Internet Standards, Security and Safety Coalition (IS3C)

The IS3C has established a work programme that i) brings the critical security supply and demand factors together; and ii) proposes the best options for the deployment of key standards and best practices on both sides, in the form of policy recommendations and practical guidance. These outcomes will be presented as IGF policy recommendations for dissemination to policymakers and decision-takers worldwide.

Establishment of IS3C working groups in the first phase of its workplan.

Following the launch of the Dynamic Coalition on Internet Standards, Security and Safety at the IGF in 2020, three working groups were established.

Working Group 1: Security by design

At the 2023 IGF in Kyoto the Security by Design Working Group on IoT of IS3C presented its report ‘Saving the world from an insecure Internet of Things’: https://is3coalition.org/docs/saving-the-world-froman-insecure-internet…. This concluded the first phase of the WG.

As we move into 2024-2025, the WG on IoT is adopting a dual-focused approach to enhance IoT security. Our efforts will be divided into two primary areas: educational initiatives and continued research.

Educational Initiatives:

Awareness Campaigns: We will launch targeted awareness campaigns to emphasize the critical importance of IoT security in both the public and private sectors.

Webinars and Courses: Our group will develop and host a series of webinars and develop comprehensive courses specifically designed for government policymakers and regulators.

These educational tools will provide essential knowledge and best practices in IoT security.

Continued Research:

Policy and Regulatory Analysis: We are committed to continuing our research into new policy and regulatory documents from various countries and continents.

This will allow us to stay abreast of the latest global best practices and ensure that our strategies are aligned with state-of-the-art standards in IoT security.

Best Practice Documentation: Alongside our research, we will regularly update the best practice documents to reflect the most recent developments and insights in IoT security.
 

Working Group 2: Education and skills

A major factor undermining the development of a common culture of cybersecurity is that students graduating from tertiary ICT-related educational programmes often lack the skills that business and society as a whole need in order to understand the benefits of security-related Internet standards and ICT best practices. In order for ICT security to be better understood, it has to be integrated into tertiary ICT educational curricula, at all levels. This may result in the structural development of ICT(-related) products and services that include cyber security Internet standards and ICT best practices. The coalition’s Working Group 2 has therefore the following goals:

• To detect and resolve cyber security skill gaps in tertiary ICT education curricula;
• To encourage tertiary educational institutions to include in their ICT curricula the essential skills, knowledge and understanding of security- related Internet standards and ICT best practices, building on current best practices, in order to bring tertiary education in line with emerging workforce requirements; 
• To strengthen collaboration between educational decision-takers and policy makers in governments and industry in order to align tertiary ICT curricula with the requirements of our cyber future;
• To ensure effective collaboration between key stakeholders in order to keep tertiary ICT educational materials in step with new technologies and standards and prevent new skills gaps from developing.

Working Group 3: Procurement and supply chain management and the business case

The focus of the third IS3C working group is the opportunity to promote the business case for cybersecurity through the inclusion of security-related technical standards in public sector procurement contracts and in supply chain management practice in the private sector. Research has shown that this would be a major driver for the adoption and implementation of security-related standards. Organisations , governments, industry and business users generally can demand secure by design ICT-related products and services by stipulating requirements in their contracts for specific standards and adherence to current best practices.

The Internet Governance Forum Dynamic Coalition on Internet Standards, Security and Safety will publish its report on procurement and supply chain management at the IGF in Kyoto. Its draft report aims to document existing policy requirements for public sector procurement contracts and supply chain management of digital technologies and asks whether security-related technical internet standards and ICT best practices are mentioned. It highlights emerging best practice and gaps in an effort to provide high-level guidance at the global level on how procurement plays a role in improving the security and safety of the global internet for all. We close with discussion and suggestions for future work. The document’s current status is open to feedback. We invite you to join this open consultation and share your views and to share links to policy documents, public or private on this topic not mentioned in the report. The deadline is Friday 8 September, 24.00 UTC.This linkleads you to the open consultation.

Working Group 5: Prioritising and listing existing, security-related Internet standards and ICT best practices

Security by design through procurement

In order to become more proactive where prevention of online harms is concerned, organisations will have to demand the deployment of a multitude of Internet standards and ICT best practices, in numerous disciplines, from manufacturers and developers. Over time, they will all have to be deployed, as they all contribute to a more secure Internet and far safer ICT services, devices and products. At the same time the dependency on the mitigation of incidents will decline.

This proposal looks at the issue of procurement from two angles:

1. How can decision-takers and procurement offices be assisted in learning to make decisions with security fully in mind, without being swamped with all standards at once?;
2. What is the full view of the topic at hand?

These questions led to the formulation of two goals:

1. To present to the world a list of the most important or urgent, security-related Internet standards and ICT best practices, that assist individuals in decision-taking position to demand and choose secure by design products;
2. To present an, iterative, overview list with all relevant, security-related Internet standards and ICT best practices.

At the start of this Working Group IS3C will gather a panel of experts from around the globe and engage them in finding a rough consensus on what standards, in what categories, need to be a part of this list. They will be recruited from international and regional organisations in government, Internet institutions and industry.  

An overall list, containing all security-related Internet standards and ICT best practices can be started at any moment, as soon as there is a clear decision on who hosts it and people with editing rights are identified.

Project lead is Wout de Natris.

Document

On 4 December 2023 UN IGF Dynamic Coalition on Internet Standards, Security and Safety (IS3C) published a procurement tool to advance the deployment of security-related Internet standards and ICT best practices: the ‘Checklist of Internet standards for secure communications’.
This list contains the most relevant and critical Internet standards that will assist decision-takers and procurement offices to procure ICT products, devices and services secure by design.

The list was compiled by a multistakeholder advisory panel of independent experts from around the world. It is based on four criteria: interoperability; security relate; open process and; proven track record. It contains the 23 most critical and relevant standards, e.g. DNSSEC, OWASP top 10, RPKI, any organisation should require to be integrated in the design of ICT products, services and devices, to pro-actively close numerous attack vectors in their and other organisations’ ICTs. An open consultation process was an integral part of this project.

The IS3C Working Group 5 report and list are available on IS3C’s website: www.is3coalition.org

The list adds to the IS3C Working Group 3 research report on public and private procurement that was released at the IGF in Kyoto. Both reports have been made possible by a grant of the RIPE NCC Community Projects Fund.

Working Group 6: Data governance

Data and related issues and developments in the public sector have become increasingly important in terms of government analysis and operations, academic research, and real-world applicability and acceptance. Data are now integral to every sector and function of government—as essential as physical assets and human resources. Much of the operational activity in government is now data-driven, and many Governments would find it difficult, if not impossible, to function effectively without data. 

While governments are more connected, they are equally exposed to new and emerging threats. Cyberattacks and incidents such as data leaks highlight the complexity at stake in determining what kinds of responses are adequate from a policy, norms, regulatory and governance when it comes to securing data. Many governments have responded by including such concerns as a core part of their national cybersecurity strategies and data protection regulations. 

This working group will support the development of a global review of data security, identifying emerging trends, sub-topics, and best practices in this area. The working group will place in the coming two months and directly engage in a mapping exercise and then develop recommendations for a data security framework. Activities will include:

1. Mapping data security frameworks and regulations.
2. Developing recommendations for how governments can better respond to data security challenges.

The first results of the activities conducted by the working group will be presented at the IGF in a dedicated Open Forum and in the IS3C workshop. 

The working group’s chair is Louise Marie Hurel. The work is supported by the United Nations Department of Economic and Social Affairs (UNDESA), Division for Public Institutions and Digital Government.

Working Group 8: Domain Name Security Extensions (DNSSEC) and Resource Public Key Infrastructure (RPKI) Deployment

Mission Statement
Two of the fundamental building blocks of the internet are the Domain Name System (the DNS) and the system of routing that allows Internet traffic to flow between our devices and sites. Both routing and the DNS are older technologies from a more innocent age, and neither was designed with any built-in security mechanisms. To help secure the DNS and the routing system from both malicious attacks and unwitting misconfigurations, the engineering community developed two protocols: Domain Name Security Extensions (or, DNSSEC) and the Resource Public Key Infrastructure (or, RPKI).
Wide deployment of these two standards is uneven across countries and regions, and globally remains a challenge. RPKI enjoys relatively good deployment levels. DNSSEC however, has not been widely deployed. Overall, although progress continues to be made, it is to the benefit of the security and resilience of the Internet to continue to strive towards greater general uptake. Internet resource organisations like ICANN and RIPE NCC deem this topic of importance.

This working group focuses on outreach and engagement efforts to increase trust in, and contribute to the wider deployment of, DNSSEC and RPKI. This working group provides a work plan, containing among others a new and different narrative and recommendations for the next phase, including an outreach plan at the global level.

Background
Research conducted in an IGF project in 2019 contains causes of, and recommendations to change, the slow uptake of standards deployment. One of the causes presented in the report, on the basis of input from the internet community at large, pointed to the fact that lack of deployment is perceived as being a technical issue, needing a technical solution. However, it was pointed out that what holds deployment back can actually often be based on financial, economic, or social decisions. This implies that the narrative is insufficiently tailored towards individuals in decision-taking positions in organisations. This conclusion led to two consecutive recommendations: a) to include and engage individuals in decision-taking positions and; b) to change the narrative in such a way, that they will decide favourably on deployment. The working group will provide this.

IS3C has created a tool that assists employees of organisations to convince the decision-takers in these organisations to deploy the newer generation, security-related internet standards DNSSEC (Domain Name System Security Extentions) and RPKI (Resource Public Key Infrastructure) within their organization or to add them as a demand when procuring ICT services.
 
This is of importance because technical teams often focus solely on technical merits when advocating for security standards implementation. This narrow approach has led to limited adoption. Deploying these standards creates inherent security benefits for an organisation's entire ecosystem - protecting customers, suppliers, employees, and internet users by safeguarding their vital information, including its own.

This tool provides decision-takers with essential arguments for implementing security standards. It covers security requirements, regulatory compliance, data protection controls, commercial benefits, and ethical considerations.
 
The report can be downloaded here: https://is3coalition.org/docs/how-to-convince-your-boss-to-deploy-dnsse… or IS3C's Internet standards Deployment Tool

Chair: David Huberman, ICANN
Vice-chair: Bastiaan Goslings, RIPE NCC

Working Group 9: Governance of Emerging Technologies: Quantum & AI

Breakthrough developments in dual-use technologies, such as AI & Quantum, led to recent global policymaking efforts and discussions regarding the governance of these domains. The critical security implications of these technologies require further attention of the stakeholders as the advancements continue towards further maturity and commercialization. This working group aims to offer a roadmap for anticipatory governance strategies for the field of emerging technologies, initially focusing on AI and Quantum technology. The proposed governance roadmap will be addressing the relevant roles of the state, the private sector, and civil society stakeholders based on lessons learned from past governance efforts concerning complex technology domains. 

Deliverables for this working group will include:

1. Mapping current risks and opportunities associated with these domains 
2. Policy recommendation report with input from diverse stakeholders
3. Standardization guidelines based on the policy recommendation report

Potential future Working Groups

It is possible to establish new IS3C working groups on the additional issues (new or mentioned below) relating to the adoption of security-related standards following stakeholder consultations during and following IGF 2021 in Katowice. Those interested in constituting a new working group can contact the IS3C’s leadership.

Identified policy issues for the Dynamic Coalition

The following topics have been identified for research at the start of the IS3C but have not been taken up.

• Assessing the value of involving non-technical stakeholders in standards development and accreditation processes through i) extending invitations to participate; ii) establishing a liaison system; and iii) providing explanations in non-technical language of why the urgent deployment of finalised and agreed standards is necessary and beneficial.
• Assessing the importance of consumer protection testing.
• Assessing the need for a fair system of faming, naming and shaming.
• Assessing the value of global testing of ICT products and services and a vulnerability reporting modus to ensure their security and safety.

Mailing list address: dc-isss@intgovforum.org

Subscribe to the mailing list: http://intgovforum.org/mailman/listinfo/dc-isss_intgovforum.org

• Nicolas Fiumarelli, Uruguay, technical community 
• Sam Goundar, Vietnam, academia 
• João Moreno Falcão, Brazil, private sector
• Janice Richardson, Luxembourg, civil society 
• Awo Aidam Amenyah, Ghana, civil society 
• Elizabeth Orembo, Kenya, private sector
• Frank Ogochukwu, Nigeria, technical community
• Raymond Mamattah, Ghana, civil society 
• Selby Abraham, Ghana, private sector
• David Huberman, United States, technical community
• Bastiaan Goslings, Netherlands, technical community
• Elif Kiesow Cortez, Turkey, academia
• Maarten Botterman, Netherlands, private sector

• Annual Report 2024 (January 2025)
• IS3C's Internet standards Deployment Tool (November 2024)
• IS3C and the Sustainable development Goals: At the IGF in Kyoto Selby Abraham, chair of the IS3C SDG sub working group, presented on the group's research into how IS3C's work contributes to the SDGs. The group found that "By advancing wider deployment of Internet standards that establish greater online security, safety, and data privacy, IS3C supports the establishment of a digital environment that empowers individuals and communities, fosters innovation, and accelerates progress towards a more sustainable and equitable future. Much of the coalition’s work is accordingly directly relevant to achieving several SDGs, as explained in this paper." The full report can be found here on IS3C's website. 
• On 4 December 2023 UN IGF Dynamic Coalition on Internet Standards, Security and Safety (IS3C) published a procurement tool to advance the deployment of security-related Internet standards and ICT best practices: the ‘Checklist of Internet standards for secure communications’. This list contains the most relevant and critical Internet standards that will assist decision-takers and procurement offices to procure ICT products, devices and services secure by design. (December 2023) 
• In just three years IS3C has grown to comprise eight working groups, with remits to produce reports, recommendations, guidelines and toolkits that will contribute to making the digital world more secure and safer. You can read a summary of our reports and learn of our plans for 2024 and beyond, including the development of an IGF Cybersecurity Hub here: Annual Report 2023
• Procurement and Supply Chain Management and the Business Case (October 2023)
• Saving the World from an Insecure Internet of Things (October 2023)
• Report from the 8th General Meeting (April 2023)
• Annual Report 2022 (February 2023)
• Meeting notes – IS3C 6th General Meeting (September 2022)
• Annual Report 2021 (January 2022)
• DC-ISSS governance document(April 2021)
• Annual Report 2020
• The final report of the IGF’s Pilot Project in 2018-19 entitled Setting the standard for a more secure and trustworthy Internet explained the reasons for the slow and limited deployment of these standards, and identified the key decision-takers in society that as points of pressure would be able to accelerate the processes of deployment globally.
  The Report presented a range of recommendations and solutions that on the demand side would ensure that the right decisions are taken within large organisations relating to the deployment of these standards. On the supply side, the Report recommended leaders in the ICT and Internet industry should integrate security-enhancing standards and best practice in their products and services.

Wout de Natris, coordinator, wout.denatris (at) is3coalition.org

Mark Carvell, senior policy advisor, Mark.carvell (at) is3coalition.org