RAW - 2014 09 04 - WS 49 - Internet Standards Implementing and Responsibilities - Room 4

RAW COPY

 

NINTH ANNUAL MEETING OF THE

INTERNET GOVERNANCE FORUM 2014

ISTANBUL, TURKEY

"CONNECTING CONTINENTS FOR ENHANCED 

MULTI-STAKEHOLDER INTERNET GOVERNANCE"

 

04 SEPTEMBER 2014

16:30

WS 49

INTERNET STANDARDS:  IMPLEMENTING & RESPONSIBILITIES

***

The following is the UNEDITED output of the real-time captioning taken during the IGF 2014 Istanbul, Turkey, meetings.  Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the session, but should not be treated as an authoritative record.  The following is UNEDITED.

***

>> WOUT DE NATRIS:  It's working now.  Thank you.  Ladies and gentlemen in the audience, dear panelists, thank you very much for joining workshop 49 on Internet standards and best practices and the implications of known implementation of cyber security.  Last year we organised a workshop number 90 which was on critical infrastructure and incident involving that in cross border cooperation.  One of the topics that was brought up there was standards implementation standards and non‑implementation standards.  It was a colleague of Jari who brought that up.  And that stuck to our mind as a potential topic for this year.  And when the ministry of economic affairs published their vision at the end of 2013 they also stated that the implementation of two standards and Internet best practices is critical for cybersecurity but also that they notice that very often they were not implemented by industry and they wondered why.  But also they noticed that the first advantage was not always there, it's not your interest to move first in fact it may for industry partners be a negative thing to move first.  And that was enough to within an LIGF decide we are going to move this forward as a topic for 2014 here in useful Istanbul and here we are.  What we are going to do is go over a couple of topics looking at what Internet standards and best practices are, also we are going to look at several parties that work on drafting these practices.  Also look at parties who actually may have to work or do work with them, do not work with them, find out reasons behind that and look at the future or the stakeholders and the right stakeholders on this table to discuss this in the future.  And I think that the answer may be yes but we will look into that and look finally into recommendations how this topic would actually be changed and perhaps come up with a topic for 2014.  I'm going to start with introducing the panel which I will do for sake of time.  
I'm going to start with Aparna Sridhar who is with Google as counsel.  Michael O'Riordan, Thomas De Haan who is senior consultant (?) Adam Sedgewick who is IT policy professional at the National Institute of Standards and Technology in the United States.  You have Utley (?) But also active in the global community.  I have Jari Arkko who is working with Ericsson.  Where are you?  It's the wrong order, of course.  I've got Chiara Giovanni who is with the European association for the coordination of consumer representation and standardization and Chip Sharp who is with Cisco Systems.  And we have another person on the list who apparently was unable to make it from Africa which we haven't heard from so maybe he's a remote participant.  If Seedy Bensouda is there, we will hear from him.  

What I've asked and I'll introduce myself, my name is Wout de Natris I'm a consultant.  You can find me with many hats here at this IGF this year but now I'm the moderator on behalf of INIL IGF.  I've asked Jari to come up with what Internet standards and best practices are and to set the scene.  So Jari, the floor is yours. 

>> JARI ARKKO:  Thank you.  I was talking to a colleague before this session and he said people are not implementing standards.  Well I thought I should probably go into a little bit more depth.  Actually I think people are implementing standards, maybe not in all cases though and there's more to it.  So the thing I want to emphasize is the need, there's a need for a broad approach for dealing with something like cybersecurity issues so we need technical standards, industry and vendor best practices, corporate and individual best practices, and we need legal and law enforcement frameworks.  As an example employing a secure service needs both the technology, the application of that technology in a network, careful users that employ the tools in a safe manner and ways to deal with problems if they arise.  It's usually not productive to place the burden on one of those aspects.  We cannot fix all problems with technology nor can we fix them with just more Internet Governance for instance.  But I wanted to talk about the best practice a little bit and I want to talk in particular about how standards organisations such as the IETF deal with this.  We write technical standards and RFCs.  We sometimes provide guidance on the best ways to use these technologies or how to deploy them.  We call them best current practice documents or RFCs.  An example of what we have been working on quite recently because of surveillance we were working on more Internet security as much as possible from the various parts of Internet trafficking would be secure and using TLS in applications and we have a working group that is trying to figure out how to use TLS, recommend these things to be turned on because they prevent new attacks from being launched against you.  So that's one example of the kinds of things that we are doing.  But these types of recommendations are not just limited to IETF and also document them sometimes in documents.  
ISOC is running a new programme for what they call best current operator practice.  Or BCOPs.  I think we shall be making more recommendations to the engineer approach.  It's up to you how to use it.  I think it's beneficial in most cases to provide far more information when it is useful and suitable for the configuration.  So we could provide far more guidance than we currently are.  But it's also not always easy, there are plenty of examples of slow deployment of new technology and so it's easy to convince people to take it on because of first mover issues and other things.  And of course most of the Internet standardization all of it really is operating in this voluntary adoption principle that we are doing standards but we are not forcing anyone to use them.  Which is actually the only practical and sensible way of operating but the down side of that is that then people need to be motivated to take into account or take into use something new.  The other thing I wanted to mention that most major new things have some complexities.  They may come with tradeoffs, okay you can turn on security but it could affect something.  One example of that we have been talking about the use of TLS in web browsing or HTTPS.  And there's a lot of discussion about what is the role of proxies and caches and other similar things like that in that context.  So it's usually not possible to say that it's all good for you in all possible cases and there will be no down sides.  That's not the reality that we live in.  So I think I'll stop here and let others talk more.  Thank you.  

>> WOUT DE NATRIS:  Thank you, Jari.  One more comment from my side which was meant for you which I forget.  This is not a panel with long presentations and slides as you know.  This is going to have an interactive one and what is even worse you're supposed to interact with it so if you are able to and want to ask any questions to the panelists, please feel free to do so, just raise your arm and I'll walk over to you.  

We have several people in the panel involved in standards, the creation and drafting of standards and from many different angles just go from left to right.  Mike, you do a lot of work describe in a few words what you do and what the implications are. 

>> One of my goals is to work for a group, it's rather long wind with you if you think about it's it an operational security community for some of the largest ISPs, mail senders on the planet and we come together to address the operational problems we encounter.  The one that comes readily to mind is spam.  Spam is one of those things that not everybody, there are some people who seem to be quite keen on not fighting spam but most people actually believe that spam is a universally bad thing.  And so we come together and we use the standards quite often that have been or we encourage the use of the standards that have been adopted at the IETF or promulgated by the IETF.  Particular examples things like SPF which is actually a great example because those were a great example of technical standards that came out and on their own they had marginal use but by the time they got to the operational community people look at them and went if we were to write best practices and ‑‑ well there's an element of technology but it's only minor, that sits on top of this, we can use the technical standards that have been generated at the IETF and the example of this is something called DMARC which is a way of reporting on how e‑mail is disposed of.  

I mean, standards get adopted when they're useful.  They also get adopted when they're adopted voluntarily.  You don't want them rammed down your throat and they have to be reached by a consensus process.  

 

>> WOUT DE NATRIS:  Adam Sedgewick from the standardization agency, please explain your work.  

>> ADAM SEDGEWICK:  Sure.  I'm with National Institute of Standards and Technology which is part of the US Department of Commerce.  And we really have two roles that relate to this issue.  One is an overarching responsibility that the US has in partnering with international standards bodies.  So the US is actually unique in that with everything we do we are supposed to rely on voluntary consensus standards first.  So we have a whole process called incorporated by reference where instead of setting up something that's government unique we work with the standards bodies if there is an existing standard or work with them to develop a new standard when the need is there.  And that's not just for technology, that's for all sorts of things.  So that's one of the roles.  And the other role is the responsibility we have under the Federal Information Security Management Act which we develop standards and guidelines for federal departments and agencies so that's a responsibility we have to ensure what the US government and the roughly $80 billion that we spend a year for information technology can rely on commercial off the shelf technology.  So in our laboratory programme we have people studying the technology and figuring out where the guidelines are which are pretty much equivalent to best practices and then in some limited cases we will develop standards.  All of that is done in collaboration with industry with the very open transparent process.  And then one thing we worked on just last year that was very consistent with is this a good example of when we went to industry and said we have this need, what is out there, what can the market provide?  And that was issue with critical structure for cybersecurity.  And it goes to a problem that policy makers saw that is at the heart of this session that policy makers saw there were a good set of standards and best practices out there but we didn't see uptake sufficiently.  
We had an open process to look what was out there, and then to help develop a structure so they could be used voluntarily and really help with some of the issues we saw which included fragmentation due to different regulatory and legal regimes.  So that's something we developed over the course of a year through open workshops.  It's out there we are assessing now the extent at which industry is using and we really saw our role in that as a convener bringing together these diverse stakeholders.  And in the future we would like to figure out a way that our role as convener ‑‑ figure out what is a non‑governmental way for these practices and standards to grow in the future. 

>> WOUT DE NATRIS:  As a question, when you develop a standard, is that obligatory one to adopt with everybody or is it still voluntary process because I'm trying to find if there's a difference between your organisation and the others?  

>> So it's obligatory if you're a federal department and agency.  They are all based in risk management so it's basically the heart of those standards are how do you categorize information systems and develop the risk management processes on top of that to best manage those risks. 

>> WOUT DE NATRIS:  Thank you.  Utley, you're active in the RIR, the regional Internet registries, you work on standards and best practices also.  Can you tell us a little bit about them?  

>> Utley:  Thank you very much.  So I just have a couple of points to add.  From the IR perspective what Jari mentioned in participating in developing technical standards that's one of the things we do we have colleagues come into the meetings and discuss.  And I know it's very critical because our membership when we have meeting and have discussion with them they will have a lot of questions on how the technology works, the limitation, how does it impact security and things like that.  So from one end that sort of participation is very critical.  Of course to participate in this kind of discussion there is a prerequisite in terms of the technical knowledge that you must in terms of the technical standards.  The work we do with our members is we go and spend some time to work with the NOGs with their meetings and this is where the exchange of information takes place.  One thing that takes place is normally people will be discussing issues, I have issue from spam and things like that.  So naturally the next thing that people will ask is what are some of the best practices that you apply to make sure that your customers are not affected or you can be resilient or you can mitigate this risk.  So the discussion on best current practices is always something that we see and something that people always need and there's a demand for this type of thing.  So lately one of the things that we have been trying to promote with people in the security community are things like BCP 38 and this will prevent attacks that exploit the ability to be able to spoof IP addresses in carrying out these attacks.  And in some instances it's just an awareness thing.  But if you look at from another angle these are the things that people need so they can look at it and have some reference so it is not just enough to tell them that you must do something about this, but then they will ask how do you do it then?  
So to come out with best current practice that is relevant and applicable and useful is something that the network operators groups are looking at.  The other thing is that from the IR perspective.  We have the WHOIS database.  The WHOIS database is fairly useful at times when people want to find out who is the proper contact point when it comes to abuses.  The issue is many of the network operators, many of our members will just put contact point but when we meet them and have discussion with them they will then ask how do other people do incident response?  What are the reasons that they use?  What are the procedures?  So this shows that there's a need for this best current practices and for the discussions to be frequent so that these things are up to date from time to time.  I think I'll just stop at those two points.  I have some other things but maybe in a different round.  Thank you.  

>> WOUT DE NATRIS:  Thank you, Utley.  Taking away an important point that you have to have some technical proficiency to be able to join the discussion and that may then also inhibit from people joining these discussions.  So that's a topic that we will probably come back to later but thank you for mentioning it.  Jari, we had you, of course you already explained what the IETF does, thank you for that.  But Chiara Giovanni you are also involved in Internet standards and best practices but from a completely different point of view from the consumer.  So what is your role when they are created and what is the role of the consumer in the discussion?  

>> CHIARA GIOVANNI:  Yes, indeed.  ANEC is a special consumer association because our specialty is standards.  You may wonder why at the European level standards are used to complement public policies and legislation and this is why it's important to have all stakeholders around the table so when a consensus is reached it's a real consensus.  We are covering many fields and the Internet and the Information Society is one of the fields we are covering.  At the European level there is quite a lot of discussion on cybersecurity standardization, there is a strategy going to be developed together as well with the institutions the European institutions as I mentioned there is rarely a complimentary about it and consumers goer to follow this work.  There is also very interesting work going on on electronic signatures and certificates which I think it's very much more relevant in this context of cybersecurity from the consumer point of view.  Generally we have experts participating you just mentioned how important it is to have technical expertise.  It is half of the problem but the other part of the problem or issue is leading to a real consensus and it is something which is very important and depends on a lot on the standardization we are mentioning.  Our experience is nor the so‑called former bodies because there you have a consensus.  There are other standardization bodies where the consensus is differently reached and from a consumer point of view it is almost impossible to have an impact in those standardization bodies. 

>> WOUT DE NATRIS:  Thank you.  We have heard the side of the people creating the standards of participating in the process of creating standards and Internet best practices.  Let's have a look at how this impacts industry because all these standards are made but to implement them must have some sort of implementation and let's start on the other end and come back.  Let's start with Chip.  You work with Cisco.  

>> CHIP SHARP:  Cisco Systems is a company founded around 1988.  It builds much of the infrastructure that the Internet runs on right now, the router, switches and also developed many collaboration systems such as WebEx which we are using here for the IGF is also a Cisco product as well so we are proved in many of not only the product but some of the applications and services that run over the Internet.  One thing a little bit just for my own purposes I've been in the industry for over 30 years and 20 of that at least is spent developing products and working on standards activities.  In IETF, TIA, ITT, a number of standards organisations.  So just to give you an idea now Cisco is involved in around probably over 75 standards organisations and fora that we have people engaged in.  Picking around from 2,002 to 2,004 we have people involved in over 400 standardization efforts globally.  I have something on the screen that goes with what I was going to say here.  But the industry is based on voluntary and international standards developed by bodies such as IETF, World Wide Web Consortium and we want to stick to building security globally.  So industry builds products based on these standards with a currently build once, sell globally business model as much as possible.  That drives innovation, efficiency and products and services in the ability to do that.  In terms of cybersecurity standards these global standards are critical for interoperability and developing the global markets but as well as improving cybersecurity posture globally as well.  One thing we can get into is poorly designed or implementing on conflicting national standards can actually add risk to that posture and global efficiency.  So the way we look at it is if modern global standards exhibit principles.  Look at your power strips now and see the converters that are plug in.  Each of these is a national standard.  So when you go to a different country we have to lug around a different power converter.  
If we can go to the next slide ‑‑ oh, I can do that.  Which button do I push?  So if you remember these, did anybody here travel globally in like the 90's when you access the Internet via dialup modems and do you remember carrying around a bag of converters so you can plug into every country?  Every day you had the figure out if you can actually connect to the network somehow.  And this is an example of a national based standards ‑‑ oops, I think I just turned something off.  What do I do?  So as we move forward and the Internet is grown what we have settled on we now have more global standards.  So with ethernet you have cat five, you have a standard connector that you can carry one cable with you to plug in.  Even better nowadays we don't have to take connectors at all because there's Wi‑Fi.  One standard you go to IGF globally and don't have to carry bags of connectors around with you.  So these are very simple examples of why global interoperable standards.  In general, you can work globally with the single standard.  And I think I have one more.  Jari might recognize some of this.  A number of years ago Steve Deering came up with an hourglass model of the Internet.  As we add more and more applications the hourglass expanded to now it looks like a martini glass is the way we look at it.  Why it's so ubiquitous is we have a stable middle right now with TV over IP, acts a stable middle protocol so no matter what network you're on top of, wireless, GS, WI, it doesn't matter what net or sub net you're running over, you're always running IP over what the infrastructure is.  And then over IP there's a standard set of protocols or you can develop protocols on top of so all you have to do is run on top of TCP and don't have to worry about all the stuff at the bottom.  You don't have to worry about that.  And you have some number of protocols, HTTP is a web for web browsing, SMTP for e‑mail.  
And now application providers or application writers don't have to worry about all that mess underneath.  All they have to do is write to the API for any of those protocols and then they can access anything in the world.  So they don't have to worry about the details of the underpinnings in order to actually expand and scale globally and that's part of the power that has allowed the Internet to grow globally and allows you to do what we do here today.  I'll stop and there's one thing ‑‑ I'm actually done so we can turn this off.  I figured out how to turn it off I think.  One thing that's interesting is in being involved in standards for a number of years is there's a senator from the United States that after he retired somebody asked him about passing legislation and what he thought about passing legislation.  I think what he said was applicable to all the work I've done.  Over all the legislations he's done over the decades, probably about 20%.  It was useful and 80% could be thrown away, was a complete waste of time.  The problem was you didn't know which was the 20% until about 5 or 10 years later.  You didn't know one was a waste of time or which one was useful until years after you've spent the time doing it and that's a problem with developing standards in terms of working within standards organisation.  So thank I appreciate it. 

>> WOUT DE NATRIS:  Thank you, you actually quite well explained there are standards on the Internet that actually make it work and are essential to make it work and economically grow so I think that's very important to understand.  Thank you.  I'm going to move back to Mike because you're an industry organisation.  When you discuss jury best practices then they have to go back to your members.  How do they implicate the members, what does it mean for them when once this new practice comes out?  

>> Mike:  Given that the we are certainly working at more given the best practices we come out with have arrived voluntarily in a consensus manner generally what happens is they get applied, they get used because they're the sensible things we all need to do.  We are at standards‑we are not a standards body per se but we generate best practices but we do it in a spirit because we are working in an area which is an area of mutual nuisance.  One day a reporter from the newspapers in DC in the hill rang me up and found out I was working closely with a guy from at and.  And ask me if I fight with him a lot and I said no we go out drinking occasionally.  We are addressing what are mutual problems that impede all our businesses and I think that's where you we see where we go forward because we are dealing in an area which is a commonly problematic area so it's in everybody's interest to work together.  Very interestingly we also work with a bunch of illegitimate e‑mail centres.  And there's been a very irritating process for most of us I expect which is where they imply they have permission to send you e‑mail because they have the right send you postal mail.  Our senders got together and we are going to suggest that e pending is a really bad thing.  In the trade press it was basically interpreted as MORG (phonetic) bans e‑pending.  Generally now it's stopped.  So standards with be cooperatively reached with have pretty drastic effects on business practices.  

>> WOUT DE NATRIS:  Going to switch to Thomas for one second before going to Aparna.  An argument that we hear that when companies come to discussion more secret things or open things on standards that these people telling me things sometimes say what about the cartel and anti‑trade people.  

>> MICHAEL O'RIORDAN:  You raise something I feel I need to interject is dot not play any role and there are a number of bodies ranging from MORG to the cable labs which have very strict constitutions and approved to work in this manner. 

>> WOUT DE NATRIS:  I think to say this was Michael O'Riordan saying something not Thomas De Haan in the transcript.  That was one of the questions asked what does happen when my governance said something about the cartel problems around this topic and that's why I'm very much afraid in my country to participate in that.  The division of economic affairs is presiding over telecoms and anti‑spam law and the ACM what is the word in English, the ‑‑ in English. 

>> Competition authority. 

>> WOUT DE NATRIS:  Competition authority.  Thank you you're presiding over all three and in the Netherlands there's no problem to preside over all.  Any advice for governments that this has nothing to do with competition or ‑‑ 

>> I would say this is not a real point of debate which is affecting let's say the market or the standardization elaboration.  I think we have seen this power circuits.  I mean, if it's for the efficiency for the let's say economy of scales and for let's say better and cheaper products, then things can be done so I don't think competition element is such a big thing.  I would say there's other things which I find very pressing but you are the moderator. 

>> WOUT DE NATRIS:  Thank you for that, Thomas, I think that's an important message to perhaps other companies where these concerns do play and it's also a matter of going forward because it was started by trial and error in the beginning probably and trust was built through the years to work together in a better way I suppose, Mike, because that's the way it happened.  

>> Speaking for what I do it was a very deliberate process to come together.  Back in 2004 when we started when Mr. Gates just told us that spam was going to be sorted two years before and 2004 was the year we came to sort spam and its been ‑‑ I think this is a very ‑‑ this is the first time I've heard this argument postulated or this being an important point.  I'm a bit surprised to be honest with you because there's an awful lot of these organisations that work in this matter and aren't seen as anticompetitive because they are seen as having the virtues that Thomas just elucidated. 

>> WOUT DE NATRIS:  I was surprised myself but I bring it up because it was brought up by other parts of the world that were seen to cooperate in this way.  So perhaps it's in those countries but the government may need more explanation but at least it's on the record.  Aparna, Google it's a very large company affecting much of the Internet so you must be dealing with a lot of standard and best practices, how does that affect Google?  

>> APARNA SRIDHAR:  Thanks for the question.  I think we as a company ‑‑ well let me state the obvious first.  Standards are obviously critical to our business, especially Internet standards although not only Internet standards developed by the Internet engineering task force.  And I think the way that we look at the standards setting process as a whole has a couple different components.  The first is the original set of Internet standards is the reason that Google has been able to exist and flourish in the first place.  The fact that we could connect computers with TCP/IP and that any person could deliver an application on top of this common protocol is what has allowed the Internet to grow into this sort of global platform and it's what has allowed innovators to come up with new products and ideas and it's also what will enable the next person who has an idea like Google to be successful.  So for us it's part business necessity and part philosophy.  The second is that obviously we are a global company so interoperability is an issue.  So imagine if we had totally different standards to do search in every country across the world that would make it much more difficult to deliver information to our end users.  Obviously there are local discrepancies in some circumstances but in general the fact that it is one Internet and that one Internet is enabled by Internet standards is incredibly powerful.  The third is I think that we view standards critical to ensuring the resiliency and security of the Internet.  So without sort of redundancy in networks and a distributing architecture that the standard setting process enables we really would not have the Internet that we have today and we wouldn't be able to deliver services to our end users in the way that we are today.  So I think overall we say to ourselves the current model for standards setting has worked really well for the Internet.  And what are the sort of characteristics of the current model that are important?  
Number one, it's voluntary.  So the reason to use a standard that is people think it's useful and it enables connection and sort of enables many people to access the same information or use the same infrastructure.  The second is they should be consensus based.  And the third is the standard setting process should really be driven by the technical community.  So I think you see great collaboration in places like IETF precisely because even if people are competing vigorously in the economic marketplace, they realize that interoperability and other standard setting processes are valuable for enriching the entire ecosystem.  I'm not sure if that exactly answers your question but... 

>> WOUT DE NATRIS:  It's a good start so thank you very much.  We have almost done our first round because we are going to look at the consumer and the government side in a short while.  First I want to ask are there any remote participants, Sophie?  No.  Okay.  If there's a question let me know, please.  Are there any questions so far from the audience?  Anyone would like to ask a question?  Two?  We will start in front and then come to you.  

>> AUDIENCE:  So I don't need to introduce myself.  The title of the workshop is the impact of non‑adoption of Internet standards so I will be interested for instance to hear from Jari how happy he is with the adoption of proven standards that improve the security of the Internet on any level.  You can choose your own scale if you want the answer for your country, for Europe, for the world, but I would like to move the discussion towards how are we doing on the implementation of standard that are really important for our future.  

>> WOUT DE NATRIS:  Thank you.  Jari?  

>> JARI ARKKO:  Yeah, that's obviously different answers based on what we are looking at.  In some cases I think we can be happy with I think there's a lot of uptake on HTTPS, TLS, that kind of thing.  There are other areas where even with standards being available for a long time we are not that far yet or at least not completely ‑‑ take BCP 38 as one example.  For those that don't know what it is this is the standard or the BCP that says I should do status filtering to prevent spoofing.  And the problem that has ‑‑ and it's very widely deployed but not universally deployed.  I don't have the numbers but it could be 1/3 or 1/4 of the world not implementing it but it would be really important to implement that because it reduces the amount of attacks in the world or at least makes them a little bit harder to launch.  But the trouble with why that is the case is that there's no immediate benefit to you, only benefit to the society or the planet as a whole but it's not necessarily a benefit to you.  In fact in some cases it could be more work.  You have to turn it on, it could even be one line command in some cases or more.  So that's a really difficult situation.  I think that's one example where maybe some processes written in the IGF and cooperation across not just standards by the people or techies getting together saying hey this BCP 38 thing is great but also going around saying hey you all should actually be talking to your local business to make sure that they are doing that.  So I'm not entirely happy with all of this deployment obviously.  And we have another discussion.  But there's clearly work to be done. 

>> WOUT DE NATRIS:  Thank you, Jari.  I'm going to jump ahead a little of the questions that we have.  What is the implication ‑‑ let's stick with BCP 38 for this example because there are many others.  It comes out of the IETF I think in two thousand something and it's adopted or not, it's voluntary.  We have assessed that.  Let's go to Cisco or to MORG, whoever wants the answer, what it actually costs at the moment that something like that comes on your doorstep.  We have a new standard or best practice implemented.  What happens within a company at the moment that you start deciding on it?  And could there be reasons, very logical reasons for not doing it?  So there's two questions.  Chip?  

>> CHIP SHARP:  This may not be a good example for us because we are the coauthors of BCP 38; a Cisco fellow was in our group when he did it, so it was based on experience in developing networks.  So in that case we had already built the capability into the router and delivered to the customers so it was a matter of convincing customers to turn it on.  And I think Jari hit the nail on the head.  What I look at is the benefits do not accrue to the organisation that's incurring the expense and that's a common issue with a lot of best practices and standards is the organisation today, the network provider, whatever, that has to actually implement it does not see the benefit of it.  He's doing it for the good of the Internet and many organisations do implement these things because they understand that the more secure and stable the Internet is, the more it will grow and business will grow but some don't.  So that's just a common issue.  I think spam has some of the spam thing has some of the same issues in terms of the benefits and expense tradeoff.  Another thing I want to point out in terms from an equipment point of view or network provider point of view is that it's one line, yes, but when you're managing a network of hundreds or thousands of devices, you generally do not go in and configure each device.  So network providers build scripts that manage the devices, configure it.  And even adding one line sometimes can cause unexpected issues in the network, right?  And we have had cases for, I don't know if anybody remembers this but there's a feature called IP directed broadcast which was in the IP standard, general part of the standard which allows you to send a packet to a local network and then the router on that network will broadcast it to every end point on that network.  Seems like a good idea but then came along smurf attacks where people would send one packet to a network.  
It would expand to all points on that network that would reply.  It took 3 or 4 releases several years to convince to get the default of that feature turned from on to off.  It seems like a very simple change, right?  Even some of us working didn't understand why we couldn't do it.  What we found was if you change the default on a configuration you've now broken everybody's scripts, config scripts, that is how they configure their networks so you have to work very carefully to migrate the customers over to this, educate them, let them know you're doing it so they can be in sync with the vendors so one day they don't actually load a new version of software in your equipment and your network goes down.  That's generally seen as unfriendly.  

>> WOUT DE NATRIS:  Thank you, Chip.  I think you mentioned a couple things, one that it's costly.  That it involves work within the company.  Obviously a lot of resources.  It involves technical implications that you can't always see and it's not that easy because you have to get a whole community moving along with you and understanding why you're doing it so that's I think three points summarizing that make implementation of a standard not something that you just do.  Aparna or Mike would you like to add to this example?  

>> APARNA SRIDHAR:  I'll make a more general comment which is I think sometimes the challenge is not ‑‑ sometimes there is a true mismapping between who incurs the benefits and who bears the expense but a lot of times it's more broadening the view of what the benefit is that is really the key.  So for example just take security standards for an example you might say for security in e‑mail or best practices with respect to e‑mail, well it's going to be a cost that Google incurs to make Gmail more secure but the benefit is to the user of Gmail but that is not how we think of it and I would say that's not how any e‑mail provider should think of it.  The benefit for us is we are providing a more secure service which hopefully means more people will use it then be gaining trust from the end user which will make them continue to use our service which is what we want.  Sometimes there is a misalignment of incentives but equally as often it's just a matter of sort of figuring out what the benefit is for the person who has to adopt the standard.  

>> I would say what it's about is a sort of mutuality of benefit.  Google may do something really smart that benefits us because we see less spam from them, we may reciprocate to do something equally smart that means we send them less spam.  When you see mutuality of benefit.  But talking about the barriers to entry to some extent, one of the things I was involved in a couple years back was ‑‑ and I don't know if you call it a standard but it's certainly best practice was the what became eventually published by, the anti‑botnet code for ISP and there what you found one of the biggest challenges was working through the barriers for entry.  For the larger organisations for the larger ISPs for the larger mail senders it's a relatively small amount of cost and it might be something they're already doing because they have seen it as deriving to their benefit.  But for the smaller players there's just the pure economic barriers, the cost of implementing services, implementing data feeds, for example.  Customer education, customer notification in the case of botnets.  These things can be relatively expensive and just that can be some of the reason there is a resistance to entering into this mode.  

>> WOUT DE NATRIS:  Well, I'm going to go to your question next, I'm going to jump again I think because we have identified something which is probably a crucial topic here.  It is a matter of economics whether you make a decision to implement or not.  And the speed with which you do it whether it's beneficial or not to a company.  We have other parties on the table, for example a government, could that be a role for a government to assist somehow in having the implementation go faster or better without legislation, just by aiding the process in one way or another?  Thomas?  

>> THOMAS DE HAAN:  Thank you Wout.  I think exactly what was mentioned here that probably in the beginning of the Internet and still now new standards it benefits to all so let's say externalities have a big role here.  But we are now in a situation which I think not adopting some standards will not not benefit somebody else but will even damage others.  And I think that's I think the new era you're living in which of course the Internet is an inherently insecure network.  We are facing these kind of challenges.  And then I would say from the government's perspective I will even consider that as a kind of market failure meaning you have a role as a government.  When you see that certain parties or certain actors in the market are not doing something, and by that as a consequence others are having disadvantages, then there's something wrong with the way these standards are adopted.  And it doesn't mean that you should turn around the whole system of voluntary standards which ‑‑ participation of stakeholders but for certain indications I think as a government you should really pick the ones which are essential in this game.  In these kind of standards which if actors don't implement them it will have an external effect on many others in society.  So I don't think it's the answer you were looking for. 

>> WOUT DE NATRIS:  It's the answer you wanted to give and I was going to go to you Adam because you work for the government also.  You told us about the processes that you got into last year.  Could you tell us something about the motivation for your organisation to step into Internet standards and best practices and what do you see listening to Thomas and to your other panelists?  

>> ADAM SEDGEWICK:  So I think I would build off some of the earlier points that were made about the challenges of getting multiple parties to act when the benefit might be diffused.  I think it does go to a theme of the IGF which is sort of the multistakeholder and how do you get a lot of these solutions require a lot of players to come together and decide on collective action.  And often it might not be because there isn't a standard or best practice, there might be too many of them or for a variety of reasons it might be difficult to choose.  The market might not be there.  Or it does require all these different stakeholders to come together in a unified way especially from the case of malware all the way down to the end user, the person sitting on the computer.  So we have taken this on in a variety of different ways to work closely with industry to look at the solution for these problems.  I would say the way we approach core Internet standards would be different than some of the other standards just to ensure that we can protect the growth and the vitalization of the economy and the innovation that those standards provide.  But I do think that there are a number of different mechanisms that government can use so I spoke about the example of what we do with the cybersecurity framework for critical infrastructure.  But in those other sectors, we have called them the Internet information innovation sector, we have looked at projects such as the national strategy of trust and identities of cyberspace and that's an either we still have ongoing where we pull together people to form a nonprofit identity ecosystem where they are the ones figuring out the rules of the road and the government figures out uses of authentication through grants.  So it's an ongoing project, anyone can participate.  We think it is already having an impact on the market to the benefit of all consumers and will continue to in the long run.  

>> WOUT DE NATRIS:  Thank you.  I'm going to go to the gentleman who wants to ask a question, please introduce yourself. 

>> AUDIENCE:  My name is Eric Jarden, I'm with the centre for international governance innovation.  I'm a political science major so some of this is outside of my wheelhouse.  I do have a question, recognizing that this whole process is a very organic system and reacts or evolves, I'm wondering from a cost management point of view for the system as a whole, do you think the universal adoption of security standards is the best outcome we should be pushing for?  My thinking behind it is in a rough sense the aggregate sense is related to the probability there's a vulnerability multiplied by the people using that standard.  The probability might be low but if you had everyone using the same standard then everyone becomes vulnerable and the system might suffer tremendous cost of results.  I think there's a degree of resiliency and cost management that comes in when you have multiple standards.  So I'm wondering anyone's take on that particular issue.  Thank you.  

>> So that actually might go to kind of how we started this session with Jari's point ‑‑ maybe he would disagree, about the variety of standards that are necessary and are not just technical standards.  So the things we talk about often with our industry about the practices they should adopt to better protect themselves, it's largely about risk management so that's developing the processes and procedures so you can deal with those emerging issues when they come out.  So it's not about a prescriptive technical set of standards but about developing the capacity so understanding there will be incidents and changes based on new technologies you're using, new vulnerabilities so it's not only about the underlying technical standards but also making sure that rigor is there for organisations to understand how to manage new risks.  

>> AUDIENCE:  I'm, I'm Paul Vixie.  I wanted to follow up on Chip Sharp's point about smurf attacks.  I once had a T‑shirt that said no IP directed broadcast, that's what we were all typing into our router then because Cisco had not made it the default because they were afraid they were going to break everybody's config.  So I had a long talk with Fred Baker who is Cisco's distinguished fellow of some kind so I had many chances to argue with him about BCP 38 and the defaults.  And I remember him explaining how many configurations that would break.  So I have a story and observation.  My story concerns open recursion and BIND because for many years BIND would by default answer any recursive query that came to it with no default ACL.  In other words if you had a name server and it could be reached through your firewall and eventually we realized that was a problem and we fixed it.  And first we created the ability for people to change their configs and then we added some config warnings.  And a couple years later we announced we were going to change the default.  And a year after that we changed the default and it broke everything because five years was not enough for the community to adapt and we got a lot of complaints.  But it was the right thing.  Now the difference is ISC is a nonprofit company and does the right thing because it has no shareholders.  Cisco has slightly different priorities and I understand that.  I don't want to seem ignorant of that.  However just as you ought to reboot your Linux server at least once every three years before the uptime can get to four digits, in case it would not reboot because of some config change, you want to reboot things periodically just to see if they can, the same is true of our configurations.  And I think that anybody who is on the receiving end of a 400 gigabit per second DDoS has absolutely no sympathy for your shareholders.  Thank you.  

>> WOUT DE NATRIS:  Do you care to respond?  

>> Thank you.  

>> WOUT DE NATRIS:  Okay. 

>> If I may, I would like to respond from a consumer point of view.  You introduced two very important notions, the default setting, the privacy or security or default settings on whatever configuration or requirements or interface we are discussing about being a web page or an app whatever.  This is something that is extremely important and the impact of the lack of adoption of certain standards of course has the effect of total lack of trust from consumer's point of view.  This is not only because of the lack of standards.  There are also other elements but the recent securities scandals online scandals really have quite an important negative impact.  And the solution for us is the default settings so to provide the higher default setting from a security or privacy point of view so the consumer applications ‑‑ so the consumers can choose to downgrade than to have lower levels and it is especially because of children and young people using the technologies sooner and sooner for everything it is important to protect them by default.  This is not only for the Internet but in general.  And then more users or professional users this is a totally different discussion, can better adapt to the levels of security of their own needs.  But I would like really to remind all of us that children online up to the age of 3, 4, already, and they also represent a very important market for certain developers and it is something that needs to be carefully taken into account when also discussing security.  Thank you.  

>> WOUT DE NATRIS:  Thank you, Chiara and thank you for answering the question.  I'm going to make this very black and white and not personal, please don't take it that way but I see a group of people very happy with themselves and the work they do and the measures they take, they make it very black and white and I see people raising concerns this is perhaps going not in the direction we want it to go.  So there is divide or whatever you want to call it in the panel and that's a good thing because then you can have a debate and not everybody agreeing with each other, yes we are on the same track.  

If we are moving slowly towards the end of the panel of course by now.  If we look at these concerns and the work that is being done which is obviously being done good because the Internet works, let's not forget that.  It works, everybody accesses it and look at in this room how many people are on the Internet in this whole building and go on from there.  It works.  But there are also grave concerns.  For example Jari, I heard a story last year from somebody from the ministries of economic affairs who went to the IETF for the first time, everyone went into a room and he was standing there on his own saying okay I want to learn what is happening here and if you make it black and white again, four days later he saw everything come out of the room and thought why was I in Berlin for four days?  Is there a way to change that?  It was not Thomas, it was one of his colleagues.  But how can you engage better so governments get to understand what you do but perhaps also that the technical community can learn perhaps from concerns that governments have that after that the technical community can pick up and come up with solutions and let's start there and from there perhaps look at what roles of governments and consumer organisations could be because it could be for Chiara the same story as it was for this person.  So let's start there Jari.  

>> JARI ARKKO:  I wanted to touch on this black and white thing first.  I don't think anyone on the panel is saying that we have no problem.  We certainly have a major, major problem, many issues going on it's just that we are trying to characterize the problems and understand why they occur with some fundamental reasons we talk about that with Chip and others.  So we do have a lot of work ahead of us.  So that's clear.  We are trying to understand how to do that work best.  I'm a firm believer that we just need to be more connected and understand more of this space, not just with a small group of engineers in the corner or the government meeting somewhere but we together need to understand and interact more and there's multiple places for that.  We have some programs in the IETF to try to do more, we are learning how to do that.  It's not always easy but we are trying, drawing more participation from non‑engineer circles.  I think this meeting at IGF is a great place to do some of that but it can't stop at that.  We have to find these like‑minded people in these meetings and go off and do something about some of these tasks whether it's BCP 38 which is an old topic or something newer, spam.  Maybe some more things can be done more widely.  So I urge all of us to try to actually go and do something about it and write with your government colleague and document or recommendation for people to do more. 

>> WOUT DE NATRIS:  Jari, thank you for this because you're reaching out and also I heard you last year because that's why we basically have this panel, you are reaching out.  Utley?  

>> Utley:  Yes the Internet works but the problems are getting bigger and bigger and nasty at the time.  This is also where the user standards but maybe not in the form of technical ones.  We have a lot of work like Adam is doing in the cybersecurity framework, addressing security problems.  So it's not just that I'm afraid of DDoS but there's other threats or insider threats or malware.  There is where cybersecurity framework and in many places at least in Asia Pacific that I'm aware of many of the governments from the regulator point of view and similar organisations are encouraging people to look at security from the bigger picture and make sure that you have done everything that you can do to make sure that you are safe from these threats and minimize the risk of things happening in your network so this is where I think not only looking at it from the perspective of we should get everyone to do this or make it mandatory but also supporting work.  And in some countries they extract some parts of that to make sure that at least these are the basic stuff that organisations must do so that when you have these things in place you are aware of what resources you need to commit to ensure security or you can assure security or achieve resiliency when things happen because we know that things may happen whether you have done your best or not.  And also when you have similar organisations in a particular sector adopting this kind of standards then you can also start benchmarking and measuring one another and then you can compare notes and from there you can make more improvement.  So I think it is not that governments are not doing anything, I think there's a lot of work being done already in this end trying to get people to look at security from the bigger picture.  And there are many guides or standards that are in place that we can actually start using and looking into.  

>> WOUT DE NATRIS:  Thank you.  Aparna?  

>> APARNA SRIDHAR:  There's also one other aspect that we haven't really discussed which is the way that we can also work together to sort of improve security which is building awareness of what users can do themselves to ensure security online.  So I was doing this work for a while but I think in the last year I've read or been sent a link to probably ten articles on two factor authentication.  I've been using it for a long time but I literally don't think before this year I had ever seen anything in a mainstream newspaper about it.  So that's one example of something that has gained greater awareness in the user community but there are lots of other sort of best practices for user empowerment that we can do a better job of sharing.  

>> WOUT DE NATRIS:  Thank you.  Thomas?  

>> Sorry, I just would like to totally disagree with what you just said and it is contrary to what I just said myself.  You need to provide the higher and highest level of protection by default so I think this is really something you need to rethink.  

>> APARNA SRIDHAR:  I completely disagree.  So I think the idea of mandate ‑‑ so I think two factor authentication is a great idea, I use it all the time.  But the idea that you should mandate that when it relies on having access to a mobile phone that may or may not be something that somebody has.  So you can be creating a huge cost to get on to our services by mandating that as the default.  It could make it impossible if all you have is a land line connection, think of a grandma in wherever, not my grandma but in some rural small town in wherever, all she might have is a land line connection to the Internet.  This is going to do her no good whatsoever and increase our costs.  So I don't think that it's right to say that we should always have the highest standards as the default.  

>> WOUT DE NATRIS:  So we have some disagreement here which is good.  Probably also somewhere in the middle.  That the end user cannot do anything himself because they don't understand the deeper implications, perhaps need training, a driver's license of the Internet, you can hear that one.  But the other one is he can't find everything by himself and that's where the awareness starts and you find each other on reasonable ground.  Thomas you want to respond also?  

>> THOMAS DE HAAN:  I think the adoption by practices or let's say the way people are connecting themselves and using their equipment that's another thing.  I think the thing which we because we have programs in the Netherlands sponsored by the government which let's say subsidize also lessons at school, giving a kind of let's say youngsters also a kind of diploma for I did a very good course and now I have my diploma safe Internetting.  So these things should be done by all means.  I think well the topic of this setting is more, the adoption of Internet standards and on specifically I think security standards by companies, by networks.  And there I think at least we see in the Netherlands that we don't see a role by enforcing standards or by making new regulation for which 80% will not be effective.  Especially not in the environment which is so quick as the Internet when we make a ruling in a year's time it's finished and then some other requirement is ruling the markets.  I think what I just said before I think there's a question of market failure, maybe that's a strong term but there is something hindering because of the externalities facts that market parties are not adopting standards because it's too high, they don't get the benefits, it's only long‑term benefits so there somebody something done in which I think the government could do something. 

>> WOUT DE NATRIS:  And what are the thoughts of the anyone industry at this stage?  

>> First of all I think an enabling facilitating function that you get parties together which maybe out of themselves will not let's say take these efforts.  And secondly you can what we did with other projects you can let's say not subsidize some project but give a kind of first subsidy for setting up a system or setting up a secretariat or something that market parties themselves own.  And themselves working it out.  As a government we don't want to be involved, only if it's purely necessary.  So I think that basically there's something which and there's also a very much benefits of at least we saw this in our own strategy or division you talked about in the Netherlands, there's a synergy in getting let's say all parties together about the whole set of security standards which you have ‑‑  (?) others are a part of.  And to treat this as a kind of suite (?) But it's more practice, you should use as ISP to try to have a kind of concerted action as a national stakeholders.  

 

>> WOUT DE NATRIS:  To Michael oh Riordan, MORG is already involved in getting parties law enforcements in to discussion, you've worked on government on the botnet for example, would that work in this case the US?  We also work with morph in other continents could that be an example of a way forward, first mover, stimulus, let's call it that way. 

>> It's not something that we run into and we haven't run into the necessity for it.  The kind of thing that we do in a cooperative manner hasn't ‑‑ that hasn't really been necessary for us that they ‑‑ the nudges had to be given.  But I think it also depends on the local environment.  For example, a number of years ago we had some of the MORG members come from Japan they came and presented on the project had been nudged by the Japanese government to block 25 and it was successfully successful in terms of blocking outbound spam from Japan.  The outbound spam had fallen off a cliff, it suddenly disappeared.  So I think it depends ‑‑ it certainly depends on the national environment that you're working within and what may work for example in a more cooperative or with a different cultural understanding won't also work in certain other countries and that I think is a significant differentiator, it's not a one size fits all. 

>> WOUT DE NATRIS:  That is a good conclusion that is completely true, of course.  We are moving really towards the end of the session.  We haven't touched upon all the questions but that's usually the case.  I think everybody had the chance to speak his mind.  Let's look ahead.  What if we a year from now what would you like to have achieved on this topic?  Are we still addressing the same challenges we are facing right now?  Or what would actually change that we turn left instead of in the right direction, the straight direction.  Let's start with you, what would the advice for the coming year be?  Let's start with Cisco and perhaps move it from there if you would like to be more general also because we touched upon a lot of topics now. 

>> I think whatever it is, on your wish list of things if we could get the best current practices actually deployed even within our own network and in with our products, all of our products supporting it, and if I could have a wish it would be that all of our applications and products support a secure IPv6 implementation, that would be a wish list as well.  But as we roll out IPv6 we discover more new things that come up and then we have to fix them.  So it will be an interesting deployment and as the world deploys it even more so I think that would be kind of a wish for the next year as to that we can get that straightened out, get our development straightened out so that we are moving down that road.  Thank you.  We are working for it.  Also I would say that in terms of the Netherlands, is a member of the common criteria recognition agreement.  So that's one thing that is done is we have the common criteria testing that has ‑‑ Netherlands is one of the countries that does recognize this.  We are happy about that.  Thank you.  

>> WOUT DE NATRIS:  Chiara?  

>> CHIARA GIOVANNI:  Yes, thank you what we would like to have in 1 or 2 years to have sound and legitimate standards for authentication for consumers to have confidence to be able to use with apps or what.  And this requires a lot of international collaboration.  And solutions have to be found. 

>> WOUT DE NATRIS:  Thank you.  Jari?  

>> JARI ARKKO:  Yes, I will continue saying that this further cooperation is needed.  I wanted to pick up one example.  I think you said earlier it's difficult for the consumer opinions to show up in standards or in all types of standards bodies.  I think it should be possible and it can be possible and we look forward to your input.  So why don't we try to establish channels where that's actually possible.  I think we all do care to build things that relate to end users that they actually work well for the end user and not so much for the company.  

>> WOUT DE NATRIS:  Utley. 

>> Utley, two points.  One is this sort of discussion could be useful if you can take it to the regional and national IGF session because probably we can get more input and feedback and sort of present the issue that is relevant to the various communities out there.  One particular topic of interest out of the discussion is the question of basic settings for end users.  I like that.  People must do a lot of things to achieve security so maybe we can look at it from a different angle why don't we make it easy for them to do security so I think maybe this is probably another type of discussion that I would definitely like to get involved with moving forward. 

>> So awareness raising important topic going towards 2015? 

>> Awareness raising but looking at the standards side of things as well, what are the basic standards we expect normal users to use. 

>> WOUT DE NATRIS:  Adam. 

>> We didn't really make a good distinction around performance standard and the more technical standards.  When we think about the authentication discussion it's possible that more panelists degree.  So I think that's kind of the right approach that we think of, it's less about ‑‑ it's really looking at the outcome you're trying to achieve and that allows the companies to innovate how you get this.  So in the course of the next year I would echo increased participation, the standards bodies increased awareness of what consumers should do increased adoption of risk management practices across all sorts of industry would be good to see.  

>> WOUT DE NATRIS:  Thomas?  

>> THOMAS DE HAAN:  I think what I would like to see is the kind of in a couple of years that operators of networks and services information services in governments all actors would in one way or another made more accountable for what they are doing.  Because we have seen, one of the hardest things we have in the Netherlands is for example we are talking about our ISPs and I think five years ago they said okay we will implement IPv6 and the next time they say no you will implement it but it will be later.  So I don't enforce it but I would like to see not only ISP, maybe that's only one example about standards and how they manage the networks, the openness of the networks.  But also better hosting for example which introduces a lot of bad things into the Netherlands and also in the rest of the world.  Just ways of by self‑organisation or other ways in which market parties including governments could be made much more accountable of the security of their users.  

>> WOUT DE NATRIS:  Michael?  

>> Michael:  Some extent I'd echo Adam in as much as I'd like to see increased participation in people on standards bodies.  I cannot think of a standards body that I've entered with trepidation thinking how could I possibly contribute.  Speaking about your colleague I'm not surprised that he was a bit nervous.  And they do obsess about cookies.  It's an interesting place to begin but it's a very functional organisation but it does take getting stuck in.  If you don't get stuck in you're not going to get to be part of the process so it's a very harsh thing to say.  

>> WOUT DE NATRIS:  Aparna?  

>> APARNA SRIDHAR:  Going last place is the best ideas usually are out there.  I conclude by echoing a number of folks who have said in the coming years if we could build awareness and understanding of how the standard setting process works especially for Internet standards through not only a technical community but with governments with non‑governmental stakeholders who aren't traditionally involved that would be real progress. 

>> WOUT DE NATRIS:  The five has introduced best practice forums on five topics.  The first reaching out happening but everybody is still searching for its place into that reach out.  Could it be an idea to have a best practice forum or whatever they're going to call it next year because not everyone is happy with the term on this topic and that you can actually start talking to each other through WebEx calls, through a comment list to have a paper drafted that could be a head start into getting to know somebody better, what topics you would like to have discussed better and maybe you can easily reach out within your own communities and invite other people in that they can start acting on the right topics straight away.  Would that process which IGF is going to facilitate in another year and at least after that be of use to this topic?  Yes or no?  

>> When I look out at this room there are a number of faces I recognize from all sorts of standards properties.  We are already talking on then a basis.  Yeah, we met so‑and‑so.  There's a big bunch of people that you know anyhow that you have been working with.  Maybe what happened is some of it has now moved to the IGF and made it a little more real.  I don't know whether that's the case.  This is my first IGF so I don't know what the norms are and I didn't know what to expect but I was pleasantly surprised by the fact that a lot of real people turned up. 

>> WOUT DE NATRIS:  That is the same for you Thomas or for you Adam?  

>> I echo what you were saying Michael.  The point is that we are looking very quickly around.  I think there are still a lot of usual suspects now meaning that what you are saying now is a little bit restricted to our own ears.  And the impact of non‑adoption of standards security standards is one basic element of let's say prospering the Internet, making it more safe and secure.  So I would say having such a workshop or I don't know if making a paper is okay that I can judge now but to try to get more attention for standards and the way you can faster progress them something which is definitely something which I would like to see.  But then in a broader audience.  

>> WOUT DE NATRIS:  Adam?  

>> ADAM SEDGEWICK:  I know the question would be what would be the appropriate scope and how would that be relevant to the IGF so perhaps the scope won't be to trying to reinvent some of the good work that happens in other forums but this question we were talking about earlier how do we inform policy makers about what was going on in those standards bodies in more technical forms. 

>> WOUT DE NATRIS:  If you thought that would want to reinvent the wheel that's a good comment.  I'm trying to find something that may be overarching which brings the right people to the table, brings the issues or challenges they face and from there go back to your own communities and could the IGF help with the identification of those challenges and people that you perhaps are missing at the table right now.  Chiara?  

>> CHIARA GIOVANNI:  For our discussion for welcome but discussions are not enough.  Actions are needed and therefore if there are no world maps with deliverables and way to check how they are implemented and really enforcement as far as cybersecurity is concerned I'm afraid there are other fora of discussion with the discussion are already taking place so they would not ‑‑ I'm not familiar enough about the mechanism behind those best practices forum, so you can tell me but there should another and the other that I see is being concrete and gone an impact on cybersecurity in this place otherwise I wouldn't see another value.  

>> WOUT DE NATRIS:  Thank you.  I want to turn to the room.  Are there any last questions?  I would take two.  

>> AUDIENCE:  Maybe I can respond to your question, too.  And my answer would be no it won't help.  I don't think talking is going to solve the problem.  I don't think talking is the problem either.  In the Netherlands we as the national registry spent a lot of money and efforts on getting it implemented from sponsoring the development of signing software, sponsoring the development of registrar software, doing trainings for registrars, implementing an incentive for registrars.  So it ended up in almost 2 million for the 5.5 million being signed.  Now if we look at the uptake by banks one could easily argue that would be the important domains to sign.  They in most cases are their own registrar and then they decided not to sign.  And we have been talking to them over the last 2 or 3 years trying to convince them to do so.  And they haven't moved.  Most of our banks haven't.  So what we did is last week we sent them a draft article that we were going to publish which made this clear that the banks are not signing.  And now suddenly they became active.  I got all kinds of letters, phone calls, reactions to the draft article and now they want to talk to me and to other parties on how they're going to sign.  So I think in the end the solution is probably to put a bit more pressure on those organisations, those companies that should implement Internet standards because I think Jari made the remark that quite often they look too little into the future and too much very close to themselves.  So they see the cost short‑term, they don't see the benefits and the risks long‑term.  I don't know why, maybe it's the pressure of the shareholders to come up with quick results but I don't think that talking and explaining is always a solution.  I think it has to be pressure.  And it can be from other parties, it can be naming and shaming, that would be the worst pressure, a huge security incident with a lot of customers suffering and also I think it can be the government.  

>> WOUT DE NATRIS:  Okay.  I think that's very clear example.  Thank you.  This is your opportunity to speak.  Last question?  Everyone happy?  Okay.  Then I'm going to thank our panel today for your insights and your debate on the topic which I think was quite excellent so please a round of applause.

(Applause)

 

********

This text is being provided in a rough draft format.  Communication Access Realtime Translation (CART) is provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings.

********