In 2019 under the aegis of the Internet Governance Forum a pilot project was conducted into the causes of and solutions for the, in general, slow deployment of internet security standards. Standards that on mass deployment make the internet and all its users safer, indiscriminately, immediately.
Recently the report ‘Setting the standard. For a more Secure and Trustworthy Internet. The Identification of Pressure Points in Society to Speed up Internet Standards Deployment’, was published on the IGF website. Information was gathered by means of an international survey, breakout sessions at the IGF, dozens of interviews with stakeholders and desk research. It focused on two questions: 1) What are the reasons for slow deployment? and; 2) What are solutions to speed up deployment? This showed that underneath all other provided reasons lies a collective action problem. To break out of this state of inertia 6 recommendations, 25 identified pressure points in society and 7 action plans are presented. Including identified stakeholders who have to be(come) involved to have a chance at success in speeding up deployment.
The project took six standards as examples to start the discussion, three internet standards by the official definition, DNSSEC, RPKI and bcp38 and three not: OWASP top 10, ISO 27001 and the Safe Software Alliance principles. For ease of writing and reading all are called internet standards within this context.
Many participants agreed on the main cause for the slow uptake: the lack of a business case. If there is no demand, in general there’s no offer. Research showed that there are underlying causes. The report shows that there is a lack of pressure on decision makers; from the sides that matter. As far it was able to ascertain and no one pointing to another conclusion, there is no(t enough) pressure from laws/regulation, media or consumer organisations. As one of the interviewees stated: “No one cares if you deploy and no one cares if you don’t”.
To add, the overwhelming majority of consumers is not willing to pay for security measures, while/because of not understanding the implications of insecurity. The entrepreneurs willing to deploy face a negative business case or operate in a niche market.
Another important conclusion is that it is not (just) technical proficient employees deciding on deployment of the standards. Yet, outreach from the technical community is often aimed at these people. Unfortunately not reaching the level of success needed to make the internet safer, as they do not decide on deployment. This calls for different aims and for a change of narrative. It is the owners, board members, financial officers who need convincing. That may take pressure from other stakeholders to achieve change.
Governments have not taken internet standards into law (ISO 27001 is a voluntary exception), as is the preferred situation of nearly all we’ve spoken to. At the same time most of the efforts of governments (agencies) but also e.g. banks concerning cyber security are aimed at the only stakeholder with limited power where deployment of standards is concerned: the consumer or “user” as the internet industry prefers to call its customers. In other words, there are no carrots and no sticks of any kind, making it far worse than having no business case.
Collective Action Problem
All this results in a collective action problem, where there is no demand and no incentive to change behaviour and deploy the internet standards. Usually it is the government that society looks towards for solutions. In many sectors this is completely normal and accepted behaviour. Health, (air)traffic , agriculture, etc., etc.. A question in need of an answer is, what makes the internet so different, it justifies the absence of governments, while the market cannot solve the enormous security challenges facing it? Perhaps it becomes necessary to look at the problem as a (digital) health issue. What perspectives does that provide to act upon?
This report does not answer these questions. It searched for potential solutions and pressure points in society that can contribute to break up the collective action problem. A few examples are presented below.
The six recommendations are an accumulation of advice provided. Although there is a near consensus among participants that action is needed, there is no consensus on the precise way forward. The first five were tested in the breakout sessions (number 6 came out of the sessions) at the IGF and are seen as sensible.
1. ‘Create a business case for the deployment of internet standards’.
2. ‘To deploy internet standards successfully they need to be incorporated by reference into law or legally binding regulations, including a designated regulator.’
3. ‘To deploy internet standards successfully requires building security by design / default into products and services’.
4. ‘All stakeholders should collaborate on coherent strategies for multilingual awareness raising on internet standards and their effect on internet security’.
5. ‘Internet standards and architecture must become part of education curricula.’
6. ‘Standardisation processes are advised to include a consultation phase with government and industry policy makers, and civil society experts.’
The paradox this report bares, is that a large proportion of the participants see legislation as the only option to force industry into deploying, yet no one wants it. As legislation is seen as the least desirable option this comes with a moral obligation to step up on all others. No legislation can and may not equal non-deployment. Hence the pressure on those having to deploy needs to be created elsewhere. The report mentions 25 options, from parliamentarians addressing the issue to industry, to consumer organisations testing ICT services and products, from regulation to media publications.
Pressure points in society
Where deployment of standards is concerned a government can take on a few roles. Standards could be demanded by them through procurement. Standards could be demanded on the basis of duties to care. A question in need of an answer is what regulators can achieve on the basis of current laws, whether telecommunication, privacy, consumer, etc.. When all else fails the government is the legislator but even then cooperation is of utmost importance.
Mistrust of governments is one of the reasons mentioned why the technical community remains more or less aloof from other stakeholders that could play a role in making deployment happen. It is of the greatest importance that these others understand what internet standards are, why they exist, how they are made and what the importance of deployment is for a more secure internet. To ensure that future measures are the right ones, interaction is key. Hence the reason this report invites IETF en ISOC to participate actively in the next phase and assist in the creation of a change of narrative and the direction of outreach, to prevent legislation where possible. Their role lies in leading the other stakeholders forward and to make plausible deniability of not having heard of internet standards in need of deployment impossible. At the highest levels of industry and society at that. Why? The decision to deploy seldom is a technical decision but a financial one, an investment (without return). This calls for a different approach and narrative.
All this translates into seven actions that you can find in the report. To massively deploy internet standards is and will be a herculean task involving many stakeholders with different and most likely competing interests. Deep down however all stakeholders around the globe have the same interest: not to be hacked, not to have compromised or lost data, not to lose money, etc.. This is a starting point. And, when all is said and done, all will have to pay for security. That goes without saying.
Conclusion: a no-brainer
Ideally this report is not the end but a beginning. To start work on deployment by enacting the recommendations and gather the stakeholders in the action groups. The IGF is a neutral platform where all involved are equal. The first and most difficult steps can be conducted here before the results are taken outside of the IGF to be implemented. All with one aim: to make deployment of security raising standards a no-brainer for all involved.
You can find my report on the IGF website: