESOW CORTEZ: Yes, thank you very much. Just making sure my slides are up, as well. And, of course, we are happy to be presenting today the findings of our report and you see the sociopolitical and technical impacts of IOT and PQC. And in the report, already my colleagues mentioned that we will be focusing on, also, giving strategic guidelines. So for me, I think, to complement what has been already said, let me just maybe jump to the PQC part. Because it's more detailed.
So what we wanted to cover here with our coauthors was both giving the advice on the importance of the PQC migration. But, as well, briefly mention we wanted to make sure it's on concrete subject. And for this case, we'll be referring to IOT when it comes to our recommendations.
So, first, we wanted to understand what is the current status of the discussion on these issues. And when it comes to PQC, it's important to mention, also, for our audience, we, we are talking about a threat by a quantum computer. And this particular quantum computer we referred to is defined as a cryptography relevant quantum computer. It has a focus. It has the capacity. And it can be utilized for breaking the currently valid encryption, including RSA. And I don't have to explain why this is a significant threat, but I'm just going to picture for you one version of this threat that has been discussed a lot.
This is called harvest now decrypt. And this is to say even when we are thinking that our highly sensitive data, such as government communications, are currently encrypted, this discussion -- this particular risk is highlighting that this encrypted data can be recorded right now. And those recordings can be decrypted once malicious actors are able to utilize a cryptography relevant quantum computer. That's to give a concrete example of why we say the risk is a big one. And the other indicators, of course, to understand how this is a current and relevant risk is to look at the policy landscape.
We're already seeing and analysing in our report the actions by NIST. It was briefly mentioned by my colleagues they already have guidelines that is on PQC algorithms are recommended. That, also, the fact that they set 2035 as a target for all federal systems to migrate to PQC encryption.
So, again, this can sound like -- right. We're talking about 2035. Has been communicated by NIST strongly it's important to start migration process as early as possible so that we can really guarantee that we are going to be making sure that this data is really secure.
So they gave the target of 2035, but then it can be said, we have to start today all of the migration plans. Why am I highlighting this? Maybe some of you saw in the news, maybe not, but EU just announced a few days ago that their ambitious target for all high-risk use cases that the PQC migration should be completed by 2030. So now we are already looking at five-year deadline. But let me make it a bit more pressuring. By explaining how they actually said that for achieving this timeline of making the switch by 2030, EU is now requiring the PQC transition planning and pilots to be initiated at least by the latest by the end of 2026.
So if you walked into our lounge thinking that we will be talking about this issue about the future, I guess that was wrong. We are launching today this report that is directly relevant to what needs to be done now. And not later. So let me just stress that there are also other EU member states, including France, Germany, and the Netherlands that already launched their PQC migration guidelines. So in our report, you will be finding more explanations on this, as well.
And this was, again, mentioned by my colleagues very briefly. Our report also looks at the societal impact angle, as well. For example, if they're talking about this, like, harvest now decrypt later attacks. Then we have to preserve the long-term privacy of the citizen, as well, against these kind of attacks. And we have to secure critical services when it comes to societal impacts. And when we're thinking about the legal impacts. Now, for example, we're saying the PQC migration plans must start latest by 2026, the regulations like the GDPR should be, also, compelling the user of quantum resistant encryption in the near future.
And when we look at the economic impact, of course, that will be significant calls for upgrading systems and hardware that this also why we're urging for the migration plans to be started early. It has been mentioned, again, that we will be also covering in our report the environmental impact, as well. I think we made the reference to it about how the algorithms can be, also, energy intensive. And making sure that we are thinking about the environment. We will need to be working toward a lighter, possibly working very well algorithms, as well.
So now I will be jumping into the recommendations. Again, already highlighted that this could be on different levels. We'll be giving recommendations in this report that are both on the national and organizational levels in detail. But we also made a call for global cooperation, as well. And we have different levels of recommendations. Again, you will find all of this in our lengthy report that we are looking at, for example, some more timeline perspectives in more detail on how to handle PQC migration. And we're, also, explaining in detail how organizations should tackle this. But another added value of our report, is we got a chance to apply it to a particular case. Particular study, which is on this IOT security. For this, we also gave international-level guidelines global standardization and interoperability that is focusing on international R & D as well as capacity building. And we are also very happy that we managed to give this very concrete national-level recommendations, as well. Starting from government initiatives for awareness and R & D. Continuing with making mandatory the PQC compliance. Because, again, now I think it's clear that the risk, the threat, is there. We know now better than, let's say 20 years ago, to not to ignore cybersecurity. So in that sense, we're also highlighting that has to be already educational training programmes, as well. But, also, we need to be thinking from things like national synergies, things like supporting, for example, product developers in PQC, so that we're covering 360 aspect of this migration issue.
Again, we said that we gave complete guidelines. Also when it comes to IOT and PQC Intersection. You can see in the report we'll be explaining step-by-step how a company and organization can also work toward or move towards the PQC migration. Starting from a cryptography asset inventory for their IOT systems to, of course, getting to the data privacy policies in line with that. As well as the supply chain engagement.
So, again, I already said we're happy to be launching this report. So I think that we also have a few printed out copies, as well, but you can scan this QR code, as well, to download our report. And if you are interested in working with us, of course, our colleagues are on stage. If you want to learn more on our report, like I said, you are provided this free and publicly accessible link to download and benefit and cite this report in your future work, as well. Thank you very much.
>> MODERATOR: Thank you very much, Elif. And very much on time. I think what Elif shows we have an option. And that option is stay to start acting now and be secure in quantum. But other thing is that we have a Dutch saying the donkey does not run into the same stone every time.
So where cybersecurity is concerned, the world is proving to be a donkey. We made the same mistake with launching new products insecure by design. Of.
This is a chance to do it differently. I think, with that, I open the floor for questions. Are there any online questions? No. There's a question in the room. Because the experts are here! Who would like to ask a question? There are microphones. So please move to the microphone. Please introduce yourself and your affiliation.
>> SPEAKER: Thank you very much. I'm the cyber investor for the Netherlands. I'm not a specialist on quantum computing and really thank you for the presentation. I will read the report with interest.
First of all, I was hoping that in the presentation there was reference to the cyber resilience act. Because it was especially important during procurement from the governments. Well, actually, that's already too late. I mean, it should already be in the products anyway. Because of the Cyber Resilience Act. I hope many other countries outside the European Union will look at the legislation and, also, try to copy it what is relevant for their own legislation to ensure it will come to world standards to include cyber resilience in the products of the companies.
For me, the risk in quantum and IOT new angle is interested to learn about it. I discuss, also, quite often with specialists, professors from universities the risk of post quantum computing. And I must say, there is also some different discussions. They say, you know, the organizations for which is really relevant. You know, the harvest decrypt later. They're already aware of it and busy with it. So, like, the intelligence agencies. For example, if you look to the small and medium -sized companies, data that is more than five years old, to decrypt it. So they say an encryption or the whole development of new encryption is going on anyway all the time. So it's not a topic for the wider audience to be really concerned about. Because, I mean, the product development in places in -- through the products. I'm wondering what your view is on that. Because you read a lot it makes big risk. And at the same time I speak to professors that say, you know, it's we already have post quantum encryption. Those organizations really need it, they are already aware of and use it. Also, companies they are truly aware of the need to secure the data. I'm curious about your view.
>> MODERATOR: Okay. Thank you. We'll take your question and then we answer both at the same time.
>> SPEAKER: Thank you. Very exciting and interesting session. Can you hear me now?
>> MODERATOR: Yep. Introduce yourself.
>> SPEAKER: Thank you for the nice interesting session. It's certainly an exciting topic. But, also, quite complex. I can imagine it's not super easy to grasp all the challenges here. And probably most of our normal people leading the everyday lives don't really think about much. Or even know they are using RSA or other encryption systems.
So I'm wondering what are your recommendations about the global labeling or certification. It would be interesting to hear a bit more what that could look like. And what would it be like in practices. It sounds like something a bit challenging. Because if you want to promote this kind of label, you also are, I believe, promoting these challenges. Like with this store now decrypt later. How do you balance raising awareness and not just worrying people or how to create trust without making it all way too complex. Thanks.
>> MODERATOR: Thank you. Thank you for your questions. Who would like to answer?
>> LUCIEN CASTEX: So the first one, is it a problem with most of the devices? So, yeah. I argue in this favor because when we think of cities, the intelligent cities. It has embedded several IOT devices all over the realm. And these devices are not secure enough for the kind of we make our society as a whole vulnerable to these kinds of attacks. So if you're able to fake the ownership of a specific device that it's crucial to the working of a transportation system, for example. And if you break this chain, you can cause real harm.
About the labeling part, well, we already have labeling in cars. You can see like, oh, this car is rated safety A. This car is rated safety D. I believe people buy them knowing this. And for their restrictions, they're unknown or not to take this risk. But it's good to take this decision informed. So I don't think it will cause, like, some kind of make them afraid unnecessarily.
>> MODERATOR: The example I heard where is the data stored and see what people voted 25 years ago when there's been a regime change. In other words, there are vulnerabilities that we need to consider that we're not even thinking of. It's about the things that lie there for 20 years or 40 years. And what happens with it. It's far more complex, I think, than just big companies or big banks will probably be able to deal with it. So that's sort of the thing we have in the back of our mind.
We have time for one more answer.
>> SPEAKER: It's NIST and the other organizations are trying to quantify the algorithms production could use. I would like to take an analogy of what happened, for example. People are saying the security. So the intersect was a solution but nobody was adopting that. I think in the quantum world, for example, things like that would help to easily add adoption.
>> BENOIT AMPEAU: To add an end-user perspective and raise awareness. Some countries are also thinking about developing, like, a cyber score label. So it could be, also, a way to directly give information to the end users and consumers about the level of security.
>> MODERATOR: Thank you very much. 45 minutes are over before you know it. We're closing.
I liken this topic to the millennium bug. All though everybody worked for nothing, it seemed. Everybody was able to act at the same time. Take the same measures that were agreed upon up front. I think that is something that we need to do with this topic. That the whole world starts acting. That nobody is left behind. The developing nations are assisting in the steps they need to take. If they're vulnerable, we're vulnerable.
So I think that the IGF in 2026 I'm confident we'll continue would be an ideal place to bring this together. Because we have so many different stakeholders that will have to take their own actions. And they have to agree upon these actions.
So what if we start later this year with an action plan bringing important stakeholders together and start discussing what is the issue. What are the actions. What is the quantum cryptography that we agree upon. And start to make action plan. And then it goes outside of the IGF. And from that moment on, hopefully everybody starts taking the same decisions. And Nico, you can have a short comment. Please introduce yourself. We have one minute left and they switch us off. Please introduce yourself. I would like to thank everybody, first. And then see how far we go. Thank you guys. Thank you over there. And the Norwegian organization. You've been absolutely brilliant these days in the reporting!
Very, very brief.
>> SPEAKER: Yeah. From the Finish Green's Party. I feel the largest actor on the risk here is not the private companies. Not the city. Not the ICT private operators, but the critical public infrastructure that is being quite harmed by austerity. And the current --
>> MODERATOR: You've made your point. Sorry, so Nico can make his point.
>> SPEAKER: Very quickly. I'm Nico. I want to know how many governments you have, at this point, participating in the initiative. And how they can -- can you hear me?
>> MODERATOR: Zero. That's your answer. We want to bring them in as fast as possible. I've heard you.
>> SPEAKER: You heard the question. Okay. Sorry.
>> MODERATOR: It's zero. We want to bring them in into the project.
>> SPEAKER: So they can still participate?
>> MODERATOR: Yes, of course.
We have 30 seconds. Can you share in one sentence what is ... the mic is there. There. Mic is there. One sentence. What is the conclusion of this session?
>> SPEAKER: Yeah. A few very good points. And I'll be brief. First one, and I have two. Is that it's quite important to keep in mind that IPC6 or the adoption we need to be faster.
And the second one, well, we launched this report at the IGF, which is a key multi stakeholder forum. We need forward thinking.
>> MODERATOR: Okay. That was very brief. Thank you very much for the synapses.
I want to thank everybody again for showing up so early on the last day an for your interest. Thank you, again, everybody! And hope to see you at the next IGF!
[ Applause ]
