The following are the outputs of the captioning taken during an IGF intervention. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid, but should not be treated as an authoritative record.
***
>> MODERATOR: Good morning. Welcome to our session. My name is Wout de Natris - van der Borght. I'm the coordinator with the coalition here at the IGF. I'm with people from the coalition and together we'll be presenting the report that we're putting out here at the IGF.
First, a short word about what it is. It's deployed by industry. We have been producing reports over the past five years, as long as we have existed. And the first one was on education and skills. And so to close the skills gap between what cybersecurity curricula offer and what the industry actually wants. And we identified an age gap and a skills gap and a gender gap all in one. All over the world.
The second report was on IoT security. And that will come back a little bit in Joao Moreno Falcao's presentation. I won't go into that further. The third report was on government procurement. We found out that governments mostly do not procure their ICT secure by design. It's not in their procurement perspectives. So that's something that really needs to change, if you want to have an incentive for industry to actually start producing secure products. Whether services or devices or applications, as such.
Then we produced two tools. We identified with a global forum of experts what are the most important internet standards to deploy on activity. And we added websites. Because everybody thought it was extremely, extremely important to put a point of pressure on for industry, as well.
Then we produced the toolkit on arguments. What arguments do technicians need to use to convince their CEOs, their CFOs, their boards of directors, et cetera, to actually either deploy standards or procure secure by design.
And this year we have the fourth report, which the people at the table will tell you about: post-quantum encryption. The way I look at it, the history of cybersecurity is: imagine that you buy a car on the top of a mountain. And the salesman gives the keys to you and says "just drive down. There you go!" And you go around the first very soft bend. It's starting to slow down. Very slowly. And there's a guy saying "do you want to buy brake lights?" Waving on the side of the road. The next bend, somebody waving "would you like --" whatever, seatbelts? Finally, "do you need brakes!" And then the first hairpin, and this is what happens with ICT. You buy a device and somebody says you have to install this or buy antivirus or whatever. That's something that is not normal for any other product in the world. Everything comes with some sort of design for security.
So I think that is what we are trying to prevent with this report. If quantum day comes and we don't have security in place, then there may be [?] and if that happens, the future will tell. But we think it does. And with me are the people who are going to explain why this is important.
We have Benoît Ampeau, we have Elif Kiesow Cortez online, and Benoît Ampeau. And then we have the reports and then we close the session with potential actions. First, let me give the words to you, Benoît Ampeau, to explain why this topic is important to take on.
>> BENOIT AMPEAU: Thank you. So I'm Benoît Ampeau. I'm at AFNIC. And we are very happy supporting these four reports and I'll explain why and give you some elements of context and why AFNIC is pleased with the outcomes from the report.
At AFNIC, we've been working over 15 years on the internet of things. Particularly on the technical aspects and the identification of objects, as well, on security and privacy issues for civil R & D projects.
Like many technical organizations, we need to anticipate technical transitions, and we have begun to gather the impact of post-quantum. As early as 2016, we organized a conference with our scientific council to raise awareness about the impacts on increasingly digitized societies. Since then, many things have evolved. As part of our commitment to R & D, we observed there are few studies on the social impact of technologies. This is a shift for us. We are making -- trying to integrate this important dimension into some of our studies. Which makes sense. Particularly here at the IGF. A unique place where all stakeholders can dialogue.
This was born from all the context, from all the elements. Quantum computing is no longer a distant dream confined to the pages of science fiction. We do not know ... in conclusion, capable has not yet existed. The complexity necessitates studies and also action plans. Testing interoperability. It's not just about activating an action or rewriting code. These are also sometimes costly evolutions that require coalition among many actors and rigorous planning.
Past experience in technical transitions, in the deployment of internet security extensions, shows how these changes can extend even more than a decade.
We must collectively anticipate an individual transition. Thank you.
>> MODERATOR: I think you set the stage, Benoît Ampeau, for the next step. Why is it important for a registry?
>> SPEAKER: I'm the head of R & D partnerships. Thank you for setting the stage, Benoît Ampeau, for my talk. In the next five minutes, I'll try to explain why a domain registry is involved in the study about IoT and post-quantum.
Here, if you see in the image here, we have different stakeholders involved in connecting a domain name to the web service. Sending to different users. So if you see from a technical perspective, we have the IETF that standardizes the IP addresses and the domains. For example, in the domain sector we have ICANN. In IP address governance, we have the regional internet registries. So all of these different stakeholders are involved in setting up the stage for translating the domain name to an IP address. And the system that is used behind it is called the domain name system.
But when we look at IoT, we have different stakeholders involved, also, but they're working in silos. So what AFNIC is trying to look at is: the multistakeholder system that has been working quite effectively in the last 40 years, can it be applied in the IoT? That's what we're working on. We're not just telling it. We are walking the talk.
We had, for example, worked with different stakeholders on French government and European projects. For example, we started with the supply chain industry in consumer goods to look at how it could be used in the DNS. And then the end result service and be used with the LP band technology. So we started, first, with seeing whether the identifiers can be added. Then these identifiers like RFID could be involved in the services. Then we add the next layers like security and privacy. We have had considerable experience in the last 15 years working with IoT stakeholders on how to use DNS.
So the IS3C report here, the objective of the talk, looks at today's pain points in the IoT and how they are amplified by the advent of post-quantum. This looks at it in detail.
So, from a policy and standards landscape, what happens? In the U.S., for example, NIST published different algorithms. The federal government is saying that by 2035, all federal systems, classified and unclassified, must be fully quantum-resistant. For example, we have standards in the EU. The EU roadmap also says by 2035, the transition should be largely complete for all practical systems. From a domain perspective, there is also ongoing work on how the DNS system could be getting ready for a quantum-secure future. Finally, our objective as the registry. Our call for action is, as multistakeholders, let's work to ensure that when the deadline arrives, like in 2035, the IoT can address all. Algorithms. Best friend we focus on the IoT.
We focus on the IoT because we have to limit our research, of course, but it could be on many different examples. The DNS will have its own problems. The banking system will have their own problems. The routing system on the internet will have their problems. But the IoT challenge we face is you always are going to go into that and come up with the post-quantum part of the report. It requires its own onboarding and the other challenges we face today. Thank you.
>> SPEAKER: Hello everybody. Thank you for being here. So in this part of the report, we did a literature review to understand the emblematic incidents. We started to look at the emblematic incidents to see the reach of these attacks and how they are factored to the public. And, well, later we started to investigate and evaluate the policy frameworks and global standards that are active today. And with this, we discussed and thought about how to assess readiness for post-quantum cryptography. Here, it's not a question of whether we are prepared or not. But how can we prepare.
So for this, we created at the end of the report a proposal for actionable and inclusive mitigation. Including mitigation strategies. Since we know the internet is made out of billions of devices, and a huge part of them will not be able to be patched.
So to start looking over the landscape, we need to look into the IoT devices and see what they are. So they are resource-constrained devices, which is our first challenge for post-quantum. Cryptography is a way more complex and way more resource-intensive technology to be used. And we also are here using devices with fragmented protocols. So we have devices with LoRa that use a different bandwidth. And a protocol different from the IP protocol that we are all using. So how can we go after it? How can we protect these other devices that talk in different languages? So it makes us feel like in the '70s when we had a couple of devices talking different languages. But we need to harmonize them to protect the whole ecosystem. Not just a part of the ecosystem against the quantum threats.
Of course, the other part of the landscape we have is the low user awareness. So we have an inertia in patching these systems because most of the people even don't -- it's difficult, actually, to look after all the devices that you have in your home or in your factory or in your company. Because they are intended to be automated. They're intended to be devices you're going to drop into the system and you will never think again of this individual device.
So, how can we highlight that we have these entry points, that we have these devices. They are a risk. And use this to protect. So the case studies, I brought three here. One is the Jeep Cherokee hack. It happened in 2015. They were able to change the steering wheel of the device and interfere with the braking system. So this was a huge turning point. Because a physical -- an online hack would be able to cause immediate harm to the user. So you can think, like, okay. It was in 2015. So now we are better. Well, no. In 2024, Kia had an instance where you could change the device owner and with this be able to unlock the car and also see the history of the car. So anyone with a Kia car could be hacked in this way and have their privacy violated.
So the St. Jude cardiac implant showed it's not specific to a specific industry. You talk about medical devices that can risk the life of the patient. So the cardiac implant had a flaw. The device could be discharged remotely. And then making it unusable to the patient.
And one thing that we saw as very concerning is about the botnets. So the Mirai botnet is one of the most prominent. Because it was created in 2016. It was, actually, a proof of concept. So a couple of guys in college said, "I think this kind of attack is feasible. So we will write up some code and publish it on the internet showing how we are vulnerable." Well, this actually created a trend. Based on their code, there are more than 30 active variants of this running around. And they have a huge impact on the privacy of the users and, also, cause harm. So we saw other examples being used. And we need to look after this kind of threat. It's global.
So the policy landscape we went through, it's pretty interesting. We have ISO and they are based on foundational knowledge about how we can secure the devices. We have the EU Cyber Resilience Act, which mandates security by design, including IoT. We have NIST. The APAC labeling systems are pretty interesting. They try to bring awareness to the user by validating the devices. And, also, we looked into the PQC part. We saw the UK created a roadmap to plan the transition up to 2035. Which looks promising. But we need to work on it.
And, also, we saw the role of the IETF in PQC standardization. Because the main source of communication of the devices is the internet. And we need to have devices to tackle this. People to tackle these communications.
So, yeah. The strategic recommendations. We saw that we are on a good path, but we need to think further on it. And mandate secure-by-design, harmonize global labeling and certification, and invest in lightweight post-quantum-resistant solutions. And, of course, train the users and the programmers to be able to use this kind of technology. Thank you.
>> MODERATOR: Thank you. Elif, what are your findings in the research where the post-quantum part and the cryptography are concerned? The floor is yours, Elif. You have nine minutes.
>> ELIF KIESOW CORTEZ: Yes, thank you very much. Just making sure my slides are up, as well. And, of course, we are happy to be presenting today the findings of our report, and you see the sociopolitical and technical impacts of IoT and PQC. And in the report, already my colleagues mentioned that we will be focusing on, also, giving strategic guidelines. So for me, I think, to complement what has been already said, let me just maybe jump to the PQC part. Because it's more detailed.
So what we wanted to cover here with our coauthors was both giving the advice on the importance of the PQC migration. But, as well, briefly mentioned, we wanted to make sure it's on a concrete subject. And for this case, we'll be referring to IoT when it comes to our recommendations.
So, first, we wanted to understand what is the current status of the discussion on these issues. And when it comes to PQC, it's important to mention, also, for our audience, we are talking about a threat by a quantum computer. And this particular quantum computer we refer to is defined as a cryptographically relevant quantum computer. It has a focus. It has the capacity. And it can be utilized for breaking the currently valid encryption, including RSA. And I don't have to explain why this is a significant threat, but I'm just going to picture for you one version of this threat that has been discussed a lot.
This is called harvest now, decrypt later. And this is to say, even when we are thinking that our highly sensitive data, such as government communications, are currently encrypted, this discussion -- this particular risk is highlighting that this encrypted data can be recorded right now. And those recordings can be decrypted once malicious actors are able to utilize a cryptographically relevant quantum computer. That's to give a concrete example of why we say the risk is a big one. And the other indicator, of course, to understand how this is a current and relevant risk is to look at the policy landscape.
We're already seeing and analysing in our report the actions by NIST. It was briefly mentioned by my colleagues: they already have guidelines on which PQC algorithms are recommended. And also the fact that they set 2035 as a target for all federal systems to migrate to PQC encryption.
So, again, this can sound like -- right. We're talking about 2035. It has been communicated strongly by NIST that it's important to start the migration process as early as possible so that we can really guarantee that we are going to be making sure that this data is really secure.
So they gave the target of 2035, but then it can be said, we have to start today with all of the migration plans. Why am I highlighting this? Maybe some of you saw in the news, maybe not, but the EU just announced a few days ago their ambitious target that for all high-risk use cases the PQC migration should be completed by 2030. So now we are already looking at a five-year deadline. But let me make it a bit more pressing. By explaining how they actually said that for achieving this timeline of making the switch by 2030, the EU is now requiring the PQC transition planning and pilots to be initiated by the end of 2026 at the latest.
So if you walked into our lounge thinking that we would be talking about this issue as about the future, I guess that was wrong. We are launching today this report that is directly relevant to what needs to be done now. And not later. So let me just stress that there are also other EU member states, including France, Germany, and the Netherlands, that already launched their PQC migration guidelines. So in our report, you will find more explanations on this, as well.
And this was, again, mentioned by my colleagues very briefly. Our report also looks at the societal impact angle, as well. For example, if we're talking about these, like, harvest now, decrypt later attacks. Then we have to preserve the long-term privacy of the citizen, as well, against these kinds of attacks. And we have to secure critical services when it comes to societal impacts. And when we're thinking about the legal impacts. Now, for example, we're saying the PQC migration plans must start by 2026 at the latest, the regulations like the GDPR should be, also, compelling the use of quantum-resistant encryption in the near future.
And when we look at the economic impact, of course, there will be significant costs for upgrading systems and hardware, and this is also why we're urging for the migration plans to be started early. It has been mentioned, again, that we will be also covering in our report the environmental impact, as well. I think we made the reference to it about how the algorithms can be, also, energy intensive. And making sure that we are thinking about the environment. We will need to be working toward lighter, possibly very well working algorithms, as well.
So now I will be jumping into the recommendations. Again, already highlighted that this could be on different levels. We'll be giving recommendations in this report that are both on the national and organizational levels in detail. But we also made a call for global cooperation, as well. And we have different levels of recommendations. Again, you will find all of this in our lengthy report, where we are looking at, for example, some more timeline perspectives in more detail on how to handle PQC migration. And we're, also, explaining in detail how organizations should tackle this. But another added value of our report is we got a chance to apply it to a particular case. A particular study, which is on this IoT security. For this, we also gave international-level guidelines on global standardization and interoperability that is focusing on international R & D as well as capacity building. And we are also very happy that we managed to give these very concrete national-level recommendations, as well. Starting from government initiatives for awareness and R & D. Continuing with making PQC compliance mandatory. Because, again, now I think it's clear that the risk, the threat, is there. We know now better than, let's say, 20 years ago not to ignore cybersecurity. So in that sense, we're also highlighting that there have to be educational training programmes already, as well. But, also, we need to be thinking of things like national synergies, things like supporting, for example, product developers in PQC, so that we're covering the 360-degree aspect of this migration issue.
Again, we said that we gave complete guidelines. Also when it comes to the IoT and PQC intersection. You can see in the report we'll be explaining step-by-step how a company and organization can also work toward or move towards the PQC migration. Starting from a cryptographic asset inventory for their IoT systems to, of course, getting the data privacy policies in line with that. As well as the supply chain engagement.
So, again, I already said we're happy to be launching this report. So I think that we also have a few printed out copies, as well, but you can scan this QR code, as well, to download our report. And if you are interested in working with us, of course, our colleagues are on stage. If you want to learn more on our report, like I said, you are provided this free and publicly accessible link to download and benefit and cite this report in your future work, as well. Thank you very much.
>> MODERATOR: Thank you very much, Elif. And very much on time. I think what Elif shows is that we have an option. And that option is to start acting now and be secure in quantum. But the other thing is that we have a Dutch saying: the donkey does not run into the same stone every time.
So where cybersecurity is concerned, the world is proving to be a donkey. We made the same mistake with launching new products insecure by design.
This is a chance to do it differently. I think, with that, I open the floor for questions. Are there any online questions? No. There's a question in the room. Because the experts are here! Who would like to ask a question? There are microphones. So please move to the microphone. Please introduce yourself and your affiliation.
>> SPEAKER: Thank you very much. I'm the cyber investor for the Netherlands. I'm not a specialist on quantum computing and really thank you for the presentation. I will read the report with interest.
First of all, I was hoping that in the presentation there was a reference to the Cyber Resilience Act. Because it was especially important during procurement from the governments. Well, actually, that's already too late. I mean, it should already be in the products anyway. Because of the Cyber Resilience Act. I hope many other countries outside the European Union will look at the legislation and, also, try to copy what is relevant for their own legislation to ensure it will come to world standards to include cyber resilience in the products of the companies.
For me, the risk in quantum and IoT is a new angle; it's interesting to learn about it. I discuss, also, quite often with specialists, professors from universities, the risk of post-quantum computing. And I must say, there are also some different discussions. They say, you know, the organizations for which it is really relevant. You know, the harvest now, decrypt later. They're already aware of it and busy with it. So, like, the intelligence agencies. For example, if you look at the small and medium-sized companies, data that is more than five years old, to decrypt it. So they say encryption, or the whole development of new encryption, is going on anyway all the time. So it's not a topic for the wider audience to be really concerned about. Because, I mean, the product development in places in -- through the products. I'm wondering what your view is on that. Because you read a lot that it makes a big risk. And at the same time I speak to professors that say, you know, we already have post-quantum encryption. Those organizations that really need it, they are already aware of it and use it. Also, companies are truly aware of the need to secure the data. I'm curious about your view.
>> MODERATOR: Okay. Thank you. We'll take your question and then we answer both at the same time.
>> SPEAKER: Thank you. Very exciting and interesting session. Can you hear me now?
>> MODERATOR: Yep. Introduce yourself.
>> SPEAKER: Thank you for the nice, interesting session. It's certainly an exciting topic. But, also, quite complex. I can imagine it's not super easy to grasp all the challenges here. And probably most normal people leading their everyday lives don't really think about it much. Or even know they are using RSA or other encryption systems.
So I'm wondering what your recommendations are about the global labeling or certification. It would be interesting to hear a bit more about what that could look like. And what it would be like in practice. It sounds like something a bit challenging. Because if you want to promote this kind of label, you also are, I believe, promoting these challenges. Like with this store now, decrypt later. How do you balance raising awareness and not just worrying people, or how to create trust without making it all way too complex. Thanks.
>> MODERATOR: Thank you. Thank you for your questions. Who would like to answer?
>> LUCIEN CASTEX: So the first one, is it a problem with most of the devices? So, yeah. I argue in this favor because when we think of cities, the intelligent cities. They have embedded several IoT devices all over the realm. And these devices are not secure enough for the kind of -- we make our society as a whole vulnerable to these kinds of attacks. So if you're able to fake the ownership of a specific device that is crucial to the working of a transportation system, for example. And if you break this chain, you can cause real harm.
About the labeling part, well, we already have labeling in cars. You can see like, oh, this car is rated safety A. This car is rated safety D. I believe people buy them knowing this. And for their restrictions, they're unknown or not to take this risk. But it's good to take this decision informed. So I don't think it will cause, like, some kind of -- make them afraid unnecessarily.
>> MODERATOR: The example I heard was: where is the data stored, and see what people voted 25 years ago when there's been a regime change. In other words, there are vulnerabilities that we need to consider that we're not even thinking of. It's about the things that lie there for 20 years or 40 years. And what happens with it. It's far more complex, I think, than just big companies or big banks will probably be able to deal with. So that's sort of the thing we have in the back of our mind.
We have time for one more answer.
>> SPEAKER: It's NIST and the other organizations that are trying to quantify the algorithms production could use. I would like to take an analogy of what happened, for example. People are saying the security. So the intersect was a solution but nobody was adopting that. I think in the quantum world, for example, things like that would help to ease adoption.
>> BENOIT AMPEAU: To add an end-user perspective and raise awareness. Some countries are also thinking about developing, like, a cyber score label. So it could be, also, a way to directly give information to the end users and consumers about the level of security.
>> MODERATOR: Thank you very much. 45 minutes are over before you know it. We're closing.
I liken this topic to the millennium bug. Although everybody worked for nothing, it seemed. Everybody was able to act at the same time. Take the same measures that were agreed upon up front. I think that is something that we need to do with this topic. That the whole world starts acting. That nobody is left behind. The developing nations are assisted in the steps they need to take. If they're vulnerable, we're vulnerable.
So I think that the IGF in 2026, which I'm confident will continue, would be an ideal place to bring this together. Because we have so many different stakeholders that will have to take their own actions. And they have to agree upon these actions.
So what if we start later this year with an action plan, bringing important stakeholders together and starting to discuss what the issue is. What the actions are. What the quantum cryptography is that we agree upon. And start to make an action plan. And then it goes outside of the IGF. And from that moment on, hopefully everybody starts taking the same decisions. And Nico, you can have a short comment. Please introduce yourself. We have one minute left and they switch us off. Please introduce yourself. I would like to thank everybody, first. And then see how far we go. Thank you guys. Thank you over there. And the Norwegian organization. You've been absolutely brilliant these days in the reporting!
Very, very brief.
>> SPEAKER: Yeah. From the Finnish Green Party. I feel the largest actor on the risk here is not the private companies. Not the city. Not the ICT private operators, but the critical public infrastructure that is being quite harmed by austerity. And the current --
>> MODERATOR: You've made your point. Sorry, so Nico can make his point.
>> SPEAKER: Very quickly. I'm Nico. I want to know how many governments you have, at this point, participating in the initiative. And how they can -- can you hear me?
>> MODERATOR: Zero. That's your answer. We want to bring them in as fast as possible. I've heard you.
>> SPEAKER: You heard the question. Okay. Sorry.
>> MODERATOR: It's zero. We want to bring them in into the project.
>> SPEAKER: So they can still participate?
>> MODERATOR: Yes, of course.
We have 30 seconds. Can you share in one sentence what is ... the mic is there. There. Mic is there. One sentence. What is the conclusion of this session?
>> SPEAKER: Yeah. A few very good points. And I'll be brief. First one, and I have two. It's quite important to keep in mind that with IPv6, or the adoption, we need to be faster.
And the second one, well, we launched this report at the IGF, which is a key multistakeholder forum. We need forward thinking.
>> MODERATOR: Okay. That was very brief. Thank you very much for the synopsis.
I want to thank everybody again for showing up so early on the last day and for your interest. Thank you, again, everybody! And hope to see you at the next IGF!
[ Applause ]