How can collaborative standards development support the European cybersecurity agenda? – WS 02 2022

From EuroDIG Wiki

21 June 2022 | 12:15 - 13:15 CEST | FabLab / Fibonacci | Video recording | Transcript

Proposals: #12 #26 #63 #67

You are invited to become a member of the session Org Team! By joining an Org Team you agree that your name and affiliation will be published on the respective wiki page of the session for transparency reasons. Please subscribe to the mailing list to join the Org Team and answer the email that will be sent to you requesting confirmation of your subscription.

Session teaser

Is it possible to promote a global, open, stable and secure cyberspace while strengthening cooperation and motivating industry and governments to embrace cybersecurity standards?

Session description

The European Cybersecurity Strategy, released in December 2020, aims to ensure a global and open internet with strong safeguards where there are risks to security and the fundamental rights of people in Europe. It looks to build resilience to cyber threats and ensure citizens and businesses benefit from trustworthy digital technologies, and contains proposals for regulatory, investment and policy initiatives in three areas of EU action: (1) resilience, technological sovereignty and leadership, (2) building operational capacity to prevent, deter and respond, and (3) advancing a global and open cyberspace through increased cooperation. This session will explore how collaborative standards development and its outputs can help support the European Cybersecurity Strategy, and how standards strengthen linkages between European cyber policy and non-government sectors.

Discussion

An interactive discussion will take place on how to approach, integrate, collaborate and develop standards across organizations and interests to support on-going European security/cybersecurity needs and interests.

Participants will address the following questions:

  • How do standards contribute to strengthening cooperation with partners around the world to promote a global, open, stable and secure cyberspace, and what is their role in the European Cybersecurity Strategy?
  • Is there a need to increase participation in collaborative standards development?
  • Is there a need to raise awareness among EU and non-EU countries of issues at the intersection of cybersecurity and standards, and how can this be done?

Format

Each panel member will present a brief overview of their views and perspectives on the European Cybersecurity Strategy through the lens of the current cybersecurity standardization, business and policy landscape, as well as share what they may see as possible gaps or opportunities in cooperation and collaboration in the European approach to cybersecurity standardization that should be addressed. This will be followed by an interactive open discussion with all attendees to hear opinions, ideas, concepts and recommendations that can contribute to practical steps as the strategy is implemented.

Further reading

Links to relevant websites, declarations, books, documents. Please note we cannot offer web space, so only links to external resources are possible. Example for an external link: Main page of EuroDIG

People

Focal Points

  • Constance Weise
  • Karen McCabe

Focal Points take over the responsibility and lead of the session organisation. They work in close cooperation with the respective Subject Matter Expert (SME) and the EuroDIG Secretariat and are kindly requested to follow EuroDIG’s session principles.

Organising Team (Org Team)

List Org Team members here as they sign up.

  • Constance Weise
  • Roberto Gaetano
  • Karen McCabe
  • Pierpaolo Marchese
  • Riccardo Nanni
  • Wout de Natris
  • Alève Mine

The Org Team is a group of people shaping the session. Org Teams are open and every interested individual can become a member by subscribing to the mailing list.

Key Participants

  • Jari Arkko, Internet Ericsson Research and IETF Architecture Board (IAB) (remote)

Jari Arkko is a Senior Expert with Ericsson Research. He has worked on routers, Internet technology, software development tools, cellular networks, and security protocols. He likes to personally build and use the technology that he works with. Today he works on internet evolution and 6G. He is a frequent contributor on matters relating to internet architecture, trends and administration. He has also served as the Chair of the Internet Engineering Task Force (IETF), the Internet technology standards development organisation, and is a current member of the Internet Architecture Board (IAB).

  • Sławomir Górniak, Senior Cybersecurity Expert, European Union Agency for Cybersecurity (ENISA) (remote)

  • Thorsten Katzmann, Head of Compliance Engineering and Standards, IBM Germany

Thorsten Katzmann is the head of IBM’s Compliance Engineering and Standards team in Germany, providing direction in product compliance (HW & SW) and in the related standards development, and supporting all IBM business units and geographies.

As a Standards and Compliance Program Manager, his internal role includes coordination and direction of IBM’s certification activities, standards, and policy development. He also serves as program manager for standards development at ISO and CEN/CENELEC for IoT, digital twin, cloud computing, artificial intelligence, and e-accessibility, with more than 10 years of experience. He drives IBM's activities as a focal point for information on the procedures and work programmes of international standards development organisations.

External to IBM, Thorsten serves on numerous standards development organizations within Germany (DIN/DKE), Europe (CEN/CENELEC) and internationally where he is a nominated expert to JTC1 and other ISO committees.

Thorsten maintains leadership roles within several trade associations (BDI, Bitkom) promoting better regulation, standards, and the international harmonization of requirements in standards.

  • David Tayouri, Chair, IEEE SA Cybersecurity for Agile Cloud Computing Industry Connections program, and ELTA Systems, Israel Aerospace Industries (IAI) (remote)

David Tayouri is the Cyber R&D Manager in Cyber Division, ELTA Systems, Israel Aerospace Industries (IAI). David has been one of the cyber activity leaders in IAI. During the last 19 years, he has been developing intelligence gathering systems for defense organizations, in different layers, mastering the cyber domain in the last 10 years by heading cybertechnology and business units and developing innovative cyber solutions.

David is an experienced technology leader with business understanding, having a demonstrated history of 30 years as software developer, team leader, system engineer, project manager and system architect in various domains. He holds an MSc with Honors in Computer Science from Bar-Ilan University, and is a PhD student at Ben-Gurion University of the Negev, specializing in network and system risk assessment with attack graphs.


Key Participants are experts willing to provide their knowledge during a session – not necessarily on stage. Key Participants should contribute to the session planning process and keep statements short and punchy during the session. They will be selected and assigned by the Org Team, ensuring a stakeholder-balanced dialogue that also considers gender and geographical balance. Please provide short CVs of the Key Participants involved in your session on the Wiki or link to another source.

Moderator

  • Vladimir Radunovic, Director, E-diplomacy and Cybersecurity Programmes, DiploFoundation (remote)

The moderator is the facilitator of the session at the event. Moderators are responsible for including the audience and encouraging a lively interaction among all session attendants. Please make sure the moderator takes a neutral role and can balance between all speakers. Please provide a short CV of the moderator of your session on the Wiki or link to another source.

Remote Moderator

Trained remote moderators will be assigned on the spot by the EuroDIG secretariat to each session.

Reporter

Reporters will be assigned by the EuroDIG secretariat in cooperation with the Geneva Internet Platform. The Reporter takes notes during the session and formulates 3 (max. 5) bullet points at the end of each session that:

  • are summarised on a slide and presented to the audience at the end of each session
  • relate to the particular session and to European Internet governance policy
  • are forward looking and propose goals and activities that can be initiated after EuroDIG (recommendations)
  • are in (rough) consensus with the audience

Current discussion, conference calls, schedules and minutes

See the discussion tab on the upper left side of this page. Please use this page to publish:

  • dates for virtual meetings or coordination calls
  • short summary of calls or email exchange

Please be as open and transparent as possible in order to allow others to get involved and contact you. Use the wiki not only as the place to publish results but also to summarize the discussion process.

Messages

Video record

https://youtu.be/EOL6M655fkI?t=6928

Transcript

Provided by: Caption First, Inc., P.O. Box 3066, Monument, CO 80132, Phone: +001-719-482-9835, www.captionfirst.com


This text, document, or file is based on live transcription. Communication Access Realtime Translation (CART), captioning, and/or live transcription are provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings. This text, document, or file is not to be distributed or used in any way that may violate copyright law.


>> VLADIMIR RADUNOVIC: I guess it is a structural Mediterranean time. We can wait for a few more minutes for others to join in this room and then physically start.

>> Sure.

(Pause).

>> VLADIMIR RADUNOVIC: Okay. Shall we start? And anyhow there will be a recording and we – people will join in the room at some point. We should probably read the session rules just as a reminder to everyone.

Enter your full name and raise your hand if you want to ask a question or signal in the chat. It is easier to raise a hand so I can spot it. You can get the chance to speak when appointed. Switch on the video if you can. Remind yourselves of who we are, particularly for those in the room.

Chat will not be saved but we will bring in things from chat. So use chat extensively, even to run separate discussions. And do not share the links in the Zoom meetings, not even with your colleagues. That’s the rule of EuroDIG. Give us a hint and then we can find ourselves if there is a need.

Welcome to the workshop called How Can Collaborative Standards Development Support the European Cybersecurity Agenda. It seems to be a mix of two topics. One is the regulatory framework – policy framework and strategic framework. And the other one is standards, more a tech issue and that’s what we want to try to cover this time. Commonly, when this sphere even dealing with digital issues, somehow understand the standards are rather for geeks, which is not far from true. On the other hand, when we see the news like the EU agreed on the standard for mobile phone flag we are all happy. We understand. This is precious and this is needed.

And, of course, I mean standards underpin all of our technologies and other products. Speaking about the wine, I’m sure there are quite some standards over there as well. What is important in digital it is standards are an important part of cybersecurity or staying secure and safe. And it is not just about products and protocols as we’ll see. It is about procedures, about organizational policies. There are many, many aspects of standards that we are going to try to reveal today more.

And maybe standards were not that visible or important for many beyond standardization communities and maybe cybersecurity narrower communities. It was – it is done mainly by the engineers. That seems to be changing more and more. Also because of politicalization, many of the digital issues, including standard setting processes in cybersecurity. And at the same time we have Europe which is basically leading the front on cybersecurity regulatory frameworks, policy frameworks. There are a number of mechanisms, instruments popping up in Europe which are touching on cybersecurity. And any of them in one way or another related to standards.

There is a number of questions that we want to open today. See how far we get. For instance, how does that regulatory framework in Europe connect with standards. What is the role of standards. What is the role of regulations and how do they interplay together. Who should be involved and how do we work together in both regulatory shaping standards and standard shaping to help the regulatory framework. How do we get onboard different parties from legislators to the open source community. And if you imagine putting them together, it is already quite a schizophrenic situation on how geopolitics impacts. Try to go through that.

My name is Vladimir Radunovic from the DiploFoundation. I will be the Moderator of this session. And I have the great pleasure to introduce my core panelists. But the discussion should be interactive. I will start with the list I have here and read the positions just to be sure I don’t miss or misinterpret.

Jari Arkko, Ericsson Research and IETF architecture board. Slawomir Gorniak, senior cybersecurity expert, European Union Agency for Cybersecurity, welcome. Thorsten Katzmann, cybersecurity standardization at IBM. And David Tayouri, Chair IEEE SA cybersecurity for agile cloud computing industry connections program. What a pity it is that it is – it seems that we are missing ladies here.

And I hope we’ll get some more ladies from the panelists and others in the room. The format of this discussion should be interactive. Feel free at any point to raise a hand and jump in. I will try to make sure I give the floor to anyone at any point. There are two subquestions, what is EuroDIG doing in terms of regulatory framework that touches upon standards? And the other one, what are the standards currently? What are the advances and pros and cons or gaps when it comes to standards in cybersecurity?

I will start with this first question and where are we when it comes to the regulatory framework. And there is a number of acronyms. If you allow me, you have someone who is official from the European Union. Can you help us map what is on the table of regulatory or strategic setting of views? How does that touch upon standards?

>> SLAWOMIR GORNIAK: Thank you. It is a very broad question I would say. That probably could be a subject of the whole half an hour of presentation. But to summarize it somehow, well, the policymakers at the EU level have a number of instruments at disposal to improve cybersecurity in general. So we can start by the top going from the international Treaties and agreements, going through EU legislation and national legislation passing by policy statements, strategy, and then starts the standards on this. It is good practices and awareness raising.

So there is – it is important to choose the correct instrument for the correct – for the concrete problem. And here the standards are well suited for those problems that require a normalized approach. This is something that’s important to mention. So at this moment, well, the cybersecurity standards, it is a very kind of tricky name because basically the question is still open like what is a cybersecurity standard. Because we have a lot of standards that somehow cover or touch the area of cybersecurity, but well, until very recently these standards were mainly directed to safety, not security. Not cybersecurity.

But standards when it comes to regulatory framework, standards were, of course, used for some time. Europe has the whole regulation, 1025 that’s touching upon, that is setting up standardization framework. And how it is – how the standards let’s say help all the areas covered by legislation, but then here when it comes to cybersecurity itself for a long time we did not have a lot of regulatory acts that are – that were related to cybersecurity.

Only recently we start seeing these regulatory acts popping up here and there. So it started with a nice directive. GDPR to some extent touches upon cybersecurity and other ones that were following. So cybersecurity, the act, that’s setting up my agency, ENISA and the certification framework. And now we have a plethora that’s under development. There is EI version 2. So regulation on electronic identities and antitrust services. Chips Act and this new pieces of legislation actually mention in many places, first of all, requirement of certification of services, products, and processes. But also they mention the importance of standards as the basis of this certification.

So all of these acts that I mentioned actually somehow mention the standards. And mention the necessity of applying specific cybersecurity related standards in order to fulfill some of the Articles (no audio).

>> VLADIMIR RADUNOVIC: You got muted. Unmute yourself once again. There was some background noise of the keyboard coming from you. So that might be. Can you unmute yourself? Or if anyone can unmute him? Let me see. Can you unmute Mr. Slawomir Gorniak? Should be okay now.

>> SLAWOMIR GORNIAK: Yeah. Now?

>> VLADIMIR RADUNOVIC: Yes, it is good. Thanks.

>> SLAWOMIR GORNIAK: Sorry. I don’t know what I touched here.

>> VLADIMIR RADUNOVIC: It is okay. No worries.

>> SLAWOMIR GORNIAK: Yeah, what I was saying was that I – so we have this situation that actually finally after many years European legislation starts being kind of – started forming an ecosystem. So from like an ocean of cybersecurity and some islands here and there, we start having like a common line of regulations that regulate cybersecurity issues around Europe. And all of these acts are mentioning standards and the importance of standards. So there is a really big challenge now for us, policymakers, and facilitators of implementation of policies. And on the other side to the developers of standards to make this ecosystem somehow move in the correct way.

>> VLADIMIR RADUNOVIC: Thanks. We will get to more of this interplay between legislation and particularly EU standards. And you raise an important question which is probably the right one for Jari and Thorsten maybe to start with. You said that we don’t know, what is cybersecurity standards exactly today, right? It is sort of not a new thing but not so clear what it is.

So maybe Jari, that’s a good question to start with you from your side from the standardization setting communities. What are cybersecurity standards exactly today? What are we talking about? Just unmute yourself or maybe they will have to unmute you, try to unmute yourself. Yeah.

>> JARI ARKKO: I thought – anyway, so that is indeed the beef here. Like what exactly do we need. And what is this technology that we need to standardize and how does it then – we can separately discuss how it interplays with Government and so on. But what do we need. And I want to start from sort of personal angle on this because I have been working hard on sort of the communications ecosystem on various fronts. And, for instance, in the Internet community, we spent the last seven or eight years improving the communication security and turning on encryption and confidentiality and integrated protection and all the communication.

Actually it was a pretty spectacular change. It happened for various reasons, many motives happened to align at the right time in the early 2010s and then in a matter of a couple of years we went from 20% encrypted traffic to 80%. Now we are closer to 100%. I’m really proud of that achievement actually. And we can also be happy about that.

But it has for me at least personally highlighted like where are we and what do we need to do also. And, of course, like different communities they focus on different things. Internet community works on Internet standards. Mobile works on mobile standards. I think we are sort of on the way towards protecting communications.

But maybe there is more in gaps in other areas, like how do we protect like your data when it is at rest or in use. And can we trust the other party at the other end. Can we defend against those attacks. Can we guarantee availability and resilience. And I think there is a lot of questions in this area that I think haven’t gotten enough attention on some parts of the community at least. I realize that there is communities, et cetera, in those issues as well.

But I think that’s one area where we probably need more work in the future.

So why don’t we start with that and let others continue.

>> VLADIMIR RADUNOVIC: Thanks a lot. And it is maybe a good basis for the question, Thorsten, you can build up on what Jari mentioned. But having your experience from the corporate sector basically, how do you see – because it seems or it should be that it’s the industry that basically sees what the trends are. And then try to introduce standards in the engineering community within it. How do you see the standards? And what are the new things that are still under the radar and should be more visible?

>> THORSTEN KATZMANN: Well, who is the one to decide what standards are needed? It is not just only these industries or the – let’s say the manufacturers or the software developers. It’s – it should be market driven and who is the market. It is all the players. It starts with the industry, but you have also, of course, the users. You have the authorities. The whole spectrum who should decide on that. And that’s common practice in the ISO world or in Europe where CENELEC and ETSI are active.

So we think it should not be only the industry to look forward and to decide what is really needed. So that’s also related to the question, what is a cybersecurity standard or a security standard. Jari just mentioned encryption and other technologies. But we think you should look at cybersecurity more wider. And you need to take a holistic approach. So how to – what about the organizations?

Here management systems standards come in to place. We have seen the ISO/IEC 27000 series that covers a lot of aspects here in general and for cloud computing and so on and so forth.

Because what we see or my colleagues also experience in the daily life is that we will – we build a good system. We test it. We give it to the customer and we tell them oh, you need to change the testing counts. So you have to delete them. Change the passwords. And when the colleagues come back to the customer one year, two years later, they discover that these accounts are still there.

So it’s – it is only one example. But it makes clear that we not just have to look on the technology and then to have – to standardize because we need some interactions, interoperability is really important because no one is really coding or designing a product on its own. You have a supply chain. So you have to interact with various players under other companies, other products.

So that here you need really the functionality and the interoperability. On the other hand, as said you need to manage your whole organization. It is a company or an authority, whatever. And here we see also the need for a standard. There are already standards. And so yeah. Back to the basic question, what are cybersecurity standards. And I – in the meanwhile I had to look on the ISO page for the technical community, the joint technical community one. They have a subcommittee 27. It is called Information Security, Cybersecurity and Privacy Protection. And you have really a wide, wide range of standards from describing very generic methods, providing guidelines. And the other hand of the scale, really going in to technical details of security mechanisms and so on.

So in their standard catalogs they list 220 published standards. That’s really a lot. And also almost 70 new standards under development. So that’s roughly 300 standards only from them. And really covering a huge and a wide scale of aspects that we think is really needed to work on cybersecurity, yeah.

So take the question again. So what’s the standards? Is it only on technology or is it on the organizational aspects, on procedures providing guidelines? We think all is needed. And here in Europe and you started with the aspect of standards supporting the regulatory frameworks, legislation here in Europe. Then, of course, it is only a subset and a dedicated list of standards that will be assigned by the European Commission to a certain – to a legal act.

So, for example, the radio equipment directive, there is now a new standardization request out for the – for CENELEC to draft various standards in support of this directive. And this will be listed in the official journal of the EU where you can really look on that and you will find with that. And here is the – is the mechanism of the new approach, nowadays called new legislation framework come in to place.

So what do we need to do? We need to do – follow the law. Products must meet all the requirements from the law, given by the law by the radio equipment directive in this case.

But if you look at the text you will find it’s not very, let’s say, very detailed. So the technical community will say okay, we need to secure the product, but if I do this or that, is that okay. And here and in Europe we can go a step more in detail and look at the standards.

And when we apply those standards for the products we can be sure that we apply to the law. That’s a very good mechanism. We know that for decades, for product safety, for electrical safety, it is working very well there. And I think it is a good idea and a good approach to apply this mechanism also to cybersecurity and also to other area – technical areas, yeah.

>> VLADIMIR RADUNOVIC: Thanks. I think – I like that you uncovered even more where we are talking about, definitely not just technical ones. If you remember 90% attacks or breaches end up because of human error. Moving accounts and simple things. Really, really important. But you raised an important thing that I wanted to touch on. You wanted to reflect on this.

>> SLAWOMIR GORNIAK: Yeah. I mentioned this question, what’s the cybersecurity standard. There are other Committees that are working on cybersecurity standards.

>> THORSTEN KATZMANN: Sure. It was only one example.

>> SLAWOMIR GORNIAK: This is cyber from ETSI and JTC13, from CENELEC and so on and so forth. And the important question, I mean important matter that also you mentioned it is like what are the areas covered by this cybersecurity standards. So, of course, there is security feature provisions that are like technical standards. We have security assurance that it is all common criteria work and things like that.

There are organizational management, like all these 27000 series. But there is a plethora of standards that touch upon cybersecurity. But let’s say cybersecurity is not the fairest goal somehow. And I have the impression that the standards that are developed by these committees, let’s say, also not always stick only to pure cybersecurity. But that’s kind of my –

>> VLADIMIR RADUNOVIC: That’s a good point. That’s a good point you mention. There are a lot of actors there. And secondly, not necessarily cybersecurity is their narrow focus. I’m bringing back to what Monika asked in the chat. In a way the question is how could politics help standardization work. A step before that is what’s – what are the gaps when it comes to standardization work in the sense of as you mentioned the focus or the focus of organization, the wide scope of what we need to cover. And then the implementation, which seems not to be so easy, particularly for those emerging businesses, small/medium enterprises and so on.

David, I want to bring you here with some of your experiences and research that you did. What are the main gaps that then maybe we can look at, whether the regulatory environment can help bridging or if it can.

>> DAVID TAYOURI: Thank you. So I want to present the problem and the solution with an example of an area. So let’s look at the enterprises in general and the SMEs in particular and their perimeter. A few years ago, the perimeter of an organization was usually physical so we can secure it with physical means, et cetera. And secure the network with firewalls, ideas and other tools. But today, employee – some of the employees work at home. Some of the assets of the organization is in the cloud.

And so the attack surface is, of course, larger than before. It includes the enterprise’s premises, the service provider, the end points that can be employees, customers, suppliers, et cetera. So the perimeter has changed. The method of working and accessing data and applications have changed. And should understand the risks, what are the risks that all these changes brought to the organization.

But this is not an easy task. So this is the point that standards and the question can help. Just mentioning that in the IEEE as a group for the last year, we examined the different technologies regarding the cloud security. And also serving the existing standards regarding this subject. We found several gaps. We saw that most of the technologies for securing the cloud are fulfilled, but there are some gaps such as the end point security. There is no specific standard regarding that. The CASB, the Web app which is the user on entity, behavioral analysis and also the cloud forensics which there is something that’s no specific standard covering it. But the point I want to emphasize when it comes to security, in particular the cloud, regulation is a must. Why is it a must? Because look at the SMEs? Most of them are not aware of cyber risks. And those that are aware of cyber risks will have a hard time finding cyber experts that will help mitigate those risks.

They trust cloud service providers. But how this trust can be enforced. And this is the role of the regulation or the regulator that should enforce this trust. And how can regulators do that. And the answer is, relevant standards that are defined or should be defined to fill in the gaps as I mentioned. And by combining both things, the holistic standard for again cloud as an example but for all the fields of cybersecurity and enforcing those standards in particular for the SMEs that don’t have the relevant or the required resources to do it themselves. It is very important. And it should be done.

>> VLADIMIR RADUNOVIC: Thanks. And thanks for scratching the surface of what are the gaps. But I think what you mentioned in terms of the changing environment with surface is different, and then the rules. And I remember when we did last year within this Geneva dialogue on responsible behavior project we were looking at security of digital products and the industry that’s producing them and how the standards interplay with that. There are a number of gaps that were identified which is awareness of standards. These new actors, open source community with creating a lot of code and SMEs that might have to implement.

They might not have the resources because some of those standards are costly in terms of money and time. And then there is also the question of effectiveness. We see a number of cyber attacks not listed where companies had all the compliance possible but it didn’t help.

So back to the question of Monika asked and then you can maybe start on the others. Again, how can – Monika put it quite interestingly. How can politics help standardization work. It doesn’t have to be politics. But we do see that a number of pushes by the EU is driven by this security perspective generally, even geopolitical, national security if you wish. How can the European regulatory framework help the efficiency of standardization. We mention in prediscussions, laboring schemes. Then I think okay, the training things, bill of materials, procurement, guidelines and so on. Any tips from your side? And then I will open it to anyone who wants to comment.

>> DAVID TAYOURI: Okay. So I will refer to two points. And then we’ll let my colleagues continue. Regarding the open source, I think it should – it will be problematic to enforce regulations because the essence of open source is that someone or some additional entity has adopted something that’s useful. And since it is useful, many other people may extend the code and other people will use it. These different entities extend the original code. Maybe others support the code. And many other entities use this code.

So in this matter I think enforcing the standard will be a problematic thing. And this can be let’s say achieved, the security of the open source and things can be achieved by the users and without the regulator in this case, in this extent. Because the – if we will raise awareness regarding the security aspects of the open source to the users, they will know that they should know where the open source, who is the people that contributed to. They can use these different technologies, scanning the tools or making sure that the code doesn’t include any matter. And this – with other clues to find if the code has some vulnerabilities that can be dissuaded. There are methods. And I don’t know if you can call it regulations or policies, but they can be achieved with the security, cybersecurity of the open code can be achieved even without the standardization.

Regarding the other thing, there are many standards that are overlapped. So my view is that in any particular let’s say subject, in the – if we had a perfect world, should be one standard. That can, of course, be defined by maybe different entities that have something to contribute, to be standard, but for the sake of the people that want to consume something that is relevant to that standard, it is better that it would be one standard that covers everything.

And it is better because instead of having more than one standard and thinking which is the better one, or maybe wanting to have all the standards. And we all know that complying with standards requires resources. So if there were one standard for each subject, it would be better, and not only in Europe.

Let’s talk also about the international level. You know, in the last 25 or 30 years we have become a global village. We cannot talk about standards that are relevant only for Europe because many things go from one country to another country. We talked about the code, open source. All the supply chain can come from different countries.

And there are many other things that if you think of it, it is – in Europe, of course, lead the standards. Maybe with the collaboration with other standards entities. But if there could be one standard for each, that – to reach the field, that can cover everything, it would be perfect.

>> VLADIMIR RADUNOVIC: Thank you. You actually show an interesting provocation on this overlap of standards or should we have one standard or more. I will use it for the last part of the discussion, ask if you agree on this beyond Europe and the global aspect. We will get back to that in a second.

Let me for a moment keep on the interplay between the regulatory bodies and regulators and standardization communities. I have a raised hand. Wout. I don’t know if you can unmute yourself or we have to unmute you.

>> WOUT: Yes. Okay. Thank you. And hello all. I have got a very special question that we have been talking about these official standards. So basically standards that you have to adhere to. When you met them all you have this. You are working on your own organization. There are a lot of Internet standards and related best practices that are around for sometimes over two decades which are totally voluntary but not being implemented or deployed as they call it.

So how can we assist companies and Governments and even individuals to make sure that the organizations and the developers have to adhere to these standards? So, for example, the top ten for (inaudible) or Internet standards that you can have a secure e-mail system or a routing system. How could we assist companies and Governments to demand these securities to be in place just like they are when you buy a car or when you enter a plane? I don’t have to go through all the checks myself before I can fly. Why should I be forced to do that as an individual when I buy software or an IoT product?

So what would be a next step here? Would that be legal? Or would that be through societal pressure somehow to make sure that these Internet standards and related best practices get more attention.

And I forgot to introduce myself. I usually – I’m Wout and I’m the coordinator of the IGF Dynamic Coalition on Internet standards, security and safety which strives to deploy a widespread use of Internet standards and related best practices. So thank you for the opportunity.

>> VLADIMIR RADUNOVIC: Very, very interesting and important question. I think you made the whole thing even more complex. We had the big scope and number of entities working on this. And we have these voluntary standards which are useful. The question is should we push for them or find another way for those to be closer to the users and the communities. Jari and then Thorsten. And if anyone wants to jump in to the discussion, please do either in chat.

>> JARI ARKKO: Thank you. I didn’t get to the line for answering your question. Maybe I can try to do that as well.

I got in line to speak a little bit about what the politics can do, what the Government or regulators can do, and to answer Monika’s question. And I think there are two things. One is to A, listen and be clever. And B, you know, think about the level at which you regulate. And I’ll try and expand on both of these things. So the first thing is that the standards space is complicated and technology is complicated. It is not always obvious what’s the right thing to pick for us in the companies to implement or for governments to mandate. So it is really tricky. It is essential that we pick the right thing. And we have found that often it is the case that multiple incentives work together to push something. Very recently the IETF published a standard on a new transport which is called QUIC, which provides much more security, encrypting the headers, for instance. It provides also performance benefits. So you get going much faster with this protocol. And also better security.

So that’s been sort of an important thing. And that’s just, of course, one maybe silly example, but it is important that the Government understands the incentives on different trends. Like why would this deploy. Why would that deploy. What’s the need from the users. What’s the need from the service providers. Are there any other parties that are affected. And try and understand, try and leverage those things. When there is desire to provide better privacy and better performance and some other security benefits.

Then you have a winner. Listening is important in collaboration with the whole ecosystem.

And then the other aspect, well, maybe I will try and go to Wout, your question actually. So you brought up that there are lots of voluntary standards. That’s not just Internet but many other things. So there are some sort of Government directed or official things in some sense. But a lot of the world runs sort of on industry or user driven standards. And they choose to use them because those are the things that best fit their needs.

And so just sort of confession, I have some Internet standards that I’d like to be more widely deployed. IPv6 is one example of that. And I think there is good reasons for doing that. But I think we are generalizing a little bit too much. There is security things that don’t get implemented. But it’s not that simple. So routing security, for instance, is a hugely complicated topic. It is not a question of why don’t we, you know, tell the companies to do this thing.

It’s a hard problem. So, you know, there isn’t necessarily all the solutions on the table that we would need because, you know, research hasn’t come up with everything that we would need.

So that’s one side of it. And in other cases there are other solutions that are 90% of the end goal. Like DNS security, I would like that to be more implemented. Most of the benefits – you get them from TLS or HTTPS. You know, you are talking to this website. It is complicated, I think, is the answer. Thank you.

>> VLADIMIR RADUNOVIC: That’s a good answer, it’s complicated. But on the other hand I – you mentioned in the beginning, we are coming close to 100% of encryption which there are things that are progressing. We don’t actually realize the progress we have made because we always look for getting more. So maybe we should also be more visible on what we achieved thus far.

>> JARI ARKKO: We should be happy about some things. It doesn’t mean that we should be happy about everything. I don’t sleep well at night because there are some things still not fixed.

>> VLADIMIR RADUNOVIC: Yeah, that’s true. Another thing that you mentioned which I think goes back to Monika’s question and part of this discussion, is understanding the needs. Who is shaping these needs. Is it – I guess it is certainly as we discussed it is a mix. But there is more and more of the Government’s needs. I don’t know to what extent in the past. Probably not that much because most of the standards about efficiency of the Internet was mostly the geeky thing. Now the Governments have the wrong requirements and probably this listening to the needs what you mentioned it is quite a tricky thing.

>> THORSTEN KATZMAN: Yes. When I saw the question, how could politics help standardization work, my initial thought was really keep the dialogue. Listen to the standardization community but also – and that’s not just the standards, right? Us, the developers, but also the users of the standards. As already mentioned several times today, standards work is complicated sometimes and not easy to understand. And really need some time to do it and efforts.

And so yeah, my advice would be go in to the dialogue. And we know that politicians that keeps the dialogue well understand those problems. And are more open to reflect on the limitations from the regulatory side but also what is the limitation from standards. And here, we come in to play the question from Wout. So we have the official – the standards work that’s used for supporting regulation for various reasons.

And this official standards and as explained usage standards and your – for fields of law, wonderful mechanism here. But what about the other standards. Yeah, my thought here is where is the benefit. If there is a benefit, maybe only you receive more secure products or you have also another benefit, it is quick, whatever. Usually companies will take that up or on the other hand, the procurer or even the private consumer will demand for those products who are using those standards.

So that’s what we see all over the place. And yeah, also I agree we need to not just to look what is still to be achieved. What is still open. Where are the gaps. But also on the other side what have we already achieved. We will see that we did great steps in the past.

All right. There is still a long way to go. And this route will never end because technology develops. Develops all the time. So that’s a big challenge here, especially here in cybersecurity. So products that is seen as secure today may be not tomorrow because a new gap is discovered and used for criminal attack. So this is always a moving target here. That’s really a challenge also for the standardization world.

>> VLADIMIR RADUNOVIC: That’s interesting. Because that’s something that politics might not always be able to catch. I must admit, when you started speaking about how politics can help, I thought your response would be stay away from standardization.

This is a good lead-in to you from the regulatory perspective to some extent.

>> SLAWOMIR GORNIAK: Yeah. Thank you for this. I wanted to jump on this question of whether the standards are voluntary or mandatory. So the beauty of standards is that normally they are voluntary. So it is something that people would like to use normally, unless it is a company that has a predominant position on the market that actually doesn’t care about any standards. But standards help for achieving interoperability, the common ecosystem in cybersecurity. Unless the regulations require the use of specific standards, they should advertise themselves, in my mind. The certification of cybersecurity devices, products and services that Europe has established is voluntary unless mandated by other legislation.

Until now there are no examples of mandatory certification for these entities. But it might come one day. Whether this helps I don’t know. It was mentioned that standards are something that are depending. Technical standards might differ. It is something that is somehow reliable and can last for many years. Of course, practices differ. For example, practices for fulfilling the standards can differ. But it is a layer above. So when it comes to mandating standards to be used, I am not sure what gives a good result. On the other hand, a certification framework that’s based on good, reliable standards is something that can contribute to cybersecurity.

And another thing also, the question of these private standards was mentioned here. So technical specifications issued not by official standards developing organizations. The practice shows that working on real standards takes a lot of time. So from the beginning of a new work item until the development of the standard, sometimes even two years can elapse. One year is kind of a minimum, while these, let’s say, technical specifications or guidelines that are developed among a smaller number of stakeholders are much more agile. So it means that they can be produced in much less time. And produce equally good results in some places.

So the cybersecurity act, the main act of establishing, for example, the certification framework in Europe does not really foresee – does not foresee to some extent the use of these specifications, but I think this is something that needs a closer look as well.

>> VLADIMIR RADUNOVIC: Thank you. You can unmute yourself I guess.

>> DAVID TAYOURI: To add to what Slawomir said and what Jari mentioned before, when you buy a car you look at safety stuff. Four or five stars. You decide if you want to invest the required, additional money to get better safety. But this is not the case for cybersecurity. I’m not sure if you remember, but today in any car manufactured from two or three years ago, a regular car, there are between 30 and 150 little computers used. And this makes the car very vulnerable because these components communicate with each other and also with the ongoing, in-progress infrastructure, the lights, signals that are all becoming connected.

So the cybersecurity of the car is not less important, let’s say, than the safety. Because if an attacker manages to attack a car, it can cause the same damage that an accident can cause. And today there is nothing that lets the user know what the cybersecurity stars or the score are. And there is no regulation. So in this sense I think two things should be done. One is awareness, like the safety that has awareness. Users should know there should be a cybersecurity score or star that presents what’s the cybersecurity score of the car they are going to buy.

And second is the regulator. Some safety things are optional and some safety things, like the air bag, are required by the regulator. The car should have this kind of safety thing. So I can give an example in Israel: a few months ago a law was approved. Any ITS, any intelligent transport system, should be checked against cyber attacks. And the regulator will give it a certification that this system has gone under relevant attacks, cyber attacks, and passed all of them. And then it gets a certification. And I think this is the path that the cybersecurity, for instance, should go. And again it can be generalized to other domains of cybersecurity.

>> VLADIMIR RADUNOVIC: Excellent. And I think this is a good example of practical, useful regulatory framework or policy we can see which is for certification schemes or labeling schemes that we see in many countries popping up that help the users to understand like consumption, what’s the security level. So we refer not – we are not experts. We understand that someone was behind checking and saying this is level B and level C.

We have a few more minutes. I want to get a perspective back on the question on beyond EU. You have touched upon that already. But I can use it as a provocation when you mention overlapping standards. On the other hand, you have governments more and more stepping in to this and deciding on different standards; one in China and one in EU and one in Emirates.

What do we do about it? This drives us to the question of global perspective and then the geopolitics that play the role in this global environment. Maybe I can start with Jari. A quick reflection on this global perspective of standards and beyond.

>> JARI ARKKO: That’s a good angle. I’m on the global angle. From an end user and business angle, for instance, from the business angle I work for a large company, but even if I work for a small company we try to sell to the global market on our particular area of expertise. And it is good for us to sell to the whole world and to be – we don’t necessarily appreciate local standards. That will complicate things. I realize that the world is complicated. And there is geopolitics in everything. To the benefit of business and benefit to the world at large that we have economics of scale and competition across the world.

And a lot of things to choose from. And also from an end user perspective they usually end up taking the thing that’s most appealing to them that might not be from your local region. So I think the global standards are hugely important. One vote for that at least.

>> VLADIMIR RADUNOVIC: And then also a question, what are the pitfalls of that in geopolitics generally. I don’t know, if you want to have a quick reflection on this global opposing points or where we are.

>> JARI ARKKO: Yeah. There are pitfalls. The interests don’t always align. And there is more destable industry here and that type of industry over there. It is challenging just by standards making. For instance, even at the local scale it is challenging, but it is even more challenging at the global scale. You might not get what you want. But then again you can have an influence on the thing that gets used in the world. That’s why this makes sense. But yeah, there are drawbacks.

>> VLADIMIR RADUNOVIC: Anyone else who wants to comment on this global character?

>> THORSTEN KATZMAN: Well, I can only second what Jari said. So standards development is – it is not an easy work and sometimes very frustrating. And especially if you look on the international level. But on the other hand, you have the big benefit that with that you have at least one level that applies to all. It is really widely used. And to Dave, you can buy your products, your devices everywhere. So via Internet e-commerce it is no problem to get the things from all over the world. And clearly not designed for your country. But you get it. You use it. Maybe not you, but others.

And there we start to create a new risk. And with that, I think Jari is absolutely right. It is better to have this minimum level than nothing. You can build on this minimum level from the international work. And for a global acting company, of course, it’s a huge mess if you have to look on let’s say 120 countries in the world with their own standards and so on.

So it’s much easier if you only have to see that the EU with 27 Member States, you look at one standard and you got it. And if this standard is very much aligned with an international standard, you may have also the U.S. and Canada and so on onboard. It makes life much easier. The risk of producing new gaps or vulnerabilities in your product is much reduced if you can work on this international level, even if it is a minimum. At the end it is a good start.

>> VLADIMIR RADUNOVIC: Thanks. Thanks for the note in chat on difficulties when it comes to deployment of technical standards. A quick question to David, Slawomir, if you want to close up the session. End with Slawomir since you were opening the session.

>> SLAWOMIR GORNIAK: Thank you. I welcome the discussions and they are really nice. It seems that we still have a lot of problems when it comes to perception of standards, like shall we use them, shall we like provide for more flexibility, which kind of standards should we use. But well, of course, I mean I’m from the side of regulations somehow. I’m from the European institutions. Although here I see a bigger, how to say, subject for discussion, like how to treat the standards and actually how to make on one hand how to produce good standards. And secondly, how to make this standard widely used and if they are good.

Of course, we could say that if the standards are good they will be used. But it is not that simple. And so sometimes regulations help let’s say in choosing the correct instrument. On the other there is a lot of – there is still a lot of work to be done.

The fact that now all these new – I mean European Union really sees the importance in all these. Something that certainly we will not escape from. So I mean as closing words I would say it is like well, I really wish all the EDOs, SDOs to produce good standards that will be widely accepted by the community. And will serve their purpose at the industry level as well.

>> VLADIMIR RADUNOVIC: Yes. I would say anything from your side is a conclusion, David?

>> DAVID TAYOURI: Yes. Two points. I think that standards and regulation are two sides of the same coin. We need legislation to enforce the policy. And the policy is the standard. So needs a standard to enforce what’s required for cybersecurity.

Second thing, regarding the European and international: I gave an example of the cars, but there are many more fields where this kind of collaboration between Europe and the other standardization organizations is very important. For instance, let’s say airplanes, again we can talk about the safety. But there are also security challenges in the airplane. And where the airplane is, the airport, and communicating with other systems in the airport. And I started with the cloud. So when you are exiting the cloud and something happens, you need forensic analysis, but the cloud is not placed in one place. It can be in many countries. It can be all over the world.

So I’m not saying that it is easy. But the collaboration between the whole organization and all the countries is very important. So that we will have the relevant standards that can be applied to any country all over the world. And we need regulation to enforce those standards.

>> VLADIMIR RADUNOVIC: It serves as a good conclusion. And a couple of other points in the chat. We could have a provoking question, can we conclude that current technical standards deployed more widely would have a better success of global deployment?

We will stop there. I will just remind everyone that there will be a report from this session on the digital workshop observatory in EuroDIG. I hope you get the gist of the discussions. And there will be a recording for those who might have missed that we want to get back. Thanks to all of you for joining. Certainly the organizers and hosts. I hope you get some wine.

>> DAVID TAYOURI: Thank you. Bye-bye.

>> SLAWOMIR GORNIAK: Thank you, bye.

>> THORSTEN KATZMAN: Thank you, bye.