Internet Standards, Security and Safety Coalition (IS3C)

Motto: Making the Internet more secure and safer

Introduction

At the IGF in Katowice, the Dynamic Coalition on Internet Standards, Security and Safety announced its name change into Internet Standards, Security and Safety Coalition (IS3C). It remains an IGF Dynamic Coalition that brings together key stakeholders from the technical community, civil society, government policymakers, regulators, and corporate and individual adopters, with the shared goal of making online activity and interaction more secure and safer by achieving more widespread and rapid deployment of existing Internet standards and ICT best practices.

Internet and ICT security is an issue that is high on the agenda of governments, industry and individuals alike. The COVID-19 pandemic has brought into sharp focus the rapid increase in society’s dependency on the Internet, communications technologies and networks, the interconnectivity of devices, and the vast array of online services, networks and applications that permeate all social and economic sectors, and on which every aspect of daily life, including our health and financial welfare, increasingly rely.

It is also widely recognised that many Internet-related products and services are increasingly vulnerable to security threats and the spread of online harms and criminal misuse. However, if relevant security-related standards and best practices are more effectively adopted and deployed worldwide, these risk can be reduced significantly. This will foster greater trust in the Internet and its related digital technologies and applications and the positive social and economic benefits of these transformative technologies for sustainable development will be fully realised for communities worldwide.

The IS3C aims to ensure that standards and best practices play their full role in addressing these cybersecurity challenges through establishing the conditions for their wider, more effective and more rapid adoption by key decision-takers throughout the standards implementation chain in both the public and private sectors.

This can be achieved only if there is a shared commitment by stakeholders worldwide in a new comprehensive and strategic approach.

Action Plan

The IS3C has established a work programme that i) brings the critical security supply and demand factors together; and ii) proposes the best options for the deployment of key standards and best practices on both sides, in the form of policy recommendations and practical guidance. These outcomes will be presented as IGF policy recommendations for dissemination to policymakers and decision-takers worldwide.

Establishment of IS3C working groups in the first phase of its workplan.

Following the launch of the Dynamic Coalition on Internet Standards, Security and Safety at the IGF in 2020, three working groups were established.

Working Groups

Working Group 1: Security by design

At the 2023 IGF in Kyoto the Security by Design Working Group on IoT of IS3C presented its report ‘Saving the world from an insecure Internet of Things’: https://is3coalition.org/docs/saving-the-world-froman-insecure-internet…. This concluded the first phase of the WG.

As we move into 2024-2025, the WG on IoT is adopting a dual-focused approach to enhance IoT security. Our efforts will be divided into two primary areas: educational initiatives and continued research.

Educational Initiatives:

Awareness Campaigns: We will launch targeted awareness campaigns to emphasize the critical importance of IoT security in both the public and private sectors.

Webinars and Courses: Our group will develop and host a series of webinars and develop comprehensive courses specifically designed for government policymakers and regulators.

These educational tools will provide essential knowledge and best practices in IoT security.

Continued Research:

Policy and Regulatory Analysis: We are committed to continuing our research into new policy and regulatory documents from various countries and continents.

This will allow us to stay abreast of the latest global best practices and ensure that our strategies are aligned with state-of-the-art standards in IoT security.

Best Practice Documentation: Alongside our research, we will regularly update the best practice documents to reflect the most recent developments and insights in IoT security.
 

WG 1 Mission Statement | February 2024

  • The sub-group's mission for 2024-2025 is to:
    foster a well-informed community equipped to implement robust security by design principles in IoT, driven by both educational initiatives and ongoing research.
    (a) Continuously monitor and analyze new global IoT security initiatives, policies, and regulations, incorporating these findings into our strategies and best practices.
    (b) Actively disseminate this information through various channels, including educational webinars, specialized courses, and awareness campaigns, ensuring a broad and effective reach to stakeholders in the IoT ecosystem.
Working Group 2: Education and skills

A major factor undermining the development of a common culture of cybersecurity is that students graduating from tertiary ICT-related educational programmes often lack the skills that business and society as a whole need in order to understand the benefits of security-related Internet standards and ICT best practices. In order for ICT security to be better understood, it has to be integrated into tertiary ICT educational curricula, at all levels. This may result in the structural development of ICT(-related) products and services that include cyber security Internet standards and ICT best practices. The coalition’s Working Group 2 has therefore the following goals:

  • To detect and resolve cyber security skill gaps in tertiary ICT education curricula;
  • To encourage tertiary educational institutions to include in their ICT curricula the essential skills, knowledge and understanding of security- related Internet standards and ICT best practices, building on current best practices, in order to bring tertiary education in line with emerging workforce requirements; 
  • To strengthen collaboration between educational decision-takers and policy makers in governments and industry in order to align tertiary ICT curricula with the requirements of our cyber future;
  • To ensure effective collaboration between key stakeholders in order to keep tertiary ICT educational materials in step with new technologies and standards and prevent new skills gaps from developing.

  WG 2 Mission Statement | November 2022 

  • The document describes the group's focus on examining how tertiary educational curricula at all levels need to adapt to ensure that school and college-leavers are equipped with sufficient knowledge and understanding of how deploying security-related standards helps individuals and businesses be secure and safe in the digital economy. The group intends to develop recommendations and guidance in this regard.

WG 2 Report | December 2022 

  • In its workshop in Addis Ababa IGF Dynamic Coalition IS3C officially presented its first report to MAG chair Paul Mitchell and the representatives of our sponsors. The report contains the results of a global research to better understand the skill shortage in the cybersecurity sector. The report provides recommendations on how to improve and better align the skill gap between industry and society's demand for and tertiary education facilities' offer in the cyber security curriculum. Finally, the report presents the next steps the Education and skills working group (WG2) proposes for 2023 on how to turn the theory of the report into the practice of adoption. You can download the report on IS3C's website: https://is3coalition.org/docs/study-report-is3c-cybersecurity-skills-gap/.
Working Group 3: Procurement and supply chain management and the business case

The focus of the third IS3C working group is the opportunity to promote the business case for cybersecurity through the inclusion of security-related technical standards in public sector procurement contracts and in supply chain management practice in the private sector. Research has shown that this would be a major driver for the adoption and implementation of security-related standards. Organisations , governments, industry and business users generally can demand secure by design ICT-related products and services by stipulating requirements in their contracts for specific standards and adherence to current best practices.

The Internet Governance Forum Dynamic Coalition on Internet Standards, Security and Safety will publish its report on procurement and supply chain management at the IGF in Kyoto. Its draft report aims to document existing policy requirements for public sector procurement contracts and supply chain management of digital technologies and asks whether security-related technical internet standards and ICT best practices are mentioned. It highlights emerging best practice and gaps in an effort to provide high-level guidance at the global level on how procurement plays a role in improving the security and safety of the global internet for all. We close with discussion and suggestions for future work. The document’s current status is open to feedback. We invite you to join this open consultation and share your views and to share links to policy documents, public or private on this topic not mentioned in the report. The deadline is Friday 8 September, 24.00 UTC.This linkleads you to the open consultation.

  WG 3 Mission Statement | June 2021 

  • The document outlines the group's goal of developing actionable and practicable policy recommendations and guidance to ensure that public sector procurement and private sector supply chain best practice and related professional training takes into account Internet security and safety requirements.
Working Group 5: Prioritising and listing existing, security-related Internet standards and ICT best practices

Security by design through procurement

In order to become more proactive where prevention of online harms is concerned, organisations will have to demand the deployment of a multitude of Internet standards and ICT best practices, in numerous disciplines, from manufacturers and developers. Over time, they will all have to be deployed, as they all contribute to a more secure Internet and far safer ICT services, devices and products. At the same time the dependency on the mitigation of incidents will decline.

This proposal looks at the issue of procurement from two angles:

  1. How can decision-takers and procurement offices be assisted in learning to make decisions with security fully in mind, without being swamped with all standards at once?;
  2. What is the full view of the topic at hand?

These questions led to the formulation of two goals:

  1. To present to the world a list of the most important or urgent, security-related Internet standards and ICT best practices, that assist individuals in decision-taking position to demand and choose secure by design products;
  2. To present an, iterative, overview list with all relevant, security-related Internet standards and ICT best practices.

At the start of this Working Group IS3C will gather a panel of experts from around the globe and engage them in finding a rough consensus on what standards, in what categories, need to be a part of this list. They will be recruited from international and regional organisations in government, Internet institutions and industry.  

An overall list, containing all security-related Internet standards and ICT best practices can be started at any moment, as soon as there is a clear decision on who hosts it and people with editing rights are identified.

Project lead is Wout de Natris.

Document

On 4 December 2023 UN IGF Dynamic Coalition on Internet Standards, Security and Safety (IS3C) published a procurement tool to advance the deployment of security-related Internet standards and ICT best practices: the ‘Checklist of Internet standards for secure communications’.
This list contains the most relevant and critical Internet standards that will assist decision-takers and procurement offices to procure ICT products, devices and services secure by design.

The list was compiled by a multistakeholder advisory panel of independent experts from around the world. It is based on four criteria: interoperability; security relate; open process and; proven track record. It contains the 23 most critical and relevant standards, e.g. DNSSEC, OWASP top 10, RPKI, any organisation should require to be integrated in the design of ICT products, services and devices, to pro-actively close numerous attack vectors in their and other organisations’ ICTs. An open consultation process was an integral part of this project.

The IS3C Working Group 5 report and list are available on IS3C’s website: www.is3coalition.org

The list adds to the IS3C Working Group 3 research report on public and private procurement that was released at the IGF in Kyoto. Both reports have been made possible by a grant of the RIPE NCC Community Projects Fund.

Working Group 6: Data governance

Data and related issues and developments in the public sector have become increasingly important in terms of government analysis and operations, academic research, and real-world applicability and acceptance. Data are now integral to every sector and function of government—as essential as physical assets and human resources. Much of the operational activity in government is now data-driven, and many Governments would find it difficult, if not impossible, to function effectively without data. 

While governments are more connected, they are equally exposed to new and emerging threats. Cyberattacks and incidents such as data leaks highlight the complexity at stake in determining what kinds of responses are adequate from a policy, norms, regulatory and governance when it comes to securing data. Many governments have responded by including such concerns as a core part of their national cybersecurity strategies and data protection regulations. 

This working group will support the development of a global review of data security, identifying emerging trends, sub-topics, and best practices in this area. The working group will place in the coming two months and directly engage in a mapping exercise and then develop recommendations for a data security framework. Activities will include:

  1. Mapping data security frameworks and regulations.
  2. Developing recommendations for how governments can better respond to data security challenges.

The first results of the activities conducted by the working group will be presented at the IGF in a dedicated Open Forum and in the IS3C workshop. 

The working group’s chair is Louise Marie Hurel. The work is supported by the United Nations Department of Economic and Social Affairs (UNDESA), Division for Public Institutions and Digital Government.

Working Group 8: Domain Name Security Extensions (DNSSEC) and Resource Public Key Infrastructure (RPKI) Deployment

Mission Statement
Two of the fundamental building blocks of the internet are the Domain Name System (the DNS) and the system of routing that allows Internet traffic to flow between our devices and sites. Both routing and the DNS are older technologies from a more innocent age, and neither was designed with any built-in security mechanisms. To help secure the DNS and the routing system from both malicious attacks and unwitting misconfigurations, the engineering community developed two protocols: Domain Name Security Extensions (or, DNSSEC) and the Resource Public Key Infrastructure (or, RPKI).
Wide deployment of these two standards is uneven across countries and regions, and globally remains a challenge. RPKI enjoys relatively good deployment levels. DNSSEC however, has not been widely deployed. Overall, although progress continues to be made, it is to the benefit of the security and resilience of the Internet to continue to strive towards greater general uptake. Internet resource organisations like ICANN and RIPE NCC deem this topic of importance.

This working group focuses on outreach and engagement efforts to increase trust in, and contribute to the wider deployment of, DNSSEC and RPKI. This working group provides a work plan, containing among others a new and different narrative and recommendations for the next phase, including an outreach plan at the global level.

Background
Research conducted in an IGF project in 2019 contains causes of, and recommendations to change, the slow uptake of standards deployment. One of the causes presented in the report, on the basis of input from the internet community at large, pointed to the fact that lack of deployment is perceived as being a technical issue, needing a technical solution. However, it was pointed out that what holds deployment back can actually often be based on financial, economic, or social decisions. This implies that the narrative is insufficiently tailored towards individuals in decision-taking positions in organisations. This conclusion led to two consecutive recommendations: a) to include and engage individuals in decision-taking positions and; b) to change the narrative in such a way, that they will decide favourably on deployment. The working group will provide this.

Public Consultation
IS3C's WG 8 on DNSSEC and RPKI deployment holds a public consultation on how to convince your superiors to deploy Internet standards. IS3C consults on an alternative deployment narrative. Please share your views here, so IS3C can present the most convincing arguments. The consultation runs until 5 April 2024.

Workplan
A multistakeholder group will:

  • Define the issue;
  • Evaluate current content;
  • Define current gaps in argumentation;
  • Work on (redefining) best practices and recommendations for a new target audience;
  • Write the  narrative in line with this target audience;
  • Present a plan for outreach;
  • Present (interim) outcomes at the IGF in Kyoto, 8-12 October 2023;
  • Present the outcome report, November 2023.

Chair: David Huberman, ICANN
Vice-chair: Bastiaan Goslings, RIPE NCC

Working Group 9: Governance of Emerging Technologies: Quantum & AI

Breakthrough developments in dual-use technologies, such as AI & Quantum, led to recent global policymaking efforts and discussions regarding the governance of these domains. The critical security implications of these technologies require further attention of the stakeholders as the advancements continue towards further maturity and commercialization. This working group aims to offer a roadmap for anticipatory governance strategies for the field of emerging technologies, initially focusing on AI and Quantum technology. The proposed governance roadmap will be addressing the relevant roles of the state, the private sector, and civil society stakeholders based on lessons learned from past governance efforts concerning complex technology domains. 

Deliverables for this working group will include:

  1. Mapping current risks and opportunities associated with these domains 
  2. Policy recommendation report with input from diverse stakeholders
  3. Standardization guidelines based on the policy recommendation report

WG 9 Mission Statement | February 2023

Potential future Working Groups

It is possible to establish new IS3C working groups on the additional issues (new or mentioned below) relating to the adoption of security-related standards following stakeholder consultations during and following IGF 2021 in Katowice. Those interested in constituting a new working group can contact the IS3C’s leadership.

Identified policy issues for the Dynamic Coalition

The following topics have been identified for research at the start of the IS3C but have not been taken up.

  • Assessing the value of involving non-technical stakeholders in standards development and accreditation processes through i) extending invitations to participate; ii) establishing a liaison system; and iii) providing explanations in non-technical language of why the urgent deployment of finalised and agreed standards is necessary and beneficial.
  • Assessing the importance of consumer protection testing.
  • Assessing the need for a fair system of faming, naming and shaming.
  • Assessing the value of global testing of ICT products and services and a vulnerability reporting modus to ensure their security and safety.

Mailing List

Mailing list address: [email protected]

Subscribe to the mailing list: http://intgovforum.org/mailman/listinfo/dc-isss_intgovforum.org

Stakeholders

  • Nicolas Fiumarelli, Uruguay, technical community 
  • Sam Goundar, Vietnam, Academia 
  • Janice Richardson, Luxembourg, civil society 
  • Awo Aidam Amenyah, Ghana, civil society 
  • Mallory Knodel, U.S.A., civil society 
  • Raymond Mamattah, Ghana, civil society 
  • Louise-Marie Hurel, Brazil, academia 
  • Elif Kiesow Cortez, Netherlands, academia 

Documents/Reports

  • IS3C and the Sustainable development Goals: At the IGF in Kyoto Selby Abraham, chair of the IS3C SDG sub working group, presented on the group's research into how IS3C's work contributes to the SDGs. The group found that "By advancing wider deployment of Internet standards that establish greater online security, safety, and data privacy, IS3C supports the establishment of a digital environment that empowers individuals and communities, fosters innovation, and accelerates progress towards a more sustainable and equitable future. Much of the coalition’s work is accordingly directly relevant to achieving several SDGs, as explained in this paper." The full report can be found here on IS3C's website
  • On 4 December 2023 UN IGF Dynamic Coalition on Internet Standards, Security and Safety (IS3C) published a procurement tool to advance the deployment of security-related Internet standards and ICT best practices: the ‘Checklist of Internet standards for secure communications’. This list contains the most relevant and critical Internet standards that will assist decision-takers and procurement offices to procure ICT products, devices and services secure by design. (December 2023) 
  • In just three years IS3C has grown to comprise eight working groups, with remits to produce reports, recommendations, guidelines and toolkits that will contribute to making the digital world more secure and safer. You can read a summary of our reports and learn of our plans for 2024 and beyond, including the development of an IGF Cybersecurity Hub here: Annual Report 2023
  • Procurement and Supply Chain Management and the Business Case (October 2023)
  • Saving the World from an Insecure Internet of Things (October 2023)
  • Report from the 8th General Meeting (April 2023)
  • Annual Report 2022 (February 2023)
  • Meeting notes – IS3C 6th General Meeting (September 2022)
  • Annual Report 2021 (January 2022)
  • DC-ISSS governance document(April 2021)
  • Annual Report 2020
  • The final report of the IGF’s Pilot Project in 2018-19 entitled Setting the standard for a more secure and trustworthy Internet explained the reasons for the slow and limited deployment of these standards, and identified the key decision-takers in society that as points of pressure would be able to accelerate the processes of deployment globally.
    The Report presented a range of recommendations and solutions that on the demand side would ensure that the right decisions are taken within large organisations relating to the deployment of these standards. On the supply side, the Report recommended leaders in the ICT and Internet industry should integrate security-enhancing standards and best practice in their products and services.

Contacts

Wout de Natris, coordinator, wout.denatris (at) is3coalition.org

Mark Carvell, senior policy advisor, Mark.carvell (at) is3coalition.org