IGF 2024 Open Forum #28 How to procure Internet, websites and IoT secure and sustainable

Cybersecurity is at the top of mind of all organisations. Billions are spent on it. This open forum focuses on important causes of unnecessarily low levels of security and will show you the easiest and cheapest way towards a higher level of ICT security. You will learn, how existing security-related Internet standards and ICT best practices can contribute to ensuring a higher level of security and how your organization can use this knowledge to its advantage. This open forum is a) an awareness raising session and b) a knowledge gathering session on current good practice all can learn from. First three short introductions on the topic are delivered. Forum Standardisation of The Netherlands presents the ICT procurement procedure it developed for all levels of Dutch government (10 minutes). IGF Dynamic Coalition IS3C presents its research report’s results into procurement and its toolkit containing 23 standards (10 minutes). The Global Forum on Cyber Expertise (GFCE) presents on its current training programme on Internet standards deployment (10 minutes). This is followed by Q&A and an open discussion (50 minutes) in which experience is shared on how to obtain ICTs secure by design. Especially participants from governments, industry, technical community, parliamentarians, consumer protection and civil society are invited to join. The Internet functions because of software code like IPv4, DNS, BGP, HTTP, etc., all developed over 30 years ago. Security was not an issue at the time. It is today. Hence, Internet connections, services, devices and platforms need to be more secure, i.e. developed, manufactured and sold secure by design. This includes the new generation standards the technical community has developed in the past two decades, IPv4 --> IPv6, DNS --> DNSSEC, BGP --> RPKI, HTTP --> HTPPS, etc., that close security risks attackers abuse. These new standards are adopted too slow by (the ICT) industry. The consequence of this slow adoption is that all users of the Internet are, unnecessarily, vulnerable to attacks, abuse and loss of (privacy) sensitive data and finances. One cause may be that your organization is not demanding them. This can change. The following questions are asked in this open forum. Is your organisation aware of existing options to proactively secure their ICTs? A) If yes, what is your policy? B) If no, what stops your organisation from using these options? Are there different causes in respective regions? What do you need to adopt this option? Are you willing to work with us to develop a programme? The questions will be discussed in an open manner, with a clear aim to learn from each other’s experience and to gather and learn from existing knowledge. This is important, because larger organisations can play an important, proactive role in making ICTs more secure and safer. They can use their economic power when procuring ICTs, e.g. hosting, websites, domain names, email services, IoT devices, etc., secure by design or when renegotiating (service) contracts thereof. When the demand for security by design, so including state of the art, security-related Internet standards and ICT best practices, becomes an integral part of all procurement procedures in the public and private sector, this will lead to a selection between ICT companies that are able to deliver security and those who cannot. Most will very soon after. The session ends with a wrap up by the rapporteur and moderator (10 minutes).

As we intend to actively invite individuals and organisations, who are not regular IGF participants, a well-functioning online environment is of the essence. The onsite and online moderator therefore will operate on an equal footing. A successful hybrid format is important to reach the goals this session has. Both online interventions and the chat will be extensively used. Both moderators will prepare the sessions together, allowing for integration of both kind of participants. We do not intend to use online tools. Should this change, we will notify you well in time.