Internet Standards, Security and Safety Coalition (IS3C)

Motto: Making the Internet more secure and safer

Introduction

At the IGF in Katowice, the Dynamic Coalition on Internet Standards, Security and Safety announced its name change into Internet Standards, Security and Safety Coalition (IS3C). It remains an IGF Dynamic Coalition that brings together key stakeholders from the technical community, civil society, government policymakers, regulators, and corporate and individual adopters, with the shared goal of making online activity and interaction more secure and safer by achieving more widespread and rapid deployment of existing Internet standards and ICT best practices.

Internet and ICT security is an issue that is high on the agenda of governments, industry and individuals alike. The COVID-19 pandemic has brought into sharp focus the rapid increase in society’s dependency on the Internet, communications technologies and networks, the interconnectivity of devices, and the vast array of online services, networks and applications that permeate all social and economic sectors, and on which every aspect of daily life, including our health and financial welfare, increasingly rely.

It is also widely recognised that many Internet-related products and services are increasingly vulnerable to security threats and the spread of online harms and criminal misuse. However, if relevant security-related standards and best practices are more effectively adopted and deployed worldwide, these risk can be reduced significantly. This will foster greater trust in the Internet and its related digital technologies and applications and the positive social and economic benefits of these transformative technologies for sustainable development will be fully realised for communities worldwide.

The IS3C aims to ensure that standards and best practices play their full role in addressing these cybersecurity challenges through establishing the conditions for their wider, more effective and more rapid adoption by key decision-takers throughout the standards implementation chain in both the public and private sectors.

This can be achieved only if there is a shared commitment by stakeholders worldwide in a new comprehensive and strategic approach.

Action plan

The IS3C has established a work programme that i) brings the critical security supply and demand factors together; and ii) proposes the best options for the deployment of key standards and best practices on both sides, in the form of policy recommendations and practical guidance. These outcomes will be presented as IGF policy recommendations for dissemination to policymakers and decision-takers worldwide.

Establishment of IS3C working groups in the first phase of its workplan.

Following the launch of the Dynamic Coalition on Internet Standards, Security and Safety at the IGF in 2020, three working groups were established.

Working Group 1: Security by design

The IS3C membership agreed that promoting security by design should be a key objective for the coalition and it was decided to focus in the first phase of its work on security by design of the Internet of Things (IoT). Other security by design topics would be selected following the conclusion of the working group’s proposals relating to IoT.

Research has confirmed that there is a large gap between the theory of security and the daily practice of IoT security. The working group is focussed on identifying the solutions needed to close this gap. The first results will be reviewed and published after the 2021 IGF in an open process of consultation with stakeholders worldwide.

WG 1 Mission Statement | November 2022 The document outlines the sub-group's aim of (a) reviewing current security-related IoT initiatives and practices worldwide, and (b) developing a coherent package of global recommendations and guidance for embedding security by design in the development of IoT devices and applications. The report will include the outcome of research questions shared globally.

Working Group 2: Education and skills

A major factor undermining the development of a common culture of cybersecurity is that students graduating from tertiary ICT-related educational programmes often lack the skills that business and society as a whole need in order to understand the benefits of security-related Internet standards and ICT best practices. In order for ICT security to be better understood, it has to be integrated into tertiary ICT educational curricula, at all levels. This may result in the structural development of ICT(-related) products and services that include cyber security Internet standards and ICT best practices. The coalition’s Working Group 2 has therefore the following goals:

• To detect and resolve cyber security skill gaps in tertiary ICT education curricula;
• To encourage tertiary educational institutions to include in their ICT curricula the essential skills, knowledge and understanding of security- related Internet standards and ICT best practices, building on current best practices, in order to bring tertiary education in line with emerging workforce requirements; 
• To strengthen collaboration between educational decision-takers and policy makers in governments and industry in order to align tertiary ICT curricula with the requirements of our cyber future;
• To ensure effective collaboration between key stakeholders in order to keep tertiary ICT educational materials in step with new technologies and standards and prevent new skills gaps from developing.

WG 2 Mission Statement | November 2022  The document describes the group's focus on examining how tertiary educational curricula at all levels need to adapt to ensure that school and college-leavers are equipped with sufficient knowledge and understanding of how deploying security-related standards helps individuals and businesses be secure and safe in the digital economy. The group intends to develop recommendations and guidance in this regard. WG 2 Report | December 2022  In its workshop in Addis Ababa IGF Dynamic Coalition IS3C officially presented its first report to MAG chair Paul Mitchell and the representatives of our sponsors. The report contains the results of a global research to better understand the skill shortage in the cybersecurity sector. The report provides recommendations on how to improve and better align the skill gap between industry and society's demand for and tertiary education facilities' offer in the cyber security curriculum. Finally, the report presents the next steps the Education and skills working group (WG2) proposes for 2023 on how to turn the theory of the report into the practice of adoption. You can download the report on IS3C's website: https://is3coalition.org/docs/study-report-is3c-cybersecurity-skills-gap/.

Working Group 3: Procurement and supply chain management and the business case

The focus of the third IS3C working group is the opportunity to promote the business case for cybersecurity through the inclusion of security-related technical standards in public sector procurement contracts and in supply chain management practice in the private sector. Research has shown that this would be a major driver for the adoption and implementation of security-related standards. Organisations , governments, industry and business users generally can demand secure by design ICT-related products and services by stipulating requirements in their contracts for specific standards and adherence to current best practices.

WG 3 Mission Statement | June 2021  The document outlines the group's goal of developing actionable and practicable policy recommendations and guidance to ensure that public sector procurement and private sector supply chain best practice and related professional training takes into account Internet security and safety requirements.

Working Group 5: Prioritising and listing existing, security-related Internet standards and ICT best practices

Security by design through procurement

In order to become more proactive where prevention of online harms is concerned, organisations will have to demand the deployment of a multitude of Internet standards and ICT best practices, in numerous disciplines, from manufacturers and developers. Over time, they will all have to be deployed, as they all contribute to a more secure Internet and far safer ICT services, devices and products. At the same time the dependency on the mitigation of incidents will decline.

This proposal looks at the issue of procurement from two angles:

1. How can decision-takers and procurement offices be assisted in learning to make decisions with security fully in mind, without being swamped with all standards at once?;
2. What is the full view of the topic at hand?

These questions led to the formulation of two goals:

1. To present to the world a list of the most important or urgent, security-related Internet standards and ICT best practices, that assist individuals in decision-taking position to demand and choose secure by design products;
2. To present an, iterative, overview list with all relevant, security-related Internet standards and ICT best practices.

At the start of this Working Group IS3C will gather a panel of experts from around the globe and engage them in finding a rough consensus on what standards, in what categories, need to be a part of this list. They will be recruited from international and regional organisations in government, Internet institutions and industry.  

An overall list, containing all security-related Internet standards and ICT best practices can be started at any moment, as soon as there is a clear decision on who hosts it and people with editing rights are identified.

Project lead is Wout de Natris.

Working Group 6: Data governance

Data and related issues and developments in the public sector have become increasingly important in terms of government analysis and operations, academic research, and real-world applicability and acceptance. Data are now integral to every sector and function of government—as essential as physical assets and human resources. Much of the operational activity in government is now data-driven, and many Governments would find it difficult, if not impossible, to function effectively without data. 

While governments are more connected, they are equally exposed to new and emerging threats. Cyberattacks and incidents such as data leaks highlight the complexity at stake in determining what kinds of responses are adequate from a policy, norms, regulatory and governance when it comes to securing data. Many governments have responded by including such concerns as a core part of their national cybersecurity strategies and data protection regulations. 

This working group will support the development of a global review of data security, identifying emerging trends, sub-topics, and best practices in this area. The working group will place in the coming two months and directly engage in a mapping exercise and then develop recommendations for a data security framework. Activities will include:

1. Mapping data security frameworks and regulations.
2. Developing recommendations for how governments can better respond to data security challenges.

The first results of the activities conducted by the working group will be presented at the IGF in a dedicated Open Forum and in the IS3C workshop. 

The working group’s chair is Louise Marie Hurel. The work is supported by the United Nations Department of Economic and Social Affairs (UNDESA), Division for Public Institutions and Digital Government.

Working Group 9: Governance of Emerging Technologies: Quantum & AI

Breakthrough developments in dual-use technologies, such as AI & Quantum, led to recent global policymaking efforts and discussions regarding the governance of these domains. The critical security implications of these technologies require further attention of the stakeholders as the advancements continue towards further maturity and commercialization. This working group aims to offer a roadmap for anticipatory governance strategies for the field of emerging technologies, initially focusing on AI and Quantum technology. The proposed governance roadmap will be addressing the relevant roles of the state, the private sector, and civil society stakeholders based on lessons learned from past governance efforts concerning complex technology domains. 

 

Deliverables for this working group will include:

1. Mapping current risks and opportunities associated with these domains 

2. Policy recommendation report with input from diverse stakeholders

3. Standardization guidelines based on the policy recommendation report

 

 

 

The next phase of IS3C in 2022

The IS3C working groups are currently defining research proposals that will be published on the IS3C website and it is expected that the research programmes will conclude in early 2022.

The timeline for the next phase of the coalition’s work is as follows:

November 2021

• Submission of IS3C report to the UN IGF in Katowice with inputs from the three Working Groups, including progress report and initial draft recommendations for consultation.

December 2021

• Discussion of proposed outcomes during the IS3C session at the UN IGF in Katowice. Conclusions and next steps included in the summary of UN IGF outcomes and disseminated to all national and regional IGFs, relevant institutions, IGPs and NGOs. The IGF session will also review the working group structure in line with agreement of the workplan’s next steps in 2022.

January 2022

• Progress report provided at open consultation meeting of IGF’s Multi-stakeholder Advisory Group.

February-May 2022

• Finalisation of implementation and deployment strategies in consultation with key stakeholders including government administrations, parliamentarians and private sector decision-takers.

June 2022

• Progress Report submitted to open consultation meeting of IGF’s Multi-stakeholder Advisory Group.

September 2022

• IS3C members meet to take decision on whether to undertake a further phase of follow-up work in 2022-23 or to dissolve the coalition after the 2022 IGF.

November/December 2022

• IS3C submits its second report to the IGF in Addis Ababa.

January 2023

• Progress or final report provided at open consultation meeting of IGF’s Multi-stakeholder Advisory Group.

 

Potential future Working Groups

It is possible to establish new IS3C working groups on the additional issues (new or mentioned below) relating to the adoption of security-related standards following stakeholder consultations during and following IGF 2021 in Katowice. Those interested in constituting a new working group can contact the IS3C’s leadership.

Identified policy issues for the Dynamic Coalition

The following topics have been identified for research at the start of the IS3C but have not been taken up.

• Assessing the value of involving non-technical stakeholders in standards development and accreditation processes through i) extending invitations to participate; ii) establishing a liaison system; and iii) providing explanations in non-technical language of why the urgent deployment of finalised and agreed standards is necessary and beneficial.
• Assessing the importance of consumer protection testing.
• Assessing the need for a fair system of faming, naming and shaming.
• Assessing the value of global testing of ICT products and services and a vulnerability reporting modus to ensure their security and safety.

Mailing list

Mailing list address: [email protected]

Subscribe to the mailing list: http://intgovforum.org/mailman/listinfo/dc-isss_intgovforum.org

Stakeholders

• Nicolas Fiumarelli, Uruguay, technical community 
• Sam Goundar, Vietnam, Academia 
• Janice Richardson, Luxembourg, civil society 
• Awo Aidam Amenyah, Ghana, civil society 
• Mallory Knodel, U.S.A., civil society 
• Raymond Mamattah, Ghana, civil society 
• Louise-Marie Hurel, Brazil, academia 
• Elif Kiesow Cortez, Netherlands, academia 

Documents/Reports

• Annual Report 2022 (February 2023)
• Meeting notes – IS3C 6th General Meeting (September 2022)
• Annual Report 2021 (January 2022)
• DC-ISSS governance document (April 2021)
• Annual Report 2020
• The final report of the IGF’s Pilot Project in 2018-19 entitled Setting the standard for a more secure and trustworthy Internet explained the reasons for the slow and limited deployment of these standards, and identified the key decision-takers in society that as points of pressure would be able to accelerate the processes of deployment globally.
  
  The Report presented a range of recommendations and solutions that on the demand side would ensure that the right decisions are taken within large organisations relating to the deployment of these standards. On the supply side, the Report recommended leaders in the ICT and Internet industry should integrate security-enhancing standards and best practice in their products and services.

Contacts

Wout de Natris, coordinator, wout.denatris (at) is3coalition.org

Mark Carvell, senior policy advisor, Mark.carvell (at) is3coalition.org