How to Enable Rapid Cybersecurity Standards Implementation for Impact – FA 02 Sub 02 2022

From EuroDIG Wiki
Revision as of 17:39, 20 September 2022 by ConstanceW

21 June 2022 | 15:45 - 16:30 CEST | SISSA Main Auditorium | Video recording | Transcript

Proposals: #12 #26 #63 #67

You are invited to become a member of the session Org Team! By joining an Org Team you agree that your name and affiliation will be published on the respective wiki page of the session for transparency reasons. Please subscribe to the mailing list to join the Org Team and answer the email that will be sent to you requesting your confirmation of subscription.

Session teaser

Is there a practical approach for coordinating cybersecurity standards implementation and who should be driving this – regulators to drive adoption, industry to drive implementation or consumers to drive demand?

Session description

Cybersecurity standards help improve the security of IT systems, networks and critical infrastructures. They typically define both functional and assurance requirements within a product, system, process or technology environment, and well-developed cybersecurity standards help enable consistency among product developers and serve as a reliable metric for purchasing security products. They need to address user needs, but must also be practical, since cost and technological limitations exist. Additionally, a standard’s requirements should be verifiable; otherwise, users cannot assess security even when products are tested against the standard. In this complex landscape, along with increasingly complex cybersecurity challenges and complex regulations, once a cybersecurity standard is developed, how should industry, governments and the consumer approach its implementation so that there are strong safeguards and the fundamental rights of people are kept in the forefront? In this session, participants will address:

  • How do standards intersect or interact with regulations and frameworks?
  • How do they contribute to private-public driven innovation?
  • What does a strategy need to contain in order to speed up deployment of standards?
  • What might be holding the industry back from deploying standards?
  • What might be holding government institutions back from actively supporting existing standards and related best practices?
  • What might be holding back consumers from demanding trustworthy solutions backed by collaborative standards?

Format

The moderator will briefly set the stage for the discussion, putting on the table various challenges and factors at play. Following this, there will be a lightning round of questions and scenarios provided to the key participants to unveil various perspectives and diverse thoughts, which will flow into an interactive dialogue with all participants where tangible suggestions surface that stakeholders can consider as they work to implement cybersecurity strategies and solutions.

Further reading

Links to relevant websites, declarations, books, documents. Please note we cannot offer web space, so only links to external resources are possible. Example for an external link: Main page of EuroDIG

People

Focal Points

  • Karen McCabe

Focal Points take over the responsibility and lead of the session organisation. They work in close cooperation with the respective Subject Matter Expert (SME) and the EuroDIG Secretariat and are kindly requested to follow EuroDIG’s session principles

Organising Team (Org Team)

List Org Team members here as they sign up.

The Org Team is a group of people shaping the session. Org Teams are open and every interested individual can become a member by subscribing to the mailing list.

  • Riccardo Nanni
  • Vittorio Bertola
  • Constance Weise
  • Roberto Gaetano
  • Alève Mine
  • Karen McCabe
  • Wout de Natris
  • Fotjon Kosta

Key Participants

  • Chiara Giovannini, Deputy Secretary-General, Senior Manager Policy & Innovation, ANEC (remote)

Chiara Giovannini has been working for ANEC since 2002, first as Programme Manager and presently as Senior Manager, Policy & Innovation and Deputy Secretary General. Apart from deputising for the Secretary General, she leads ANEC’s work on Accessibility and Digital Society and is responsible for horizontal and strategic policy issues. Prior to joining ANEC, Ms. Giovannini worked at the Swiss Consumers Organisation. She holds a Master’s degree in European Law. Ms. Giovannini represents ANEC at high-level events, committees and research Advisory Boards. For example, she was a member of the European Commission High Level Group on Artificial Intelligence and Ethics. ANEC is the European consumer voice in standardisation. ANEC defends the European consumer interest in the creation of technical standards and European laws and public policies making use of standards.

  • Alex Leadbeater

Alex has spent over 25 years working across the Communications and Cyber Security industry. Alex specialises in bridging the gaps between communications technology evolution and regulatory requirements (Security, Privacy, Public Safety) placed on communications service providers. Alex has been involved in standardisation for 20+ years and currently chairs ETSI TC Cyber, ETSI ISG NFV SEC, ETSI ISG AI and 3GPP SA3-LI. Starting his career in satellite communications, following a Master’s degree in Electronic Engineering from Warwick University, Alex has held a range of technical, design and regulatory governance roles since joining BT Plc in 1999. He is a regular speaker on Cyber Security and Regulatory issues at Communications Technology events.

  • Esteve Sanz, Head of Sector, Internet Governance and Multi-stakeholder Dialogue, European Commission (onsite)

Key Participants are experts willing to provide their knowledge during a session – not necessarily on stage. Key Participants should contribute to the session planning process and keep statements short and punchy during the session. They will be selected and assigned by the Org Team, ensuring a stakeholder-balanced dialogue also considering gender and geographical balance. Please provide short CVs of the Key Participants involved in your session at the Wiki or link to another source.

Moderator

After his PhD in International Relations with a thesis on the influence of Chinese stakeholders in Internet governance, Riccardo Nanni is now researching the concepts and practices of "dataspace" and "data governance" at Fondazione Bruno Kessler.


The moderator is the facilitator of the session at the event. Moderators are responsible for including the audience and encouraging a lively interaction among all session attendants. Please make sure the moderator takes a neutral role and can balance between all speakers. Please provide a short CV of the moderator of your session at the Wiki or link to another source.

Remote Moderator

Trained remote moderators will be assigned on the spot by the EuroDIG secretariat to each session.

Reporter

Reporters will be assigned by the EuroDIG secretariat in cooperation with the Geneva Internet Platform. The Reporter takes notes during the session and formulates 3 (max. 5) bullet points at the end of each session that:

  • are summarised on a slide and presented to the audience at the end of each session
  • relate to the particular session and to European Internet governance policy
  • are forward looking and propose goals and activities that can be initiated after EuroDIG (recommendations)
  • are in (rough) consensus with the audience

Current discussion, conference calls, schedules and minutes

See the discussion tab on the upper left side of this page. Please use this page to publish:

  • dates for virtual meetings or coordination calls
  • short summary of calls or email exchange

Please be as open and transparent as possible in order to allow others to get involved and contact you. Use the wiki not only as the place to publish results but also to summarize the discussion process.

Messages

Video record

https://youtu.be/u8R-1Vpx948?t=21256

Transcript

Provided by: Caption First, Inc., P.O. Box 3066, Monument, CO 80132, Phone: +001-719-482-9835, www.captionfirst.com


This text, document, or file is based on live transcription. Communication Access Realtime Translation (CART), captioning, and/or live transcription are provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings. This text, document, or file is not to be distributed or used in any way that may violate copyright law.


>> CHAIR: We’re about to start the next session.

This is sub topic 2, How to Enable Rapid Cybersecurity Standards Implementation for Impact.

I would like to welcome our online moderator. Riccardo, please, you have the floor.

>> RICCARDO NANNI: Good afternoon. Can you hear me?

Let me try. Is it working better without the ear phones?

>> CHAIR: We can hear you but now you can’t hear me.

>> RICCARDO NANNI: Yes. Can I go ahead? Can you hear me?

Okay. Thank you.

If you see me moving my head, it is just that I have a video on one screen and camera on the other because it is easier for me to keep track of the questions and the notes as well.

Good afternoon, everyone. Thank you for being here. Thank you also to the organizers of EuroDIG and to the whole team that put together this topic in particular.

Thank you to the panel participants also, in particular, we are going to explore how to – how to look at the rapid rollout of the cybersecurity standard and what do we mean by impact, impact for whom? That’s why we brought together a multistakeholder panel, bringing in together three experts from three very different backgrounds.

To start with, in no particular order, we have Chiara Giovannini from ANEC. She is a consumer representative in standardization processes.

We have Alex Leadbeater, Alex Leadbeater is from British Telecom, from the industry and he has several roles within the European telecommunication standards institute, ETSI, in particular, he’s the Chair of the technical community on cyber.

Finally, third panelist, it is Stefano Fantoni, head of sector for Internet Governance and multistakeholder dialogue at the European Commission. If you have questions, do write on the chat or raise your hand or raise your hand if you’re in the room, on site, I would guide the conversation with three questions and I will ask the panelist to keep their answers within 5 minutes.

The first question is, how to guarantee the highest degree of compliance by the industry to the national and European cybersecurity standards.

Given that this is an industry-oriented question, I will leave it to Alex Leadbeater first. Alex, the floor is yours.

>> ALEX LEADBEATER: Thank you. Waiting for the host to unmute me.

Yes, good afternoon, all.

Apologies I couldn’t be there for face-to-face this week. It would have been great to have participated directly.

Yes, as Riccardo Nanni says, I’m Alex Leadbeater, I work for British Telecom in the UKCIS representing ETSI.

To go first as they say, let’s take it in basic building blocks.

I think it is fair to say that there are some areas of cybersecurity in Europe and globally that are very, very strong. If you look at fundamental Internet protocols, things like TSO, other things, we have some good tools and building blocks. If you look at things like mobile networks, the fundamental cybersecurity backbone of those is incredibly strong, incredibly mature. If you take a quick example of GSM, obviously the mid-80s design mobile standards, while they’re beginning to rock and weaken, they have survived 30, 35 years of fairly constant attack. What this demonstrates is we can do cybersecurity in the industry and we can get it right left to our own devices.

However, as I suspect the comment from the consumer side, there are clearly some areas where the industry is not getting it right left to its own devices.

If we take to things like IoT cybersecurity, which tends to be the common source of botnets, other weak cybersecurity in the industry, clearly there is something not quite right in the way that industry, the regulators, Civil Society come together to set that bar in the right place.

In terms of how we achieve a higher level, a first thing to consider, it’s how to achieve a basic level of cybersecurity in order to get everybody up to the same level.

When it comes to a high degree of cybersecurity, high-level, the national cybersecurity, nuclear power station end, I think that we already have most of the building blocks we need to meet the levels that we have got. Where we actually have to start from, it is that basic level of cybersecurity, trying to drag the bar up. Now, there is an interesting trade-off between setting that bar very, very high, the Commission is obviously setting a high bar in terms of its expectation. CSA has the flexibility of three levels, which is on its side, RED is a bit more difficult, it only has one, so the first thing is to establish what can we do to raise every device’s bar to a decent level of cybersecurity.

We do get a lot of pushback when people say, well, what about, you know, this device, cybersecurity doesn’t really matter. I think that the thing we have to remember is that all devices together form an ecosystem, so just because the device doesn’t provide a cybersecurity risk to the user, it doesn’t mean it is the same for the network. That’s what we have to keep in mind with rapid compliance and whole system cybersecurity, how do we protect the users, protect privacy, how do we protect Civil Society. We have to consider both the direct effect on the users and the effect of those devices should they be a botnet. So, I think we have great tools, building blocks that IGF, others produce, we have the ISO framework standards that can allow you to develop strong cybersecurity.

What we don’t appear to have, it is the drive actually to achieve that cybersecurity feeing everybody to implement it and the users to understand the cybersecurity journey. I think that the other challenge that we have in this space is getting to the point where a user goes in and says I want to buy the device for cybersecurity, I want to look at the box and differentiate, to say this product is better because it has been made in Europe and it has high quality cybersecurity versus a cheap product I brought in. At the moment users don’t it unless we’re a cybersecurity professional, we may be the odd 1% that looks at the back of the box. That’s a factor, there has to be user demands to do this, then you will see a more rapid adoption.

There is no silver bullet magic answer to that question certainly from my perspective.

>> RICCARDO NANNI: Thank you, Alex. This is definitely very interesting perspective with which to open our debate today so I will give the floor to Chiara Giovannini for a consumer perspective. The floor is yours.

>> CHIARA GIOVANNINI: ANEC represents consumers. Why do we have consumers in standards? Because the standards, they’re used to complement legislation at the European level.

They can be useful. Cybersecurity is one of the examples where standards are useful. To reply to Alex, we need the drive to have cybersecurity at all levels of the market, also the consumer market, our answer is very clear, we need legal obligations to do so. We have been testing products for the last 7 years, connected products, and the test results, they’re that the cybersecurity is not improving and sometimes it is worsening and I’m referring to products such as connected cameras, doorbells, connected doorbells, all of the products that are supposed to be increasing the physical cybersecurity of consumers and in reality they’re exposed to both cybersecurity problems and lack of physical cybersecurity.

Now, looking at the world of standards, we see that we have legislation making use of standards, we support this approach. We need a baseline obligation of cybersecurity, however technical this is happening, it is the role of the standard to decide and to operate.

The market alone is not delivering, the consumer markets, it is not delivering, and we need to have legal intervention, we’re having that, so we’re very pleased about it, but it takes time. We regret that meanwhile, there is a lack of trust of consumers in the consumer market for IoT. I have been working on IoT for the last 12 years and it is very much a concept that’s not realizing. I remember even 15 years ago we were working on smart homes. Can we say we have a smart home? Any of us? I don’t think so.

The concept is not realizing and that cybersecurity, it is one of the main obstacles.

>> RICCARDO NANNI: Thank you. On this note, on the need for regulatory intervention, we are going to move to a more public authority perspective with who I understand Stefano Fantoni is present on site. The floor is yours.

>> STEFANO FANTONI: I hope you can hear me well.

I am present, a privilege, I have to say, it is my first time in Trieste and EuroDIG and both experiences are paying off. Thank you very much for inviting me to this panel and to EuroDIG in general.

This is a crucial question, standardization in general, cybersecurity in general, they’re topics that the Commission is looking into very closely. There have been in recent years two very important communications that deal with this, cybersecurity strategic communication and the Internet standardization, communication, communications are official documents from the Commission, thus they’re endorsed by the College of Commissioners and they really show where the Commission thinking is going on the issues. In parallel, there are already a series of regulatory instruments at the E.U. level dealing with the standard more generally with cyber standards, with Internet standards that are more the topic of concern of my particular unit. This is something that we’re looking into and indeed we have our concerns and also our premises. I would say that one major premise that drives our work on a standardization, it is what I would say a reasonable premise that standards should be voluntary in terms of deployment or adoption, and the process of designing a standard should also be bottom-up process, a multistakeholder process and this particular area applies to the Internet standards with a strong cybersecurity component, but we think that’s the motto and we start from that premise, we think basically that within this consensus, within the consensus created by industry players, by all sorts of players, including states, that the system, that the system is so complex with so many technical, interoperability elements, should involve, and we should not forget that in general, the Internet has evolved very successfully and there are those premises. These are premises that regulations, communication, you will not see a change of premise on that front from the point of view of the Commission.

This does not mean that we’re not worried about standard deployment.

We are.

We are really following closely at different levels and in different sectors how this is going.

In my particular field, on Internet standards that my team is working on, we have commissioned a study, it is really more of a framework of collaboration with the scientific branch of the Commission, the Joint Research Centre, the JRC, to help us understand how the deployment of critical Internet standards that have strong cybersecurity implications is going.

The results are not fantastic. The full study will be published soon. We will publish a website. We will reflect in relation to those results. I just wanted to give you a few examples of the results coming out of this study.

For example, in terms of a crucial standard to avoid basically many attacks on the Internet we see that 92% of the top-level domain names that are operating in the E.U. have DNS that could deploy and at the same time only 5% of second level domains are signed as well which actually paralyzes the whole protection.

Another type of standard, the manners of standards, the manner, it is not only about the set of standards but also practices that deal with Internet routing. Internet routing is absolutely fundamental, problems in the Internet routing system may bring serious hiccups on the overall Internet structure, the Internet may go down if there is a serious problem with the Internet. Here we see in the study, it is that there is generally good adoption among network operators in the E.U. We have between 90 and 100% of network operators deploying in the proper standards. When it comes to the level of validation of the routing advertising that is again a crucial component of the overall routing system, the GDP system, then we see the level of obligation is below 50%.

Then, when we go into operators that also play a role in routing, the fundamental part of the infrastructure of the Internet, we see that less than 50% of ISPs have done their homework in terms of Internet routing. These are serious issues because the implications of not having cybersecurity, the levels, it is very serious at the same time.

We looked at email cybersecurity, these are very long lists of acronyms, you have to confess that probably the co-panelists also know more about them than myself, the start ELS, others, DMARC, they’re all cybersecurity standards for the email. This is very important. The email these days, it is a form of identification and it compromises our confidentiality and our authenticity and our integrity. Here we see that between 80% and 60% – 60% is relatively low, it is quite low, to take into account how difficult it is. How important it is. Of the new operators of email, a representative sample of operators, they’re deploying the standards. Just let me finish with IPv6.

It is debated whether it has a stronger cybersecurity component, we think it does relate with cybersecurity, IPv6 and here again we have looked at the data and we see that in E.U.28% for clients, only 12% for server side have deployed IPv6 which is the Internet standard. The standard that’s a huge consensus that needs to be deployed or otherwise you could have a serious bottleneck in the development of the Information Society. It is slightly above the world average, but it is still extremely low.

So voluntarily, voluntary adoption of standards, multistakeholder standards, in the case of Internet standards, IPVF is the place to go, we’re defending this in front of ITU to deal with Internet standards. It is very clear to us. We really as policymakers need to understand what’s behind this low level of deployment, what are the causes, they’re not easy to identify. We’re also looking into them.

Also, develop what’s already on the table and discuss later the funding instruments to help with the deployment, the participation of the stakeholders in these issues and also to start a reflection about what else can be done.

>> RICCARDO NANNI: Thank you. After these opening statements, I would like to leave the floor to the audience in case there are questions before moving forward with the discussion.

I see a hand raised online by Andrew. Andrew, please.

>> ANDREW: Thank you for your introductory comments. Two points I would like to make just briefly.

One, I don’t think it is right to assume that all standards are good, nor indeed that they even complement each other.

For example, problem time doesn’t permit going into the details. There are some standards that supposedly haunt privacy but can we – cybersecurity, but – that includes standards currently on development within the IGF. I don’t think there is a general assumption that just because something is a standard it is good and therefore people should be encouraged to implement it without proper consideration of the implications.

Briefly, my second point, which is sort of touched on in the opening comments, again, I pick on Internet standards. Most of those are developed within the IGF and there’s minimal involvement in the IGF by stakeholders other than the tech sector so there is certainly virtually no involvement of Civil Society legislators and end users even, there is virtually no voice of the end user within the IGF which is deeply worrying.

In my view, if you want to really push for the adoption of the selected standards, certainly if you want to make that adoption mandatory in some way, that should really be on the condition that standards are developed by a true multistakeholder body in the first place, not gifted to society by the tech sector without proper discussion of all of the implications of the standards as they developed, including the policy impact that standards may have. Yeah.

By all means, encourage the adoption of standards but have them developed by a much broader group of stakeholders if you will push for that is my suggestion.

Thank you.

>> RICCARDO NANNI: Thank you, Andrew.

I see there is also a question from the room.

>> I’m the policy advisor with the IGF Coalition.

Looking at this issue of lack of deployment of cybersecurity-related standards. It is called IS3C, Internet standards for cybersecurity and safety. We set it up two years ago and have research going on into specifically standards related to the Internet of things, education and vocational training about security standards in cybersecurity and we have a Working Group looking at the potential drivers for the adoption of Internet standard related to procurement, supply chain management. We have research projects underway.

I’m relating to the drivers, procurement in supply chain management, we haven’t gotten the funding yet for our research project on that but it is ready to roll if you like.

There is a discussion, there is a forum within the IGF for doing this and it is year around, an international coalition and we’re looking for partners and data, I was very interested to hear about this study on the lack of adoption and implementation and whether there is any thinking on how to correct that through identifying drivers such as procurement, the procurement agencies for governments and supply chain managers in the private sector knew enough about cybersecurity standards, could they then actually require them through their purchasing and supply chain decisions.

That could be a significant driver.

I’m not aware of any studies into that particular area. From our discussions, a lot of people have said yes, that’s an interesting line to pursue in terms of bringing back more effective implementation of standards that are coming out of the standards developing organizations.

Interested to hear any reactions to that.

Thank you.

>> RICCARDO NANNI: Thank you, Mark. I don’t see any questions from those present. I would like to go back to the panelists to see if they would like to react.

Andrew mentioned the point of the lack of involvement of stakeholders outside of the tech industry in the IGF. Perhaps on this we could go back to Chiara Giovannini from a consumer perspective. Would you like to react to any of the comments and questions?

>> CHIARA GIOVANNINI: Yes. Thank you very much.

Standardization is a private and commercial activity so there is competition about the standards to be developed. There are many discussions. As consumers, we’re extremely under resourced as you can imagine as all NGOs and we have to pick our priorities. Unfortunately the Internet standards and the bodies developing them, they’re not one of them. Like, for example, ITU is not one of them. This is not for criticizing the work done there, but it is just a question of being effective with the funding. We have very limited funding.

It comes into play not only the subject that’s being standardized but the rule of procedure, the rule of the game. What we see at the European level, in the European organization, the rule of the game, it allows us to be there and to have our voice heard. In other standardization organization, the rules of the game are taking a toll, that also needs to be taken into account, in the use of the standard, not only the technical content but also how the decision making is taking place.

>> RICCARDO NANNI: Thank you.

Would you like to add something?

>> ESTEVE SANZ: Can you hear me? Yeah. You want me to comment on the two questions or?

We agree there are barriers of entry into the IGF as an organization, that’s been growing over time. And that, if you look at the level of participation, you see that there are very big companies, normally from Chinese and American origin, that doesn’t mean that the IGF is only driven by these organizations. Here we have engaged with the IGF into such discussions and they have very concrete statistics. We see that the European companies are also present in IGF and they have substantial contributions. We see that the IGF has a very significant contribution from the academic community, from the technical community from the E.U. and we have an eye on IGF, policymakers have an eye on IGF as well as other standardization organizations, precisely because standards are not only a technical endeavor, they do have a public policy and this is a role of policymakers participating in the standardization organizations to keep an eye on them and to contribute to see if the public interests are not there.

The diagnostic of IGF has high-levels of entry and that we may need to enter fine so that we can facilitate, to promote the inclusion of other stakeholders, not only European by the way but speaking with African countries and they’re worried about IGF and the potential lack of participation in the Developing Countries in IGF and that’s clear. We think that institutionally speaking the IGF system has shown itself to be perfectly capable of developing such standards. The deployment is the other thing, even if you’re with the IGF prominent figures, institutional responsible, from the very beginning, deployment was not a concern of the technical community of the companies that were developing those standards there. They wanted to create the best standard to solve one particular problem but the structure of incentives attached to the deployment of the standard has not received proper consideration. This is something that’s been recognized and IGF is working on it.

You have mentioned ITU, and we are the European Union in general, it is not only the Commission but the E.U. Member States, radically opposed to move Internet standardization to ITU.

The situation, it would be much worse than IGF. Basically ITU is a state-centric organization where bureaucrats like myself from all sorts of Member States who hardly know what the acronyms mean will be discussing technical issues we don’t properly understand.

We will take the decisions that will drive to what the first speaker mentioned, it is basically the compulsory adoption of standards that may not be adequate or beneficial. That’s why it is so important that the standards in general, the standard deployment, the standard development continue to be voluntary, and we should look at, really to keep a close eye on the exceptions. This may be exceptions, especially on those standards such as IPv6 where everybody agrees it is something that we need to develop and for some reason, it is not working.

>> RICCARDO NANNI: I see more questions coming online.

(Poor audio quality).

There is a question on the implementation in the chat. This is a very good topic for a number of industries. Alex, the floor is yours if you would like to follow-up with that comment?

>> ALEX LEADBEATER: Yeah. Picking up on the theme of IGF, what’s implemented and what doesn’t, IGF clearly works. The Internet has managed to achieve sort of a scale of deployment that little else has. We also have to remember that there is a difference between standards applied to end users, so for example, as talked about, the poor implementation of cybersecurity in IoT, I think we have to some degree, we have to separate that out from the fundamental protocols that run the Internet.

The IGF clearly has handled that well and continues to do so. We have all of the building blocks we need actually at that level to both have cybersecurity, 1.3, it does what it says on the tin and 1.2 is fine with the mutual presentations, not so great without, so we have all of those things.

I think that as commented in the chat by Peter and Andrew, the thing we’re mixing up in part here is the operation of the Internet, which is largely done for free by the underlying telcos and the infrastructure providers and interoperability of users. If we look at the U.S., Western Europe, part of the reason that IPv6 is not rolled out heavily is that we have plenty of IPv4 addresses, most of the drive for IPv6 is in parts of the world where there is a lack of IPv4 available and also as noted in the chat, one of the paradigms that IPv6 was driven to provide was direct connectivity, everybody in the world being able to have their own IP address and all of the rest of this. What you find when you overlay the privacy concerns on that is that we actually end up applying carrying that in a lot of cases in order to look at the IP addresses, you don’t want for privacy reasons for them to be able to be there and end up with 4. Clearly the industry will shift, I’m not sure on the 4/6 debate there is much of a cybersecurity implication around that in that you can run DNS, others, various other things regardless of the transport protocol.

The other thing that affects the IPv4, IPv6 debate, in low power mobile devices for example in IoT where the actual payload of the packets is quite small, IPv6 is a little bit bandwidth hungry. IPv4 packets tend to be smaller. There is interesting dynamics in there, IPv6 is great for fiber or broadband in some cases for mobile deployments, in the low bandwidth IoT, industrial qualities, it is not really that great because of some of the overheads and its packet sizing.

All of that is an operational issue, not a cybersecurity issue.

So in terms of in a contribution to IGF has noted, IGF is an interesting body for me in that while yes, large companies contribute, you contribute as an individual. Yes, large companies can send more individuals, and in that sense, it is not actually dominated I think as the representative pointed out in that it has a lot of experts, it does a lot of good things.

I think in terms of those aspects we need to separate the free access to the Internet and the ability to provide cybersecurity with the sort of application of cybersecurity.

In terms of adoption of those standards, I think actually Chiara makes a good point, the reason that the standards have not been adopted is because regulation has not driven companies to adopt. We look at the large West Coast, U.S. company, the large Europeans, they have the regulation saying we need more privacy on the Internet or more mandatory cybersecurity or want access for law enforcement, other sort of regulatory purposes, that drives an adoption of standards that are already – that already exist. That is the angle that plays in in terms of are they deployed, are they not deployed. Also, if there is a regulation that says you’re going to have to have cybersecurity in a certain area, that will in turn drive IGF to adopt new standards or to tweak the ones it has got.

So in that sense, there is that feedback loop. At the moment, there isn’t that sort of mandatory requirement, and therefore some of it doesn’t get done. Regulation on its own is not going to cause adoption of certain things in the Internet also because we have to remember there is lots and lots of legacy devices out there. We could easily go and say from a CSP or an ISP perspective we’ll roll out full IPv6, mandatory to 1.3, mandatory DNS, or bits and pieces, absolutely great. Everything would be secure.

The users would have to go and look at 99% of the equipment as would large parts of the industry. They would have to go to the bin, massive environmental waste. Although that’s a little bit melodramatic, that’s the other factor we have to live with, yes, there is a drive for user consumer privacy, yes, there is a drive for better adoption. It is always that tricky balance of what do we do with the legacy and the stuff that people have got that works which will not be compatible with some of that and it will not be upgradeable? I think it is also important, and perhaps this is something that the E.U. and others can think about more, that regulation journey, so where do we want to be in ten years’ time and how do we get there, not here is a regulation now. You know, how can we make people adopt it. I think if you can say to the industry, here is the journey, here is a longer time scale, and this is what we want you to achieve, also including the user involvement, everything else, that will drive adoption, step change, it is difficult to accommodate when things change from binary state of no cybersecurity to we want lots. A longer time scale. You know, driving manufacturers to provide support for longer periods for the products, that’s probably again a lot of the way we’ll address some of this.

>> RICCARDO NANNI: Thank you.

I see a debate is going on in the chat and in person and we have around 5 minutes left. Perhaps there is time for one more question from the audience in Trieste so each of the panel participants can give a quick answer.

>> CHAIR: Would you like to come forward to make the – no, he has said to go to the next question.

>> RICCARDO NANNI: We can take the last question online.

Over to you.

>> I’m the coordinator of the IS3C, Mark spoke as well and the IGF Dynamic Coalition. The origins of that Dynamic Coalition, it was a pilot project under the IGF into the deployment of the Internet standards and they were not deployed massively and widespread. I think what we have been hearing right now, it is a couple of things.

One, as has been said, we’re not going to regulate or legislate these voluntary standards and related Best Practices. It does come down to other decisions. It is going to be either of the two, because if it progresses like we do now probably we’re having the same discussions ten years from now but I may be retired by that time and you, Riccardo Nanni, you may be grayer!

Having said that, it is that we have a few options and we have to start driving them. One, procurement. If governments around the world would start demanding when they procure certain standards to be in place and have some rules around it set by the national government, it would mean that it would be demand for cybersecurity. I think that would be a positive driver for industry.

The second, is that industry would do the same, the management of the supply chain, and that product, that they buy themselves, it is a second strong driver to actually get more cybersecurity.

Chiara already mentioned about the consumer testing, and perhaps it should be better somehow compared to what it is now. You said it is not making – we’re not seeing any difference, but perhaps with studying it all again, it could make a difference in the future.

That’s something which I would just say from the sideline, another thing that we could do, it is relentless testing of the projects, making sure that there is a responsible disclosure and when things do not change, that there is a few bodies around the world that could do the naming and shaming, and then it will become known who is on the side of repair ourselves and those that don’t.

It is also, we have talked about regulation and often we have said we’re not regulating, but is it really true? Are we just not doing it as regulators? I’m not a regulator any more, I can’t say.

What is in the wall actually at this point in time, we’re talking about consumer protection, talking about a GDPR, would that give a handle to actually regulate safer products? That’s something that perhaps needs to be researched.

I will stop here, otherwise I’m talking tomorrow morning, but the fact is, there are many, many options to follow with IS3C, we’re starting on the first ones. We’re hoping to start something on data cybersecurity and data governance very soon. We’re also working on consumer protection in Latin America and hopefully that will start later this year and it will depend on finding the funding which we’re now discussing.

In other words, we tried to walk all of these avenues and come not only with a piece of paper, but then we’ll work hard at providing the guidelines and the toolkits and capacity building programmes to actually deploy the recommendations and that may change the course. It is something that we need you on board for because otherwise we will not be able to do this and we need the support not just financially but also experts being onboard and making sure that we say the right things when we make the recommendations which are widely supported.

Let me stop there. Thank you for the opportunity.

I’m looking forward to hearing a small reaction in a minute if you have one.

>> RICCARDO NANNI: Thank you.

It is half past the hour, the time for this session is over.

I actually had a list of questions that I had shared with the panelists and then I only managed to make the first one because so many questions came from the audience and this is fantastic because it is a sign of the very enticing topic, good speakers and a lot of interest from the participants. I’m really happy with how the panel went. Thank you to the organizers of EuroDIG, to the org team and to the three panelists, Alex Leadbeater, Chiara Giovannini and Esteve Sanz. I will give the floor back to Nadia for preparing the next session. Meanwhile, I wish you all a good EuroDIG.

>> NADIA TJAHJA: We will now go for a break, sub topic 3, looking at International Cooperation on Criminal Justice in Cyberspace: Where we are and where are we heading to? We hope to invite you back here at 4:45.

See you then.