The following are the outputs of the captioning taken during an IGF intervention. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid, but should not be treated as an authoritative record.
***
>> CARINA BIRARDA: Okay, we are going to start. Good morning, everyone. Good afternoon, good night. I want to express my gratitude for joining this workshop Quantum-IOT-Infrastructure Security for Cyberspace. It is an honour to engage with such colleagues. I'm Carina Birarda from Argentina. Member of the Advisors Group of IGF Best Practice Forum of cybersecurity and passionate about the technology on all things related to digital protection.
As we know, in recent years we have seen an increased threat of cybersecurity incident which is showing consistent, global interconnection depending on technology and description of as a service as a key factor behind the trend. Maybe we have more work. The lack of adoption of internationally recognized cybersecurity best practices is one of the fundamental challenges.
Recognizing cybersecurity as a global issue is essential as cyber attacks do not respect borders or officials. Organisations at the UN, the Forums, IGF Forum promote internationally recognized cybersecurity standards.
Sorry. Such these cybersecurity frameworks and ISOC 27,001 security guidelines which provide a solid framework for protecting digital assets. Collaboration and international cooperation are equally essential as cyberattack also has actors operating in multiple contexts. Shirring information about cybersecurity is entitled to establishing the fight against these attacks.
In summary, the increasing international cybersecurity incidents is a challenge that requires global response. The adoption of the cybersecurity perspective is an international collaboration and fundamental pilots to address these growing threats and protect can all assets and increasing interconnected world.
In order to determine the best practices can be implemented, it is essential to understand the threats we are facing.
So we have two opening questions for all the Panelists which are as follows: Number one, what are the living cybersecurity increases threats that -- sorry. Across the IoT critical Internet infrastructure and web and technologies and what are existing best practices to counter these threats.
Number two, how can diverse stakeholders including the IGF community, respective Forum on cybersecurity District of Columbia and other relevant sphroorps cooperative to the development and implementation of these best practices?
And number three, in the context of the continuity involving cybersecurity landscape what key considerations are essential to ensure safer and more trustworthy Internet for our uses in all these areas?
I kindly request that each of you introduce yourself. And you have ten minute limit for your presentation. Number one, please, Wout de Natris? Thank you.
>> WOUT de NATRIS: Thank you, Carina. My name is Wout de Natris. I am a consultant based in the Netherlands. And as such, I am the Coordinator of the dynamic coalition that the IGF called the Internet standards and safety coalition. This coalition has one primary goal that is to make the Internet more secure and safer for all users. Whether public, private, or individuals.
We do that through different working groups and these working groups focus on different topics on the topic of cybersecurity.
So we have a topic called Internet of Things, so security by design built into the Internet of Things. I'm sure that Nicolas will tell more about that later. We published the first report yesterday morning here in Kyoto, which can be found online.
We have a working group on procurement and supply chain management. And I think that is going to focus on more of that in a moment. We have one on education and skills to make sure that tertiary education delivers what industry needs in this field and not calls progress from 20 years ago.
We have would be on data governance. We have one on consumer protection. We have a worg on emerging technologies and one on deployment of two specific standards. But then focusing on not the technical side but on, I'm sure also what we are discussing here is not about the technique. It is about political, economical, social, and security choices that we have to make in a society.
I think that what we try to aim to do and I think that answers one of the questions that I heard, is that when governments and larger industries start demanding security by design, when they procure the ICT services, devices, or products, that would mean that any company is not able to deliver these demands. We are not yet big assignments. That would be a major driver for adding everything including IoT more secure by design.
What I think is important to understand is that the Internet works as it does and let's face it it works fantastically. Anybody in the world can at this moment follow us. They can ask questions to us. They can use the chat to interact with us. And it is all because of the way the Internet functions. And the way it is scalable.
But unfortunately when they built these rules, security was not an issue because people were then connecting, were working at either the U.S. government Department of Defense or they worked in some U.S. Universities. Everybody knew each other. So there was no need for security.
And then the world came online on the same principle. Then showed that it was inherently unsecure.
The technical community has made reparations. It made changes to the code that lunes the Internet. That runs the Internet. The code running the Internet is the public core of the Internet that the people talk about.
When you talk about protecting the public core of the Internet, you are not just protecting under sea cables or land cables or server parks. You also are protecting the software that makes it work. And that is the weird thing about this story, that software that makes the Internet and IoT more secure is not even recognized by any governments in the world as such.
So if you talk about standards, they talk about government bodies making standards or they talk about organisations like ISOC making standards, but not about the Internet standards. They are made by the technical community on a voluntary basis. But that is what makes the Internet run. Not ISO, that is an administrative Tikuing box.
So if we get governments to understand that it's the other standards that have to recognize formally as well but also use them when they procure their services, their products, their devices, the world will change.
What is the current situation? The current situation is that there's not a level playing field for industry. When industry is not asked for a level of security built in, apparently they don't do it. And what if I was a single company and I decided I'm going to deploy all these standards that cost me money, cost me time, cost me effort. I have to train people. And the competition does not do it, it means my product becomes more expensive and most likely governments won't buy it because they go for the cheapest option.
In other words, I would be out of business. So there is no level playing field. There's no demand for the big players. There is no interest in deploying it. All the IoT devices coming to the market are usually insecure by design. From that moment on are a threat factor for everybody in society.
So if we don't put this pressure on industry to deploy, nobody will most likely except a few that are more idealistic.
And this is shown in the research that we've done on IoT security by design. I will not take anything away from what Nicolas will be telling us but we found that there is no pressure to make IoT secure. There is no pressure from the outside. We see also in the procurement study we've done, we've analyzed the documents around the world of procurement and if security is mentioned it is not always cybersecurity. If it is cybersecurity, it is seldom on Internet standards.
There is one big example that does, that's the Dutch government. They manditorily have to deploy four different standards when procuring or explain why they can not do that. That is reported to the Dutch Parliament once a year.
So why is this relevant? I think this is extremely relevant because we are discussing our future. IoT also is already among us. AI is among us for far longer than most people realise. And who knows what is coming with the meta verse and Quantum and who knows what is invented tomorrow. Because we are in a society that changes every two hours.
And it looks like that time and time again the same mistakes have been made. Product is invented and it comes into the markets, usually untested for security. So is that something that we should be discussing? That when the new technology enters the markets, at least we test it formally in one way or another. Or not legislate it. You cannot legislate what you don't know. You can at least demand a certain amount of testing.
So ICT in whatever form is allowed into the markets from outside, usually it is almost irrepairable. When they find flaws, it is almost too difficult to repair them. So they remain a threat factor sometimes for decades.
With AI or perhaps with Quantum and the meta verse we can at least demand security from the outset. Demand it before we start procuring this. This is certainly before we buy it.
Large corporations and governments can set that example. When they do, they become a standard and the security will become available for all of us.
So if we make governments and larger industry aware of their role, their potential influence and to provide them with the information they perhaps lack now, they will change the world for us. And that's our ICT's goal to make the Internet more secure and safer by the widespread deployment of security-related Internet standards and ICT best practices.
And if you are interested to join, you can do that at IS3 coalition.org. The three is the number 3. Our reports are there. Also the report Nicolas will be telling about. I think that is about what I would like to contribute for now. Thank you very much for the opportunity.
>> CARINA BIRARDA: Thank you very much. The second Panelist is Carlos. Carlos Martinez. He is online. Carlos, I can see you. Hello, how are you?
>> CARLOS MARTINEZ CAGNAZZO: I'm very well, thank you. Can you guys hear me?
>> CARINA BIRARDA: Yes.
>> CARLOS MARTINEZ CAGNAZZO: Okay. I have like four or five slides that I would like to share. I hope that I can share my screen.
>> CARINA BIRARDA: Yes.
>> CARLOS MARTINEZ CAGNAZZO: Okay. Carlos so I will get right to the point. My name is Carlos Martinez. I work for LACNIC, the original Internet registry for Latin America and the Caribbean.
I have been working for LACNIC for the best part of the last 15 years. And I am currently the Head of technology or the CTO for LACNIC.
One of the things that has initially caught my attention when I started working for LACNIC was the need for deploying two technologies that at the time were just not very well-known, actually. These are the DNSSEC and RPKI. I am grouping them because I believe there is a common theme between them which is securing the infrastructure, securing the core of the Internet.
Wout described, I would say, a bit of a dire situation regarding the security on IoT. But that is one part of things. When you have devices, the devices may be secure themselves. But you still have to traverse the Internet to get information from one point to another.
So I will try to go through this very quickly. When I speak about Internet infrastructure, I am not thinking about the physical layer in this case. Not about fiber, cellular, satellites. I am thinking about what I used to call three pillars of oormtly functioning Internet.
The Internet works, it depends on three functions. One is routing. The other is control and basically the ability of the network to have one packet on ingress and deliver that packet to a destination to the proper destination.
And a complementary function which is the domain name resolution or DNS. The three things are necessary. There is a subtle differences between routing and forwarding. Forwarding is the actual decision of a router when it has a packet that needs to analyze the packet and decide which interface it should be sent off. Routing, which is a control function where the router learns a table that it uses to decide how to forward packets.
Both things are necessary, of course, and are complementary.
So this is a very high level threat overview of these two or three functions. And each you could probably identify more than this. Name resolution, for example, suffers from domain spoofing. Where a server pretends to host a DNS zone that it shouldn't. It is not authorized to hold.
This is widely used, for example, for phishing attacks. Katch poisoning is a very well-known threat to the DNS and where a specially crafted packet can poison in a way a server. And allow an attacker to actually instruct a server to lie to its customers.
This has been widely discussed in the industry and has in a way caused a bit of I would say loss of trust on the part of users. Something that we have been indifferent in different industries and in different ways.
Routing suffers from something in away similar, if you will. Route hijacking is probably one of the most well-known effects on attacks on the routing system where an autonomous system publishes a network it shouldn't. Or it doesn't have authorization to do so.
Recently we have witnessed some instances of Internet instability due to hijacks or to a related situation called route leaks, where there is a network within the Internet that announces some prefixes, but it cannot fulfill the promise of actually carrying the traffic to the destination. This usually happens when a small network announces the whole routing table of the Internet and they basically cannot transport all the traffic that every other network starts sending through it.
So as was mentioned previously, security and some of these protocols was in a way an afterthought. These protocols were created when the Internet was a much, I would say, naive place. And some security had to be, I would say, back ported into them.
DNS, we have the DNS security sections or DNSSEC which introduced digital signatures within the DNS responses. And this allows a reserver to verify a response. This, of course, is not supposed to be a complete explanation of DNSSEC. It is just the general idea.
And RPKI does a similar thing for routing. Again there is some cryptography introduced into the HTTP protocol. Some additional decision points that are introduced in the HTTP algorithm that allows a router based on some signatures, which I'm going to call ROAs which is the name they have, allows a router to make a decision whether the route is a correct one or not.
So again, this is RPK has a lot of complexity that I'm not describing. I don't have the time to get into it. But there is a lot of documentation in the Internet.
So a few considerations regarding, for example, the use of cryptgraphy within these protocols. Some people have the misconception that every time you use cryptgraphy is to ensure encryption or ensure secrecy, in a way. Both RPKI and DNSSEC make heavy use of cryptgraphy, but they do not encrypt messages. They are not intended to provide privacy per se. Maybe privacy is a consequence of implementing these protocols but cryptgraphy in RPKI and DNS is not used for providing privacy.
What is it used for? For authenticating and verify indicating signature chains that ensure eat are a correct DNS response or a correct HTTP announcement. There is a slight difference between them. RPKI requires a well defined PKI. All the complexity that comes with RPKI. The RIRs have taken the role of operating the trust anchors of this RPKI.
On the other hand, DNSSEC uses a simpler chain of trust because it can depend on? Features that the DNS already have. For example, the three-legged structure.
These technologies are basically useless unless the community, I would say, realises that there is a shared responsibility here. In both RPKI and DNSSEC, there is a function which is the signing of the VNS or the routes and the validation. Both are necessary. Signing becomes useless if no one validates. And the other way around.
If you are validating but you have nothing to compare this signature with, again it is useless.
And there is a shared responsibility here. This is probably my, if you remember one thing of what I have been saying, please remember that the message of shared responsibility. In this case, it is something that we need to get across the industry.
Regarding Quantum, the previous Panelist mentioned that security was sort of an afterthought. That is completely true. And there is a silver lining to it, which is that this afterthought was implemented in the form of an overlay. The core protocol remains unchanged. There is, I would say, a layer of cryptgraphy applied over it.
The cryptgraphy here didn't exist before. It was afterwards. It was added in a way that can be replaced. There is a term that is technically used here which is algorithm agility. All these both DNSSEC and RPKI have algorithm agility. When this becomes standardized it will be applied both to DNSSEC and RPKI. I don't have it here in the slide but I have another thing I would like to mention which is that I have a strong position on initiatives that point towards weakening of cryptographic algorithms. They are having some discussions in governments and other fora regarding the necessity of weakening or providing back doors to algorithms. I think that would be a very poor decision to implement something like that.
So that's all I have for now. Thank you.
>> CARINA BIRARDA: Thank you very much, Carlos, for your presentation. Very clear. I am thinking the same. I am support very strongly.
The third Panelist is Maria Locke, she is online. Maria, the floor is yours.
>> MARIA LUQUE: Good morning, everyone. Good morning from Madrid, actually. Very happy to be here with you today. It is 2:00 a.m. in the morning in Madrid.
Today it seems that we are going to speak about software, a key point of our discussion. So give me a second to find my presentation. See if I can share my screen.
Okay. Can you see it?
>> CARLOS MARTINEZ CAGNAZZO: Yes, perfectly.
>> MARIA LUQUE: I think that's a yes.
I would say we are speaking about software. And software is a core of my presentation about Quantum security. First of all, I am Maria Locke. For the past ten years I have been advising national governments, local government INCs and I'm also in Spain. I'm in the European Union. On what to do with modern technologies, for example newer technologies, space connectivity, or Quantum technologies.
And how to do it. So that whatever we do with these technologies can benefit society in great ways. So also I have been working with Quantum organises, Quantum startups. And national Quantum strategies.
For the past three years. I'm very happy to be here.
So the focus of today. Today for me we are, we have a challenge, okay? And the challenge is understanding how Quantum technologies are going to disrupt not only cybersecurity but our entire conception or how we process and how we store and how we communicate information. You may have probably seen in the media the Quantum computing. Its potential is immense to bring about solutions to new challenges, computational or not.
Once it is leave, it implies our current crypt grapoic systems are unsafe and we won't be able to safeguard our privacy. In ten minutes today I will look at the Quantum threat and how to take advantage of Quantum to actually be Quantum-safe.
Now, we are in the IGF. The IGF's theme this year is an Internet for everyone. Internet for everyone is possible through universal access and privacy. And the fact that our communications can be kept secret is the base of our security as individuals and as nations, of course.
Our online interactions, we trust what we call cryptographic algorithms, what Carlos was talking about. This trust is built on something we call computational harnessed assumptions. The able that they will be able to with stand the cyberattack no matter what. But the crypt analysis breakthroughs make systems vulnerable in one night.
Now, we all know the company who suffers a cybersecurity in the past for three or four months. As mates were saying, when it is not a cyberattack on a company it's a cyberattack on a government system or. We live in cyberspace, thanks to 5G and others we rely on systems such as IoT, the critical infrastructure and the web. The more digital our infrastructure is, the more attack vectors we have to withstand. And if domain is vulnerable in its own very unique way. For example, as Carlos was saying before, critical infrastructures depend on scarce systems that are very unupdated. Environments have very limited computing resources by design and very limited security schemes as by design as my colleague Wout was saying.
When we speak about the Internet and networks we are are shifting to our software defined networks meaning that they will be susceptible to cyberattacks.
So we can say in a way that the credit cryptographic systems that protect our infrastructure are on shaky ground today. We can really say they are a weak point to watch. During the past decades with these covert Quantum algorithms with the cryptographic potential that can break the cryptographic techniques we use today to protect our decide. We need crypt processors that are big enough to run them. A new type of computing device, capable of performing very critical calculations some of which are intractable by classical computers.
And Quantum computer is a game changer. Uses the principles of super position environment, whatever they need, to change the way we store and process information. And while large scale Quantum computers are not the reality, they are not available yet, of course, the fact is that creating a strong computer, Quantum computer can accelerate our process of solving the schemes we use in public key algorithms to protect our data.
I can give an example. Thanks to a Quantum algorithm like Shor, we quo say encryption. This can break and destabilize us. It is not about native breaches. It is not about, not only about financial loss. It is about losing the integrity of documents, all of them. Losing the sanctity of our personal data and losing control over the health and the financial systems that keep us together.
And the truth is that we don't have to wait for Quantum computing to come because by harvesting now the critical later which I assume you heard a million times by now, someone can store encrypted information to the -- once the technology becomes more advanced. This means that the impact of Quantum computing truly started yesterday. As we can say.
Now, the paradox is that Quantum can also give us the key back to our integrity. And in fact, Quantum technologies and classical techniques are the back of the tech industry and governments when it comes to cybersecurity in the future. Now today as you can say in the presentation, we are going to focus -- we don't have time. We are going to focus on the tools we are developing today to be Quantum safe. In the short-term and in the midterm. The first one is post Quantum cryptgraphy. Carlos was talking about it before. The second one is Quantum key solutions. Let's focus on the solution we have more to attend.
We were saying that encrypted communication that is intercepted today can be decrypted in the future by a Quantum computer that is strong enough. Now, post Quantum cryptgraphy, what it offers us is neoclassical algorithms that we believe to be secure against a Quantum threat.
There is nothing Quantum in these algorithms but we assume computational hardness that can with stand the brute force of a Quantum computer that tries to decipher it.
PQC short is a strong solution we are making in the forth to standardize them, guided by the NIST from the U.S. Also probably heard there is cyber for secure key exchange and lithium sphinx falcon for the signatures.
And the interesting thing here, talking about best practices, is that the tech industry can enforce these algorithms in to solutions they offer to us today, even though they haven't been standardized. In fact they do this, which is interesting, for example, for government agencies that use technologies in the cloud or storing sensitivity data in the cloud.
Here we can see a couple examples of major tech companies taking a hybrid approach being in the cloud. For example, AWS has a cloud commercial environment, but it allows you to apply these algorithms cyberrer within your security shell. Google has historical crypt greasm algorithms with potential Quantum resistant algorithms which is a standard that you use to authenticate yourself when you initiate your session on a website. And cloudflare, for example, has done something that is more or less the same. So what I want you to get from this, it requires new software stacks. It can be started, it can be implemented starting now. Due to the comparatively low cost of doing that, the private sector can take the lead guided by standards, but it can take the lead.
Now, we get to QKD which comes to me as my favorite. QKD key distribution can be a midterm solution to the Quantum threat to cybersecurity. It is hardware based, not software-based. QKD uses the principles of Quantum mechanics to establish a secure communication channel, they have a secure communication channel and allows you, disrupting attempts. What I want you to imagine because we love to talk about the Quantum Internet but we are not causing that. What I would like you to think of is an entire infrastructure like those of the ISPs of the Internet. 123 for telegram Internet networks. Using Quantum techniques. That is a Quantum network. If we are successful in implementing Quantum networks we are going to have unhackable networks for secure communications.
Now I'm optimistic about the future of QKD but it not a simple ballot. There are many challenges to solve before it is deployed to scale. It is a bumpy road to start and very costly. QKD is a moon shot because we have to have entire infrastructures of communications. There are limitations. If you have a Quantum network that is hyper big, you will probably, I mean your Quantum states of the Forums can be degraded and the information maybe cannot make it. So we have to work on that.
Also these Quantum networks, they have to be integrated in classical telecom networks. That is the interesting thing that we can go about. And it requires compatibility. It requires us to work on interoperability. This is such a technical challenge.
Also scalability. And the potential to, for the service to work 99 percent of the time. Why? Because Quantum networks are going to be designed for the first use case to be secure government communications. It is going to be defense. It is going to be intelligence. And they need to work.
But the thing is, despite the limitations, I want you to understand that Quantum working is starting to work. We can see that in the Magiv communications infrastructure because it is able to send info over ratings of 40 square kilometers. We can also see that the New York, will connect NYU because they have a Quantum web there that actually works. Also in China, you already are seeing in the news they are very good at doing ground segmented, space segmented communication with Quantum importation.
So with QKD we have the short-term, with QKD, it needs to be very big an continued and all the nations and federations can kick start the design and deployment of this technologies. For example, the European Commission has the Euro QCI programme. The case is, as I told you, secure government communications.
Now, I have one minute for this. What I want you to get from this presentation is that of course there is a threat that may come with Quantum computers in ten to 15 to 20 to 25 years. But there are shields and techniques we can implement and standardize and use together in a phased approach in these 20 years to Quantum computing comes. The first one to me is going to be PQC. It is class cam and we can do it now. The second is Quantum is working and the end game is full deployment of Quantum communication infrastructure networks and also Quantum computer. The Quantum Internet. Sole source computers, everything protected using your data.
Taking this in to mind, how do we participate in making this happen? We can do many things, right, but first of all for me is always thinking about yourselves. And think about yourselves means that you have an organisation, you need to think about how we can be Quantum safe. And the way you can do it is understanding what you have in terms of information char. That we were used t make some premise on cloud services to have some communicate your data and the sent which you are following the level of encryption as Carlos was saying. Is it safe? Have an inventory of your cryptographic algorithms and see how much you can invest in your Quantum security. If you are a small organisation you may get to PQC and that's all for the next ten years. If you are stronger, bigger organisation maybe you can also try to understand how to engage in Quantum communication networks.
The industry is already busy working in interoperability and compatibility with governments for PQC and also for network working. The government is already launching national strategies and engaging Quantum solutions into the cybersecurity strategies. For example, the European Union is working on this right now. There are some boxes in PKC and KQD stacks for how it actually works. For the idea of community and for me the IGF community, I will tell you that Quantum is still a mystery to most of us in the policy community.
So what I think we need is to engage, we need to learn. We need to study this. We need to understand this. We need to create spaces for discussion and engagement.
I think it is on us to introduce something else medium quality thoughts on how to collaborate and standardize these technologies. And also let me finish with this. I think that Quantum technologies bring both light and darkness to our lives because our lives are digital. And that our privacy is our health. Is our identity. And the rights of the people cannot be lost in translation in a goal beak Quantum safe and unhackable, so that everybody understands. We can work together on this. Thank you very much for listening.
>> CARINA BIRARDA: Thank you very much, Maria, for your presentation.
And we thank you for sharing your ideas. And we invite you to ask questions to have an interactive session. And Olga? Is our next Panelist. The microphone is yours.
>> OLGA CAVALLI: Thank you. Thank you for inviting me. This is extremely interesting. And I have a question for the experts once we have the questions and answers. As part of the session.
Thank you for inviting me. I would like to bring to you a different perspective now. First from the capacity building concept and then from the public policy concept.
First, let me tell you my name is Olga Cavalli. I'm a University teacher at University of Buenos Aires. I teach network infrastructure and thrummings infrastructure which is where I have worked most of my first stage of my career.
Then for 20 years I have been working in public policy in Ministry of foreign affairs and now I'm in Argentina presently the national Director of cybersecurity.
I want to bring you some ideas from these two perspectives. The school was created 15 years ago because we realised that the participation of Latin America and all these dialogue spaces where the policy related with the Internet are defined, was very scarce. Was few and was perhaps not so much relevantly prepared to participate in dialogues and comments and shaping the policies that are totally different from perspective from Latin America to other regions.
Latin America is, has a different challenge from other regions. It is extremely unequal in relation with economic distribution, infrastructure distribution.
So our problems are not the same like other regions. This is why we created this space to train professionals at any age, any background is welcome. Whether technical, policymakers, journalists, lawyers. In order to learn all the rules that make the Internet work and how to participate and understand the problems and challenges that Latin America has.
So we have been doing that for 15 years. And for the first time this year we went out from big cities. We rotate among the Americas. We had one totally focused on cybersecurity in the venue of the organisation of American states. That was very interesting.
This year for the first time we went away from big cities and we went to a city inside one state in Brazil, City of Capina Grande with 400 Fellows. You can find information in our website.
What I would like also to talk about is the extremely fast pace of the adoption of ICTs technologies by human beings. The different estimations, maybe Nico will know more details about it. I had a report from Erickson that next year we will have 22 billion of IoT devices. And then I found another one from Cisco saying that the number will be 50,000s. The difference is interesting, but I think the amount of devices is enormous compared with what we have been dealing up to now.
There is a number of regional, reasonable number of devices per person. Considering that the population of the world is 88 billion people, the pace of adoption of all these digital infrastructures, especially the new ones, is very, very fast.
It is faster than, much, much faster, five times, sorry -- it's the time. It is the jet lag.
Faster than electricity and telephony, much, much faster.
So also it was already mentioned by Wout and colleagues, most of these technologies were not designed with concept of security from scratch. They were designed in a different environment and a different time with different ideas.
So that's extremely challenging. And I would like to consider now some public policy that we have been implementing in Argentina. Although I am participating here as an academic, I have a public policy role. I want to tell you what eive we have been doing in Argentina.
Our role in the national government, we have a target which is the national administration. So for that, there is a resolution that establishes minimum requirements of cybersecurity for them. What they have to do. They have to prepare a security plan. They have to share it with us. We have a database with all the security plans. The most important thing, they must assign one focal point. That focal point is in contact with us in a permanent basis.
We provide training for them every month and sometimes more frequently with news about technology and also we share with them all the vulnerabilities that the national cert that depend on our administration also can detect.
We share with them all this information on a daily basis. If they have an incident, they have to share that with us and the national cert and our experts can help them.
And this communication and this establishment of the security plans and the communication is mandatory for them. So there is a binding resolution. It is not voluntary or aspirational but it is mandatory for them.
Also we have developed a manual on what to do if they have an incident. So it describes the different stages that they have to go through if they have an incident. And I think that that would fit into the question about the best practices. And also the public policy that I mentioned to you.
Also we have published the new or approved the new cybersecurity strategy for Argentina. This is the second one that was produced after a public comment period during the month of January this year. And let me check if I'm forgetting something.
That would be all that I want to share with you.
I have a question for Maria, for Wout, and for Nico. What I see now, it is an increasing gap. And challenging for developing countries, especially for small and medium enterprises in catching up with all these new changes in technology. And I see this gap really being very, very big.
Not only because of understanding technology, but also by buying it. It is extremely he expensive. Some countries we have some restrictions for importing some products and some hardware. Also the lack of human resources that we all know that it is a big challenge for all countries not only for developing countries but also for developed ones.
But some human resources go away, like my son is living in Europe because he was captured by a company who thought he was very well prepared. He was trained in Argentina in a public University and now he is working in another country.
Which is good for him, but maybe no good for developing economies. Just an example of the challenge that we are facing.
And looking at all this Quantum technologies that are being developed, how do you see the small and medium enterprises or developing countries catching up with this changing, fast changing technologies that will be used and will be implemented very quickly? Thank you.
I did two things. I spoke and then I questioned.
>> CARINA BIRARDA: Thank you very much, Olga.
Sorry?
>> WOUT de NATRIS: Her question?
>> CARINA BIRARDA: We have only seven minutes for questions. If you want to answer the question, it is okay. Yes, Olga? Yes, yes, go ahead.
Let me see. Mohammad, do you have any question in the chat?
>> MOHAMMAD ALI JAUHAR: No, we don't have any questions yet.
>> NICOLAS FIUMARELLI: Yes, maybe I have one question and we can, the Panelists can respond as well. Because you all talked about different technologies, it is known that the yoit, the number of -- IoT, the number of devices is increasing and Quantum computing is already being developed. Also ICT is not showing deploying the best practices for security in every service.
As Olga said, it is so expensive to have all of this.
So yes, so my question is, do you think that also in the case of RPKI and DNSSEC, do you think that law enforcing these technologies is a good way to go? What are the threats or the risks, maybe commercial risks in having this? Why we are not having these as mandatory thing? In the case of DNSSEC and RPKI for the networks, in the case of the IoT security standards made by the ITF sometimes for these constrained devices that are solutions already in establishing the entities. Also for ICT, right, why this is not like Quantum resistant algorithms that we are seeing in the core Internet. Why these technologies are not applied for all the ICTs by a mandate, by a law enforced thing.
Maybe if you want to have two minutes per Panelist to try to respond? And also accumulate on the other questions we have had from Olga and the rest of the Panelists. Thank you.
Maybe starting with Carlos. Then, yes.
>> CARLOS MARTINEZ CAGNAZZO: Those were a bunch of questions in a single one. I will try to make both points.
I personally don't believe that mandating technologies is a good idea. I have seen many examples where that has failed.
That said, I think the situation for DNSSEC and RPKI is vastly different than the situation from zero eight. IoT has a serious issue with cost, with cost per device.
There is a race to the bottom with cost per device. It makes sense to have the cheapest device that you can actually manufacture. And there is a race to the bottom that certainly doesn't help in developing new technologies.
DNS and RPKI, there is a difference there. I think one of the issues that the Internet has face the over the years in deploying many technologies. It happens for IPv6 as well. The thing that many effects in the Internet are externalities. There are things that you as part of the Internet have to do at your own cost on behalf of another party to benefit another party.
And sometimes there is, you know, commercially a hard sell. So I think that's what has been one of the barriers in deploying new technologies on the Internet.
And I think there are two different phenomena there that need to be addressed differently.
Regarding what you mentioned why you are not seeing post Quantum algorithms being applied. In my opinion the post Quantum algorithms that have been proposed so far are less than satisfactory. Basically are variations of's lip particular curve algorithms with very, very long keys that are simply not practical. They exist but they are not practical. They would create this huge signatures that are a threat in themselves.
So, sorry. I think I took more than two minutes. Sorry about that.
>> NICOLAS FIUMARELLI: Now going to Maria, two minutes, please, and then Olga.
>> MARIA LUQUE: Thank you very much, Olga, for your question. I think it is very interesting. I would like to expand on this with you for an hour and a half.
Regarding what you say about P mis, like small companies faced with the challenge of trying to keep up with this Quantum technologies and all of the bus that comes with it and something very interesting because in Spain, for example, we have the national security scheme which was evicted on October 2022 last year. It doesn't speak about Quantum yet but the standards that it enforces for information security are very high. It talks about, for example, multilevel security schemes and it talks about PUF for hardware and I can see this strategy, for example, in Spain being updated with PQC requirements. And best practices.
And the theme here, I don't like it and I don't think it is positive, but the thing here is that a small company given that normally a small company if it is a tech company or Nova company they rely on the infrastructure of big tech companies and that infrastructure providers to serve themselves. They don't have, they don't have proprietary technology architecture schemes. They rely on AWS, Microsoft Azure. They rely on fooling.
These companies are going to be able to offer the solution that Carlos and I don't like very much. Which is PQC, PQC algorithms inserted in the cloud as an option for you to try to make your data safer in the place that it is.
It is going to be the option in the next five to ten years for small companies. Although I don't like it, but I can see that's the way. Also, Olga, regarding the nationality Quantum strategies for small company countries and countries in general, I can tell you the tendency is to be very, try to be very specialized and try to prioritize the one thing that you think you can invest in. For example, you can see that in the European Union everybody is very ambitious in the European Union, every country.
What we see is, for example, Spain says hey, we have, we are really good at optics. We are very good at, we have very good mathematicians. We are going to go for developing Quantum algorithms. And we are not going to focus so much on Quantum computer because maybe we don't have the resources.
Different countries are trying to understand which role they can play in the Quantum supply internationally. It can be betting on talented workforce. It can be betting on developing algorithms. It can be betting on familiar -- it is a big difference and different for every country and I would like to expand on it more with you.
>> CARINA BIRARDA: thank you.
>> OLGA CAVALLI: Thank you, Maria. I take your word of expanding this. I may get in touch with you.
It is interesting what you said first about the most important companies in the world will develop some technologies that others will start using, which is true and which is happening now, perhaps with cloud computing and other technologies.
My fear is that developing economies and small and medium enterprises will be just consumers of technologies developed as were mainly in the States and China which is the main posts where these technologies are being developed now. That is something we can change with awareness and capacity building. I'm also positive about technologies. I think we have to go in that way.
Thank you. Thank you for inviting me and for comments and Maria, Carlos, and Wout who left. Thank you.
>> NICOLAS FIUMARELLI: Okay. Thank you so much. So we are ending the session here with insights about law enforcement maybe is not the solution. The capacity building and awareness are there. We need to be in the loop. In the loop of what is happening requiring requirements, the national agencies and all these entire world of different technologies approaching.
So thank you so much to all the Panelists. See you next year in hopefully with new news about these technologies. Thank you so much. Big applause.
(The session concluded.)
(Realtime captioner signing off.)
>> CARLOS MARTINEZ CAGNAZZO: Have a great day. Bye-bye.