IGF 2022 Day 3 IS3C General Meeting: Recommendations to Make the Internet More Secure and Safer

The following are the outputs of the captioning taken during an IGF intervention. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid, but should not be treated as an authoritative record.



>> MODERATOR: Hi, everyone.  Welcome to the IS3C workshop.  We have a packed agenda for you, and it's also the end of the day.  So I want us to be expedient and get through the agenda.  So just for everyone's awareness, Wout couldn't make it with us.  He's online.  Sorry you're not feeling well, but happy you could at least listen in.  The agenda will be a brief introduction delivered by me followed by the formal presentation of our working group 2 report to the MAG Chair who's kindly joined us.  Janice will be leading on that.  Then I believe we have presentation of the working group 1 draft report, which is going to be delivered by Nicolas.  Then presentation of working group 6, which will be delivered by Louise‑Marie.  And then Allison Wylde will deliver the IS3C digital global compact resolution and then a brief work plan on 2023 and the working group 3, followed by close ‑‑ sorry, Q&A and then close.  Were there any changes or any questions?  All right.  We have a big group, so making sure of their time. 

     All right.  Without further ado, I'll go ahead and read and do introductions.  Wout, if you feel up to it.  It's nice to see you, though. 

>> WOUT DE NATRIS: Thank you.  Let me just say a warm welcome to everybody.  I'm very sorry that I can really not make it over there despite being only 250 meters away.  Thank you, Mallory, for stepping in at such an extremely late notice.  It's very much appreciated.  Thank you for being there.  Unfortunately I cannot hand off the report to you myself today, but I'm very glad that you're there and also that our sponsors who will also receive the report officially today.  So I think it's best, Mallory, if you just take over and that I will try to listen. 

>> MALLORY KNODEL: Of course, yeah.  A pleasure to do so.  So welcome, everyone, again.  Thanks to everyone for their time.  So this is just a general intro of the IS3C sessions for your awareness.  So at the virtual IGF in 2020, the Dynamic Coalition on Internet standards safety coalition or IS3C was launched.

This coalition brings together key stakeholders from the Technical Community, Civil Society, government, policymakers, regulators, and corporate and individual (? ) With the shared goal of making online more secure and safer by achieving (? ) Of existing Internet standards of ICP ‑‑ a bit of background.  Can everyone mute?  Brilliant.  Internet and ICT security is an issue that is high on the agenda of governments, industry, and individuals alike.  If anything, the pandemic has shown us how dependent we all have become of the Internet and the ICTs for many aspects of our daily lives.  It is widely recognized that many Internet‑related products, devices and services are increasingly vulnerable to security threats and the spread of online harms and criminal misuse.  However, if relevant security‑related standards and best practices are more effectively adopted and deployed worldwide, these risks can be reduced significantly.  This will foster greater trust in the Internet and its related digital technologies and applications in the positive social and economic benefits of these transformative technologies for sustainable development will be fully realized for communities worldwide. 

     The IS3C aims to ensure that standards and best practices play their full role in addressing these cybersecurity challenges through establishing the conditions for their wider, more effective, and more rapid adoption by key decision‑makers throughout the standards implementation chain in both the public and private sectors.  This can be achieved only if there is a shared commitment by stakeholders worldwide in a new comprehensive and strategic approach.  The IS3C has established a work program that first brings the critical security supply and demand factors together, and second proposes the best options for the deployment of key standards and best practices on both sides in the form of policy recommendations and practical guidance.  These outcomes will be presented at IGF policy recommendations for dissemination to policymakers and decision takers worldwide.  In this networking workshop, two more working groups announced their start for the 1st of January and two or three announced their intention to start work in 2023.  

     One more may follow later in the year.  Two already active working groups present their plans for 2023.  All need volunteers and funding.  Funding to run the coordination of IS3C and funding to researchers when needed.  We hope your organizations may contemplate participation and/or support in 2023.  But before we get to 2023, let's have our colleagues present, one by one, their work on the report from 2022.  So going back to our agenda, I believe I'm handing the mic over to Janice first.  For working group 2. 

>> JANICE RICHARDSON: Good afternoon, everyone.  I'm calling in from Australia, and I am going to share my screen, try to.  I think that I have a problem.  Can someone in the room please share my PowerPoint?  Do you have that, Mallory? 

>> MALLORY KNODEL: I don't, but, yeah.  You're in good hands.  It's coming. 

>> JANICE RICHARDSON: Okay.  Super.  So first of all, a great thanks to NAST and to Sidden Fund who allowed us to implement research in 2022.  What was this research about?  Well, our objective was to understand why is it so difficult to recruit young people or recruit people, recruit talent in the cybersecurity sector?  What's happening in the tertiary education sector?  Are we striving for the same goals?  Is there a gap?  This is the objective of our research that we conducted throughout the year in 2022. 

     We managed to reach ‑‑ and I'm not sure if you can see my PowerPoint presentation.  Can you see it or not yet? 

>> MALLORY KNODEL: Because I think you might need to stop sharing so that we may share for you. 


>> MALLORY KNODEL: Or if you click your window where the ‑‑ that's fine.  I think we can solve it now.  Thanks. 

>> JANICE RICHARDSON: Okay, super. 

>> MALLORY KNODEL: Are you able to see it as well, Janice, so that you know what slide we're on? 

>> JANICE RICHARDSON: No, I can't.  Yes, I can see it.  Great.  Super.  Here we are.  So our objective was closing the gap between the needs of the cybersecurity sector and the skills of tertiary education graduates.  And we managed to reach 66 countries in our study.  Our study was broken down into two parts ‑‑ well, three, I could say.  We began by interviewing seven leaders in various countries throughout Europe to really understand what is the issue?  What is the scope?  And what are the key transfers of competences and professional competences that are expected of people entering the cybersecurity sector? 

     Then we developed a survey, on the one hand, and reached more than 230 people in 66 countries with our survey, but at the same time we had the great pleasure of working with young people in the IGF youth and the APR youth across many different countries.  What did we do with these young people?  We showed them how they could conduct interviews with people in their own country, and from there we were able to gather granular information as well as the results of our survey.  And, of course, the survey is available to you if you would like to roll it out in your own country.  Next slide, please. 

     I don't see the next slide.  Not surprisingly, there was a huge difference in the number of females that answered.  73 males and 26% of females, and we also had great difficulty in reaching the under 35.  This is really not surprising because this totally reflects the issues that are being encountered in industry.  Diversity was underlined by all people who participated in interviews as being extremely important and yet from this we see that there simply isn't diversity in the field.  Next slide, please. 

     What did we discover?  First of all, we created a model which comprises ten competences, what we call transfers of competences.  If you look at the green, these, according to industry and according to education, are absolutely critical skills which need to be taught in education.  So critical thinking, very important.  Creativity, problem solving, teamwork, oral communication skills.  How do you convince people in an organization that they really need to take ‑‑ pay attention to cybersecurity if the people preaching this message don't have the right oral communication skills?  Handling complexity for industry was extremely important, and here you can see quite a bit of divergence with the education sector who really don't place the same importance on critical thinking, who don't place the same importance on handling complexity. 

     On to the next slide, please.  We also asked about professional competences.  Does industry and education consider the same professional competences are important in and once again, you see some discrepancy.  Security risk assessment, really important for industry, far less for education.  Understanding of system logic is almost totally neglected in the education sector.  So here we see in green the very important skills considered by both sectors.  In red, the skills that really they don't think is so important, and it's not really having an impact on industry. 

     Next we asked for an assessment about the capacity of young graduates in these areas.  Next slide, please.  In terms of transversal competences, once again, we see quite a bit of difference.  And surprisingly, it's actually industry that assessed the skills higher than education.  Problem solving.  Education.  Think that 78% of graduates actually have a high‑level year.  Industry, slightly lower.  Written communication skills.  Once again, a slight discrepancy but not so much when we look at the level of tertiary education graduates.  Next slide, please. 

     If we look at the professional competences, we do see quite a few differences.  The security risk assessment, but only 56% according to industry actually have the required level.  You can see these figures are considerably lower.  We found our examination of these issues, of the assessment of competences and of the importance placed on competences, we did come up with a number of findings.  Next slide, please. 

     Next slide, please.  Firstly, we can see ‑‑ oh.  Next we also ‑‑ these are the interviews that were conducted, and we're just showing you this table of interviews to show you that really we did reach out.  We did interview a lot of people.  But maybe there are people in the room right now who would be willing to continue with us and take part in a one‑hour interview so that we could continue to build on our findings.  So what did we find out?  Next slide. 

     We found out, first of all, that, yes, there is a real problem, and it's mainly for young people living in Samoa, in Nepal.  They have no means of developing their knowledge in this field.  Therefore, one of our key findings is that it's extremely important that we start developing an online kit to enable young people who are living in some of these countries to actually continue with a training.  Improve education and training. 

     We also discovered that teaching in the tertiary sector must be much less theoretical.  We need a bigger connection to everyday issues.  We have to raise awareness of the importance of cybersecurity at all levels of education.  There really is not enough collaboration between industry and education.  We need to find ways to do this.  One of the good practices that we came up with, for example, is in Denmark where there is now a national hub where industry, the cybersecurity industry, and the tertiary education system come together, exchange ideas, and try to develop the knowledge between them. 

     We need to boost diversity, upgrade recruitment procedures, and here we discovered, for example, in the Netherlands, the Ministry of Health are using social engineering for much more efficient recruitment procedures.  But we also need to scale up knowledge sharing, set up an observatory of good practices.  There are some good practices out there.  How do we scale them up?  How do we ensure that everyone can benefit from them?  What's our next steps?  2023, we are hoping to set up a hub.  We are hoping to raise awareness in industry about the advantages of closer cooperation with education.  We will be focusing on capacity building, to promote knowledge sharing.  We'll be encouraging and supporting participation of the under‑30 age group and especially of women.  And when we look at countries, for example, in Africa, this is a growing economic sector.  We need to train our young people to draw benefit from the economic growth in this area.  We need to support the revision and the update of education curricula at all levels to make us all much more aware of cybersecurity but also to bring up that talent pipeline, so a lot of young people are ready to work in this area.  And we need to set up a training program for the Global South. 

     This is basically all I've got to bring you today.  I hope it's been of interest.  And once more, I do thank our sponsors who have supported the research so far.  And I do hope that there will be other people, other organizations, willing to join us and to support the ongoing work that we are doing in the field of skills and education.  Back to you, Mallory. 

>> MALLORY KNODEL: Thanks a lot, Janice.  Excellent presentation and right on time.  Just to remind the room that we'll have a portion for Q&A at the end.  So if you had questions for Janice, hold on to those.  We're going to go next to Nicolas who is going to present on the draft report from Working Group 1. 

>> WOUT DE NATRIS: Sorry, Mallory.  We now seem to hand over the document to Paul and the sponsors and then we move to Nicolas.  So an official moment with a photo and then we move on with our session. 


>> JANICE RICHARDSON: If I just come in here, we are absolutely delighted to hand over this report.  There are a few printed copies.  We greatly appreciate your support and the SIND Fund.  And I know that our collaboration is going to continue into 2023.  I hope you're satisfied with the work that we've done so far, and we look forward to our continued collaboration.  Over to you, Mallory, to hand over the report.  I don't know if you want to capture us all in the photos.  It's up to you. 

>> WOUT DE NATRIS: Can the camera turn to the handing over of the report?  Is that possible? 

>> MALLORY KNODEL: We've got it on camera.  There it is.  Good. 

>> WOUT DE NATRIS: Great.  Now I see Nicolas again.  So they moved backed the camera. 

>> NICOLAS FIUMARELLI: Hello.  Hello, everyone.  I am here.  So my name is Nicolas Fiumarelli, I am the chair of working Group 1.  This year we started our research about best practices on the Internet of things, security.  The title of the ‑‑ the heading of the research is standards and best practice adopted in national and regional policies and regulations relating to the security of the Internet of things. 

     Here is a little introduction and a little of background about the quantity of IoT devices being connected to the Internet.  And this came from Statista in 2022.  It is expected from this graph to have at least 30,000 media devices connected to the Internet by 2030 for different purposes.  For connected bankers, they are emerging, to IT infrastructure, you know, in industries, IoTs we use in an industry way.  Also payment terminals, different devices or machines, you see industry, inside places and nowadays more remote process control devices. 

     So with this advent of the quantity of these devices being connected to the Internet, there is ‑‑ there are full threats around that because if this quantity is increasing, these security threats are showing up.  So this will result in a spate of online harms online and growth in criminal misuse.  So we have a very strong issue right now.  It's a problem that needs to be solved, how to make sure that these devices (muted) have full security, data, information, personal data, and different kind of things.  So it is important, one of the names of the Working Group 1 is start deploying the best practices on the best technologies around IoT security.  On the different categories of security, you can see here is a picture of the research.  We have analyzed with three researchers ‑‑ four researchers, actually, because we have one research that is (?).  30 policy documents that are from different types like current national government policies, regulatory frameworks and code of practices around the world.  Specifically on for IoT.  We cover more than 20 countries.  Here you can see some of the countries that were taken into account.  It was very difficult for the researchers to find documents that are specific for IoT.  One clarification here, as I said, these documents are policy documents, so we are not taking into account all the best practices that came from the standardizing entities, right?  We start from the policy document, that was, like, a new thing we were trying to do.  So to know what are the actual deployment of technologies or the actual regulations regarding these technologies. 

     So here you can see some of the countries that we took into account.  We tried to find documents from all the regions, equally distributed.  We lack documents for the Latin American and the Caribbean and the African region because there is the creation of these laws or the creation of these regulations is under way.  So we will have something for the future. 

     Just to mention about the research phases very rapidly.  We started in mid‑April in 2022 with preparatory meetings with me as the lead research and the researchers.  Then in late April to early May, we have some desk toll research in trying to find extra documents, because from the last year, we had a repository full of documents, but that repository was full of documents different in nature, as I say, from policy documents but also ‑‑ how to say ‑‑ the standardizing entities best practices.  So we got the documents to have all of these policy documents.  Also this extra desktop research and trying to find more documents.  We also sent messages to the wider community not only to find these missing documents.  And at the end we found from 20 countries where we think it's very well represented. 

     Then you (frozen) we had some briefing.  They are going to be collecting from these documents, different parameters, like, for example, having the reference links, that the documents point, having different research challenges that our researchers defy.  Also we needed to categorize these best practices in different categories.  Then the stronger phase was from May to October where we worked on the analysis of the policy documents captured in collecting all these details on what are the best practices mentioned?  What are the stakeholders' approach in these documents?

Because sometimes it's a document that is for the manufacturers.  Sometimes it's a document that is for consumers, right?  So at the end, there are stakeholders involved in all these requirements.  Some of them are requirements.  Some of them are recommendations from the policy level.  So we needed to capture all these best practices. 

     So in October to November, we did a compilation of these documents in order to analyze and compare and see what are the most best practices being referenced in this policy in the documents around the world?  What are the best practices that are the most close, right?  Because we see there is a strong gap between the practice.  Because IoT at the different standardizing levels, different technologies, we see the advent of the quantum computer, so we need to update what are the items that are being used in this IoT and to have a balance because these devices have constrained memory, constrained batteries.  So at the end it's very difficult.  So these standards are evolving all the time. 

     There are some best practices that were mentioned in more than three of the documents.  So then we have the presentation here this year, 2022, and the next step is to go with the consultation.  We have already started doing this in our networking session.  And we'll collect all the feedback for all the stakeholders globally.  Hopefully in the following weeks we will have in the review platform the report there for all stakeholders to put feedback. 

     So with this feedback we will collect in January and February 2023, hopefully before the deadline of the digital compact, we will have the final report and disseminate this to stakeholders.  I will go a little rapidly because I know this is the last session and I'm sorry I don't have time for all the documents.  But just for you to know that there are four different categories of best practices.  The first one is privacy and exposure.  We really create this set ‑‑ category that is comprised, for example, on encryption, practices on encryption, practices on exposed attack surfaces on the devices but also on the interface.  Then as a secure management of case, right, and with a focus on personal data as well.  Then the second category is about the update.  You know that this is a problem, how to update these devices with the last version of the libraries.  So this category focused on keep software updated, blocking out entities for manipulating the internal (?) Of these devices, about how the device works or how this updates are being done, and about policies as well.  Then the third is about non‑technical work because these are some practices or activities that are considered best practices that not necessarily are technical things.  So, for example, to have vulnerability disclosures particularly on these reports, public, education, things that sometimes ‑‑ in some of the policy document, we have seen that there are education programs for these devices or videos and the material the devices have for the end user, the consumer, to understand how they need to configure these devices and so on.  Also we have seen in Singapore, Finland, USA, and different countries, they are having labeling programs like frameworks.  And also about the communication, to have a space for the users to bring support, channels, et cetera. 

     And the fourth category is about operation and continuity.  This is about not letting the user or the device used to default password, like could be monitored for the users to configure their own password, so these kind of things.  When the connection drops, the device needs to be safely and securely.  It keeps sensing the information.  Then when it's connected again, they send a batch of information to the interface so to not lose that because sometimes these devices can be critical.  We have seen with electric vehicles, different medical supplies, what happens if the Internet is shutting down?  These devices need to at least maintain working without even a connection.  Also in end‑of‑life strategies, they can't maintain the devices forever in their life, so there needs to be an end in time or a parameter to say, okay, we are updating the libraries until this date.  So logging of security, some security thing happens in the device, this could be automatically notified to a manufacturer, also to the end user.  And then allow security boot procedures.  (?) Then the device will not start to scan, or to scan or to sense or whatever the purpose of the device is.  Also the activators.  If the device ‑‑ like if the security check fails, the device is not going to work because (?) Right? 

     This is another picture of the different categories of best practices we found.  The differences is about ‑‑ because some of the documents were open consultations for the countries, and some of them are recommendations for the technology or science institutes in the countries.  For example, sometimes it's not a requirement.  So we needed to (?).  We found that there are more recommendations or requirements.  That is something problematic because sometimes the recommendations are not taken into account, right?  So requirements are something more strong for the manufacturers, the consumers, and et cetera that need to be compliant with these policies.  So then you can see all the types of best practices or more recommendations or requirements. 

     There are different documents here that I will not dip in.  As well, we have found some challenges in finding, like, these top 20 practices that we are still finishing, because, as I said, there are different types of documents.  We tried to pay attention to the documents that establish stakeholder responsibilities.  So that is something that we were very interested to have it as best practices.  Also, priority was given, for example, to practices coming directly for the realtors or the policymakers to have this copy consultation.  A lot of countries have open consultations, but maybe we are biased because we don't know the different stakeholders who were there, so sometimes this is failing in terms of consensus. 

     So that is what we have done this year in terms of this research.  Some conclusions that we finish with.  This has to be evolutionary work because as I said, a lot of documents in 2022 also, in Latin America and Caribbean and in the African region, there are a lot of policy documents being created right now.  So also we concluded that the adoption of the best practices is increasingly urgent, as we have seen less requirements than recommendations at the end.  So there is a strong gap between the practice.  And there are topics of relevance not included, for example, about the quantum computing and different things that are happening right now in the world.  We really didn't find any measured in our policies, so we are really concerned about this.  The researchers were really concerned about not having sufficient knowledge from the policymakers and decision‑makers' point of view because there are strong things nowadays, and this could be very dangerous, right? 

     We will go to the open consultation, as I mentioned in the following weeks.  This is very relevant to the Global Digital Compact.  Also, there are different ‑‑ there are two different key points of the roadmap of the Global Digital Compact.  One is on ensuring trust and safety, a key component, and also about ensuring the human rights on a digital level.  That is the other point of the Global Digital Compact with this research.  So thank you so much.  If you have questions or comments, I am open to answer. 

>> MALLORY KNODEL: Great.  Thank you so much, Nicolas.  Louise‑Marie, are you online to present in the next section?  I haven't seen ‑‑ we will have a Q&A, yep.  So do hold on to it.  I think we will have only really one more presentation from Allison next.  If Allison, you're ready, I think we just have to skip Louise‑Marie.  She's not online. 

>> Allison WYLDE: I saw Louise earlier.  She was in an earlier call.  Let me just share the screen with you. 

>> MALLORY KNODEL: Great.  Go ahead. 

>> Allison WYLDE: And then I've got a PowerPoint for you here.  Okay, great.  So I'm just checking.  Can you see this okay? 

>> MALLORY KNODEL: Yes, we can. 

>> Allison WYLDE: Okay, thank you.  I'm delighted to be here, and I've been working with IS3C on this fairly short piece of work, actually, since September 2022.  So it's fairly new.  It's fresh.  And what I've got for you here is really some progress up to date.  As I said, it's a very short piece of work since September.  So thank you to colleagues for inviting me here, and thank you for the presentations we've seen up to now.  I think this really fits in with what we've seen up to now with particularly the education piece from Janice, you know, we can see that there's lots of interest there, the work from Nicolas, and I'm sure Louise will probably jump in a little bit later. 

     So the Technical Envoy Office released a call for contributions to look at the Global Digital Compact which, of course, arises from other work, central work, for the United Nations, futures work.  And there's lots of background to this which I won't go into, actually.  But the website's there, and there's a call‑out which has now been extended.  The contribution is going to fit into work ‑‑ United Nations work next year in 2023, probably on into 2024.  So I think definitely there's mileage in IS3C taking this forward and really developing what we're contributing here. 

     So the website's here.  You can have a look at the website.  You can look at the idea behind this is looking at the Global Digital Compact and how we can actually create the compact with principles that are agreed and widely participate in it, call to participants globally to contribute to this.  And what we've been doing here is reaching out to our members and trying to generate interest in making contributions into this. 

     And the principles themselves at the moment are here.  So there are eight principles at the moment that are involving connecting everyone and the goals of having a free ‑‑ sorry, skipped a slide here ‑‑ of having a free ‑‑ let me just go back.  Here it is.  So a free, open, and secure Internet.  So I've just highlighted this here.  These are the goals.  So to achieve these goals, what we have is obviously we can't have rules based anymore, so we're looking at principles.  So the eight principles that have been set up to now are the principles of connecting everyone, protecting data, applying human rights, the idea of digital commons as a public good, very much like fresh air, like water, the regulation of artificial intelligence, accountability for discriminating and misleading content, avoiding fragmentation, and this has been picked up in earlier meetings today.  There's been some really interesting discussions talking about accountability, and they are also talking about actually trying to get metrics together, and other areas.  And this is where I come in with my particular interest.  So I have to declare myself as a trust researcher. 

     So I spoke with a senior security practitioner, UK‑based but for a multinational company, and the feedback here was actually very practical, you know, looking from industry.  The comment was we're never going to get to Utopia.  It's not possible.  But the question is what's best for the most?  And this comes back to, you know, ethics, historic ethics, you know, Jeremy Benthum and utilitarianism.  And taking this come forward, and I'll come on to some research that backs this up, so it is looking like the recommendation is going to be trust because it's implicit if we have these principles that people, individuals, organizations, governments, supranational organizations will actually have to trust in the principles.  So it makes sense that we actually have trust as kind of a central, cross‑cutting principle.  And if it's there, then we can actually measure it.  There's empirical research to see how we actually measure this.  And then we look at, for example, connecting everyone.  And then if we say if that has to be a trusted principle, can we assess that, monitor it, and if we have this principle of trust, then actually, yes, we can do that.  So we can look at fragmentation, for example.  We can get a metric for trust and then have a way of actually trying to monitor this.  Protecting data, we've mentioned, and so on and so on.  Around these, there's this equal balance between the principles with this argument. 

     So here's some breaking research for you.  And this is not empirical research.  You know, this is very much discursive.  So I'm a lecturer.  I work in business schools.  And this is some conversations with MDA students, MSC students over the past couple of months.  And what we did was we looked at these principles, and we looked across the financial sector.  So the majority of students are London‑based, but they are international students.  Many, many students, a high percentage from the Global South.  So from India, Pakistan, Bangladesh, Sri Lanka.  This is what we came up with.  We looked at a multinational bank who will be nameless, and then we looked across actually state banks from three Global South regions. 

     As I say, this is not empirically derived, so it's not statistically relevant, but it was very much yes/no.  And what we did is we looked at each of the GDC principles.  So, for example, connecting everyone, avoiding fragmentation and so on and so on.  And in the eighth, other area, we didn't look, but we found evidence, and I'll quickly go through.  So, for example, protecting data, principle number 3.  And the multinational bank, we found it was explicit.  It was there.  We could see evidence in that bank of them having practices in place to protect their customers' data.  They were also going as far to actually have mention of their supply chain.  So that was an exemplar, if you think.  And then we looked across our banks ‑‑ our state banks from the Global South, and we did, in fact, see evidence of protecting data there. 

     Then if we looked at human rights, we saw in a multinational bank, yes, there was explicit evidence in there.  We found from one of the Global South banks, there was nothing explicit.  And the second case, yes.  And you can see in the third one.  And if we go drop down, then, to the other area.  And this came out in our discussions.  We found evidence of trust.  And we found that in terms of the bank saying that they wanted to have trust ‑‑ trustful, trustworthy relationships with their customers.  And, I mean, this is ‑‑ as I say, this is just breaking research.  And I'm going to take this forward and reaching out if there's interest in developing this.  But these are based on conversations with students looking at their websites of these companies.  And, you know, I suppose that in sum, there is some mileage in here in trying to do gap analysis of, you know, once the principles are agreed, then actually we can evidence their presence, and this gives us, then, a metric whereby we can look at, once the GDC is being implemented, we can collect evidence, and we can also build a monitoring tool.  So that's me.  So thank you.  Thank you to colleagues for inviting me.  And there's some contact information there for you.  So thank you. 

>> MALLORY KNODEL: Thank you, Allison.  Has Louise‑Marie joined?  I'm not sure.  That's all right. 

>> WOUT DE NATRIS: No.  This is Wout.  I understand that she's in another session.  So I asked her where she is, but she's not here. 

>> MALLORY KNODEL: All right. 

>> WOUT DE NATRIS: The only thing I can say is that she's working on governance and security and she's preparing legislations on this topic.  Exactly what she's studying at this point, I'd like to hear, just like you.  So let me stop there. 

>> MALLORY KNODEL: Sure.  I think it just means we'll make it to Q&A faster because I know folks are lined up. 

     The last one, I'll keep it brief because it's not a report on work done but rather a preview of work to be done in 2023 from the Working Group 3.  This is on the procurement and supply chain management and the business case.  So the idea being that we would like to first do some scoping and mapping, similar to Nicolas's group's approach.  Just understand what's currently out there in terms of procurement policies that focus on ‑‑ or at least include safety and security standards. 

     So having a full scope of those will also give us an insight into the challenges and opportunities.  So through really sort of best effort desk research leading to more collection and documentation of these procurement policies and supply chain policies.  We would also at some point need to narrow the scope, I believe, to not include every single possible document or policy out there, but just to what speaks to the U.N.'s and IGF's specific spear of influence to actually come up with some relevant and actual guidance that would come out of that mapping and scoping. 

     But based on that ‑‑ or in order to achieve that, I think we would need to also involve researchers in conducting surveys and understanding what some of those challenges are in order to develop guidance.  And all along, throughout the year of work that we've planned out in our work plan, we'd be ideally conducting outreach as well to that the folks who have been interviewed or who we've cited in our work or may engaged and invested in the outcomes of the report. 

     So, again, I wanted to keep it brief because I think that we'll have some discussion and questions from the floor about all of the wonderful work that's been presented today.  So I can do my best to look at the room if there are any questions.  But Nicolas, if you could help me if there's any in the chat, and we can create a queue that way. 

>> Okay.  I think in the chat, we didn't have any questions here.  Let me also check if someone has written. 

>> MALLORY KNODEL: We have one here in the room, Selby, down here.  So go ahead. 

>> Hi.  Dwayne Halls with the USC cyberspace and digital policy.  To Nicolas on the IoT, you're starting to see a lot of motion towards zero‑trust frameworks, which is going to make the IoT issue maybe even more complex.  Does the scope of this report comprehend some of that activity in that direction, especially even down to the kind of semiconductor supply chain issues? 

>> NICOLAS FIUMARELLI: Yes.  Well, there were different approaches that are similar to the (?).  We have found seven of them, but we have not seen data as a common best practice being mentioned in the documents.  But hopefully when more policies will be appealing, mentioned in this framework of security, I think that that is a very good approach that is happening nowadays, to not attach on nothing.  And I think also our researcher wanted to mention something about that because he follows some of the documents as well in that way. 

>> Yes.  Thank you for the question.  I'm one of the researchers of this research.  I did not find ‑‑ we have not found any document talking about zero‑trust, but we have really good documents from ANESA, which is one of the organizations of the (?) That talks about good practices, best practices in cybersecurity by design, supply chain of IoT devices from the design to the manufacturing (?) Chips and so on through the end of the life of the device, so it would be helpful if you want to use that document. 

>> MALLORY KNODEL: Okay.  I think we have no questions in the queue online or in the room.  I don't know if you can come in and close it out.  I haven't prepared anything other than just to thank everyone for coming and thanks to all the researchers.  Yeah. 

>> WOUT DE NATRIS: Mallory, thank you.  I think that, first of all, thank you very much for coming and for joining this session.  And I think that our researchers have shown what sort of impact is going to be made by this Dynamic Coalition.  Also that we plan to have more work coming up in the next year.  This will include two working groups that will actually start, and three that sort of are announced of people wanting to start these working groups.  Two of them are on quantum encryptions, and we'll see whether they will be able to be merged.  They were recently received, and the other one is on specific standards (?).  And anybody interested to work with us is invited to do so.  I've put the link in the chat.  Again, I'm very sorry that I could not be with you today, but I've tried, but I couldn't get to the reception desk, and sitting here in the chair, just managing it.  But that said, I think finally, I want to thank the researchers for their work and the report that is out and has been handed to Paul and our sponsors is online at this moment.  I put the link in the chat as well.  As Nicolas said, there will be an open consultation probably two weeks from now starting for about a month so that people can comment on the Internet of things security by design policy recommendations and best practices that we have found.  And the other work will start in next year.  The data security and governance working group that was not presented, I understand perhaps the report is even there in December, but I'm not totally clear on that.  So please excuse me for not having that information. 

     So let me thank you ‑‑ start thanking the sponsors without whom it would never have been possible.  In the first place, there's a registry in the Netherlands that sponsors us as a coordinative group.  We have been sponsored by SRE Fund and NUSK for education and the skills working group, we have Microsoft who is sponsoring us for the IoT Working Group.  And UNDESA sponsors us for the data security working group.  So there's a very diverse set of organizations, and looking back when we started two years ago at the virtual IGF with no funding, only ideas, and very, very, very slowly picking up the traction that a Dynamic Coalition like this needs.  We were able to announce, after a year, working programs.  And then we found our first sponsors because we were able to become very concrete, and that voluntary work put in by a lot of people is extremely, extremely appreciated. 

     And from there, as you can see, like Janice said, how many people voluntarily joined who come up with this data shows that a lot of people care about the topic of education and skills.  And somehow we will have to make sure that this is going to widen and that more and more people understand that this Dynamic Coalition, but also others, can make a difference in the topics that they work on.  And I hope that next year where we are in Japan, in Kyoto, that we will be able to present our next reports and the second phase of Working Group 1 and 2 so that there actually is going to be a step from the theory of having a digital paper on the IGF website and elsewhere to a practice so that actually we move towards a more secure and safer world which is the goal of IS3C.  So I hope to be able to next year share again with you some major outcomes but also that more people will have become involved by that time as they will see that these are important topics that will protect our society in the next decades. 

     And with that, let me stop there.  I think I've said enough.  If there are any closing remarks from the room or from you, Mallory, as Chair.  Again, thank you very much for stepping up because I really couldn't make it there, and it's very, very much appreciated.  So I hope to see you tomorrow, but there's no guarantee, I'm afraid. 

>> MALLORY KNODEL: Okay.  So I think we have one online. 

>> (?)

>> NICOLAS FIUMARELLI: Okay.  Thank you so much.  I just wanted to add from the Working Group 1, when the open consultation and the document is public, if you know of any documents mentioned specifically IoT security, please reach out to us because we wanted to include it in the research as well for future work as well.  And I have a comment also on a different topic.  I think the future world, I mean, these new working groups such as the quantum post‑encryption or different working groups around different security technologies and the critical infrastructure such as what was mentioned about (?) So this is very important, I feel, from my personal point of view.  I work on the Internet registry, so I think this is extremely important to have this because nowadays these technologies are not enforced in some manner.  I am not saying that is the correct solution, but maybe we need to look into some more work on research along that to see what could be the next step to assure that the Internet is more secure and safer in terms of these security protocols as well.  Thank you. 

>> MALLORY KNODEL: Thank you for coming, everyone.  Thanks so much for all your hard work.  And see you tomorrow. 

>> WOUT DE NATRIS: Thank you.  This is Wout.  Can you please bring the flags and the rest of the report?  Some people that may want it can get it.  Please bring them so I can bring them back home tomorrow.  Thank you very much. 

>> Certainly.  Thank you. 

>> Thank you.  Good‑bye.