Building trust and confidence: implement internet standards

9 December 2016 - A Workshop on Other in Guadalajara, Mexico

Also available in:
Full Session Transcript

>> BART HOGEVEEN:  We're just waiting for the live stream to get up.

Good morning, everybody.  Good morning, welcome to this workshop on trust and confidence implementing Internet standards.  Hopefully in the next 90 minutes, we will manage to discuss some of the key issues and you have all been given a handout, which may give you a sign that we will actually try to get really into the discussion and get your inputs as much as possible.

I will talk about that in a minute.

If we can get the slides up.

As I said, the building trust and confidence:  Implement Internet standards is the title. 

My name is Bart Hogeveen, and I'm with the Clingendael which is maybe a bit of an odd actor here at the IGF.  I'm working as a training and research fellow, which means I'm not an Internet expert.  I'm not a researcher.  I'm merely a trainer and involved in training and capacity building programs which will be the topic of today, which may also explain a little bit of the approach that we take to this workshop.

What we are working on, we have actually only a very international focus.  So we are only dealing with issues that have an international ‑‑ an international dimension.  Creating awareness and mutual understanding and as I have been witnessing over the last couple of days at the IGF which is my first, there is a lot of need for mutual understanding as to what is each other's, between countries and between cultures and I think we are also trying to tackle.

Training and capacity building is the focus of today's workshop, as well as reaching out across the different stakeholders represented here.

What I will do, a little of the outline for this workshop.  I will give a few ‑‑ some words about the background to this workshop.  Why have we proposed this workshop and an introduction to the implementation of Internet standards and why we think this is an important topic and then I will give the floor to Olaf Kolkman who will give a short presentation and then we will break up into three groups and we will ask you for your experiences, especially related to implementation processes.  More details about that will come later and which are also reflected in the handout, which you can find on pages 4 and 5.

Then after the breakout sessions, we would like each group to present their findings and conclusions to the plenary, and that will also be reacted on by the speakers and maybe by representatives from the other groups.  And that in the end should give us quite a nice overview of the key elements that were discussed during this workshop.

We are running this workshop and the topic of this ‑‑ of this workshop under the global forum of cyber expertise.  You will undoubtedly have seen that the initiative being mentioned, before but I would refer to the GSCE magazine.  GSCE is bringing expertise together in relation to cyber capacity building.

With the ultimate aim of ensuring that the Internet will remain open too operable, secure and reliable.  Well, that's a name we are all striving for, right?

And one of the initiatives under the global forum and cyber expertise, the Internet infrastructure initiative, and that's the basis for this workshop.  It builds transparent and resilient Internet infrastructure and it's based on the experience that we have had in the Netherlands related to testing and monitoring compliance with open Internet standards and why are we doing this?  I think the key message here in this workshop is how do we build and how do we maintain trust and confidence in the net, not just by those who are here at the forum, or at the ‑‑ at the core um, but actually everybody who is using the Internet, from private citizens to companies.

So what is the aim of this workshop in the three aims, I would like to work with you to identify good practices in speeding up the implementation of Internet standards.  I would like to see whether we can identify certain areas where there's a need for additional capacity building, and finally, I would like to invite those who are interested, either personally or from your organization or for your country to work together on this initiative if you feel that there's a need or whether you have something to offer.  So it's kind of an open invitation.

So what are the issues related to Internet, to open Internet standards this it's not the lack of standards.  I think that maybe it's an open door for you here, but I think in general, it's good to mention.  It's not the lack of Internet standards at all.  It's mainly the implementation process and hence, our interest to also discuss with you what are good practices and implementation processes, rather than the ‑‑ the ‑‑ let's see the substance of the Internet standards.

What do we see?  We see different implementation approaches in different countries depending on your infrastructure maturity and depending on the societal culture and depending on the development that you have gone through in the past.

We have seen debates about what is ‑‑ which standards have priorities over others.  You need to prioritized and which standards are more essential than the other.  What is the role of the government?  Can the government provide incentives?  Or can they create a kind of norm for others to adhere to?

It also has to do with the maturity of your public/private corporation in your country or in the environment that you are working in.  Has it been ‑‑ been common or for a very long time for the private sector to work together with the public sector or have these been siloed?

And finally, achieving synergy between various global initiatives.  That's one of the questions, what the initiatives already there and.  Who are working already very much on the implementation of open Internet standards so how can we reinforce and multiply those efforts?  I think that's one of the issues that we are trying to tackle.

I mentioned before that it builds on the experience in the Netherlands and in the Netherlands in 2015, the Internet standards platform was established.  Bringing actually together the public sector and the known commercial private sector, the meeting, let's say, once a month, to discuss what's the practice of implementation within the boundaries of, in this case, the Netherlands.  And a practice by what I would call the public and the commercial service providers.  So the airline, is your airline company, when you are booking online is that company complying with the Internet standards which allows you to have trust and confidence in the system?

The platform also establishes a dialogue of reaching out to those companies or business sectors which they feel need to do an extra push in order to comply with the standards.

And there's also the beginning of an international outreach.  We have worked with the government of Poland and to also, let's say, support them in their wish to establish something like this platform.

And finally, this platform, developing a testing tool which I would like to show which is which is available in Dutch, English and Polish, and we would like to hear your comments as well on that, to explain the language range of this platform.

What is this testing tool?  You can find it here.  You can even go now, when you are going to the laptop and test whether ‑‑ you can test three things.  One, is this Internet connection that you are using actually compliant with the modern Internet standards?  Is the website you are trying to work from or work to or whether you want to, let's say, sell somebody from a web shop, you can test whether it's compliant and you can test whether your email is compliant.

And then it will give you a test score.  And complying with what this complying with, at this platform, identified the six most important Internet standards at this very moment.  I will not go into detail with them, bust you see them listed here, IPv6, DNSSEC, TLS, DKIM, SPF and DMARC.  These are the platforms that are most critical to say that you have a secure and trustworthy Internet.

So the mat forms.

Then the approach to that is not to shame and blame.  That's ‑‑ that must be very are obvious, it's not a means to show something as bad.  It's merely to say please explain ‑‑ please apply these standards and if you do not, that could be fine, but then explain why you do not implement these standards.

So the so‑called apply or explain approach has been used for that.  And you can see a hall of fame.  So these are the 100% scores of, as you can now see mainly Dutch websites which gives you a authority as a commercial company to say, well, I have a 100% score and I'm trustworthy as a web shop or a government website.

Now we tested this against the GFC website which is 100 score.  That's not a purpose.  But you also see in the bottom box, the conditions in which it received the 100% score.  It's not very readable the this moment.

We tested the website of my organization, which received a 78% score.  And you may be surprised that we also tested the website of the Internet Governance Forum which reached a 34% score.  So what does that mean?  It does not mean that the website is insecure or not good or vulnerable.  It mainly says that the website or the systems, that they are complying with those six Internet standards and we would be curious to know why is that?  Is this any need for support?  Maybe this platform or our technical experts can apply in getting to a 100% score.

So what's the ultimate aim?  To develop and implement I capacity building program that may increase the awareness and supports the implementation of openings and standards.  So what are we looking for and it will be a program for the next two to three years, is really a capacity building program, in terms of bringing people together and bringing experts to go and trying to raise awareness with those actors who feel they have a need for them.

What is the target audience?  Mainly those stakeholders who have a political agenda setting authority, regulators or policy and norm setting authorities and these can be public sector.  These can be just as much private sector.  Just to give you a few examples which we would be very interested ‑‑ which we are exploring right now.  You have may have heard that gmail has been implementing the DMARC open standards over the summertime which is something which takes quite an effort to implement, and ‑‑ but also must be a business case behind.  That.

Why has a commercial company decided to do that, even whether there might not be immediate results from that.

You I have heard "The Guardian" which moved to HTTPS, and they explained on the website which is very interesting to read, why they did that.  Not because they ‑‑ the newspaper felt, vulnerable, but mainly that their readers might be ‑‑ might be checked or might be ‑‑ that the pages being read might be traced by those who have bad intensions and so that's why they moved to HTTPS, mainly to protect their customers.

And you know "The Guardian" was one of the exposures of the Snowden files.

And one which is relatively new is the Hong Kong Monetary Authority which started a new initiative, the fortification initiative, where they forced all of those parties who were working with them to comply to certain Internet standards, including DNSSEC.

So we have some very practical examples and we would like to know more about that because we cannot imagine that prior to the example in the Netherlands, nor those are the only ones, nor that we can bring this up to a somewhat higher level and come to some good practices which we can actively bring out to the world.

So in order to draw good practices that may be more widely applicable, research the actors and secure the Internet.  That's the aim of that initiative.

Having set that, giving you an idea of where we are hosting this workshop and what we will be expecting from you in a minute, I hand the floor to Olaf ‑‑ Olaf is the chief technology with ISOC, I think very well known over here.  And I have asked him to do a short keynote to the open Internet standards.


If you could change the slide deck and then give me that little thingy here.

So I have been busy in the deployment of open Internet standards for, I think over a decade.  I have always been very interested in how to get the Internet ‑‑ keep the Internet open, scalable and secure, and with scalable and open, the sort of IPv6 comes to mind and with secure, the secure of the DNSSEC and the routing comes to mine.  This is not academic work.  This is just a fuel thoughts and reflections on what are the mechanisms by which these open standards, which are not mandated standards, which are not set by government, and which are in essence ‑‑ and that's the property of the open Internet, voluntary standards.

How does that work?  How do these innovations get into the market?  So when we ‑‑ oh.  This doesn't work.  (Computer beeping).

Do I need to turn around.  Technology.  Technology.

So when you sort of Google for innovation, then you end up very quickly at the standard work by Everett Rogers, "Diffusion of Innovation."  He says that there are five stages of the adoption of innovation, be it an Internet standard, be it a new television set or new detergent for your laundry.

So first knowledge, and so first the person adopting the innovation needs to know about the innovation.  Then they need to pursue ‑‑ persuade themselves that, you know this is actually a good thing.  So they read the manual or they do some research, when you buy a new computer, you will do some research, for example.

They dot decision and then you start using the new innovation and at some point, you get confirmation that this new innovation is a good thing.  It might not be a very conscious decision but this is basically what everybody goes through as they do a new info vague.  So knowledge.  Knowledge spreads to various ways and the decision making that comes with knowledge, once you have the knowledge, is also a little bit based on your environment.

You can have, let me see, notes, you can have authoritative ‑‑ authority‑based innovation decisions where somebody central says you will have to do this.  That's the ITU model, I would say.

The collective innovation decision is when a society collectively says this is a good thing, and they basically pick up an innovation.  And then the optional decision model is when individuals within the society or within the group in the societies ‑‑ the societal structure need to make the decisions for the innovation themselves.

And I believe that is the case for the internet.  If these enterprises deploy, IPv6, they make that decision on their own if ‑‑ if they deploy IPv6, they make that decision on their own.  They do not do that collectively.

So what does an individual go through when they try to make the decision?  They look at the innovation and they say, does this innovation have a relative advantage?  Am I better off after I implement the innovation than I was before?

In implementing this innovation, is it complex or simple, or is it simple?  Do I need to do something different with my washing detergent or do I have to, you know, stay home a little longer or something?

Is it compatible with what I do before?  If I buy a new television, I really would like to see it sit in the cupboard that my old television sits in, otherwise it's not compatible with my environment.

Can I try it?  Can I actually try the innovation?  That's why people go to the Mac store and press the keys, to see if the shift bar, and try‑ability is important.

Can I actually see that the innovation has happened?  Can I actually tell?  Can other people see that I took up the innovation?  Is my laundry more clean or can I ‑‑ or does it smell better?

Now, the relative advantage in the Internet depends a lot on the network effects.  This is Metcalfy's law for those who ‑‑ it's the formula, that describes the value of a network with respect to its size.

And in a lot of innovations on the Internet, that's exactly what happens.  This is why we all join Facebook, because that's where the value is.  There are many people who use the same social network.  Going to another social network doesn't really help you because your friends are not there.

If you look at the deployment of new standards, like IPv6 and like the second zone, it's not always aware that the network effect is there.  It's not there.  It is there are for IPv4.  So this is something that's all in the way when you talk about these Internet standards.

Now talking about Internet standards, the network effect is sort of easy at the top with the applications I gave the Facebook example, and the network and the other effects of observability and try‑ability and relative advantage are obvious on the network layer.  So the Internet is a network of network where network operators make the decisions about implementing the standards by which they shift packets all over the networks.  And if they implement a cheaper router infrastructure, they have an immediate benefit.  That's how it works.

The application level, the innovations are made essentially by the buyers of that infrastructure, and, you know, innovation is a driver as well, but that interconnection layer, that is where things become very difficult.  The shift from IP to IPv6 is a perfect example because both applications and the networks need to apply that.

It makes it all very difficult, and ‑‑ oh.  Going one too fast, I believe.

I believe that type of problem is ‑‑ is important with the transition to the IPv6 to the DNSSEC, and routing security.  So then the question is.  What can you do to ‑‑ to ‑‑ to do this?  And for all of these technologies there,'s no immediate relative advantage.  You have to make an investment in deploying IPv6.  It doesn't bring you more customers, for instance.

It's actually pretty complex.

The compatible for IPv6 is ‑‑ is troublesome for DNSSEC, it's an add on, but still, the complexity is fairly high.  And then the try‑ability might be hard.  If you turn on the DNSSEC, you may not immediately see that it actually works.

The Internet is a nice site to do a viability.  People can deploy this in their test network or the test setup and they can ‑‑ try if their innovation actually worked and that talks to the observability.  And, again with the ‑‑ the technologies that we deploy at the core of the Internet, that's plumbing.  Most people don't see plumbing.

If we change our ‑‑ our plumbing in our house, nobody will see that.  If you change your kitchen or your bathroom, everybody will walk into your room if awe and say, oh, yes, this is a very nice bathroom, but they won't say that about your lead plumbing.

So what is the ‑‑ what's the magic?  What are the dials that we can turn to raise that ‑‑ that little pointer there on the deployment panel?  If this magic box would access, I would buy it.

So I think there are two things that we can do.  As a group, if we can convince, as a group or for the group that needs to deploy the innovation, that there's a credible network effect, we might win.

We would have to identify the attractors what makes this attractive?  What is the reason to do this?  Sharing a sense of direction and vision, saying collectively this is where we go actually helps with people getting along, because they know that if they bet on this thing, they ‑‑ they might actually come in together and reducing costs obviously is something that ‑‑ that ‑‑ that helps as well.

For the individuals that have to make the choice of the adoption, reducing complexity of the technology, so bringing good tools, increase the relative advantage, if you can do that, and maintain compatibility, very important.  So make sure it works with previous tools.  This is a problem, people.

If we deploy IPv6 in our networks it doesn't necessarily interoperate with our security environment, for instance.  Enable try‑ability and make the thing observability.

So these are just a few tools that you can do for the group, you know, regulations, subsidy, market creation, that all speaks to this ‑‑ to this in the future.

Standardization is also something that there's a buy‑in, around this.  This is the thing that we are going to do.  The availability in products and make sure that it's there.

And I think that reducing costs by offering open source actually helps.  In two ways, it's not only lowering costs for the people who buy the products but it's lowering the costs for other people who want to innovate and bring that technology.

So for developers that build libraries that can be used by areas is an example of that.

For the individual, reduced complexity, those things, again, good tools, reduce the cost and make sure that documentation is available and that's sharing best practices of testing sites and make sure there's a relative advantage given the add, try to do that as minimum steps so that things remain simple.

So these are a few faults the mechanisms that we can use to ‑‑ to get awareness tools and ‑‑ and have some approaches to get better ‑‑ better deployment of these type standards.  So I hope with this we have a little bit of a ‑‑ of a feel of the issues without going to the technical details around these standards, but they all suffer in some way or another around these issues of observability, try‑ability and complexity and simplicity.

With, that I will now hand back to you.

>> BARTS HOGEVEEN: Thanks, Olaf, for providing a framework to think about implementation of standards like these.  So now that we have introduced the aim of the workshop, the ‑‑ the inspiring ground for where this workshop came from, this platform, and this testing tool and the framework that Olaf provided.  So what do we want to do next?

Three breakout sessions.  We have nicely split this room in three segments.  So what I would like to do is in a minute, for each of to you actually come down more or less, for a group here, a group over here and a group over there, which will be facilitated by Olaf and two colleagues, Paul Wilson, and director of APNIC, and Bastiaan Goslings with the Amsterdam Internet exchange.  They will help you through the process.

What are we trying to ‑‑ what are we asking you?  First, what's the problem?  The problem is we have a set of modern Internet standards, for scalable and secure users of Internet.  We talked about that.  It's also written on the earlier handouts and the main question that we have is how do we provide the right preconditions and consensus for organizations, companies and others to implement these standards.  Our key question is about how do we get, people organizations to implementation?

And for that, we have identified five questions which we will post for you.  One is what are and where are good practices and implementation of these standards, according to your experience or your thinking or your point of view?

What can be good preconditions for implementation, I think Olaf came from a more theoretical framework where they provided some ideas for that.  Whether the good preconditions for effective implementation, in which geographical areas is there a need to do more investments in either awareness raising or capacity building?  Or with which stakeholders should we invest more in terms of awareness raising and capacity building skills?

And finally, what other initiatives that you are aware of, that may have similarities, and can contribute to the overall development of our initiative that we can reach out for and find support for.

So these are the five questions.

Are there any questions at this stage?  Is it clear what we want to do?  Yeah?

So may I ask everybody who is on the ‑‑ for you on the left side of this line, to move to that area, yeah?

For everybody sitting over here to move over here, Paul will facilitate this one.

Olaf, can you go to the right side?  And the others can they come to this part, and Bastiaan, can you help them here?

We take 25 minutes to help answer these five questions.  Then afterwards, I would like to have one from the group present the findings.  Very shortly and very briefly and I will take note of that.

(Group discussion).

>> BARTS HOGEVEEN: All right.  Shall we finish the group discussion.  Thank you so much for your efforts.  What I would like to ‑‑ what I would like to do is invite the three reps or probably the three facilitators to ‑‑ to run through the discussions that have taken place and see what kind of lessons or ideas we can get from that.

In the meantime, I will take down the notes on the sheets based on the five questions that serve as a little bit of a guidance.  Who would like to start?

Paul?  Sure.

>> PAUL WILSON: Should I stand up here?  I have a few notes.  Thanks.  Thanks very much.  My name is Paul.  I was assisting the group on the left ‑‑ the stage left here.  I started taking notes when we started answering the questions themselves, but we had an interesting discussion at the start about really high level of diversity in the group, in terms of people's sort of involvement in standards.  I initially asked who was involved in implementing standards, I don't know if everyone was too shy but no one volunteered that they were.

I think at least half the people of the group were involved and directly involved in standard implications in their different places in interest net, in the PIR registry, and in the Dutch government.  Yeah, it was an interesting kickoff, just talking about what people's involvements were.

I'm just trying to find my note here.  The good practices in implementing open standards, I guess we were talking mostly about incentives.  There was ‑‑ I think there seemed to be a common view that a stick approach or a regulatory requirement approach was not going to be very useful, particularly in ‑‑ depending on the culture or the circumstance, but ‑‑ but governments regulating and forcing companies or trying to force companies, for instance, or communities to ‑‑ to implement, to take what could be costly measures.  That's likely to be fought and/or resented to the people subject to those requirements and there was a strong sense that a multistakeholder approach was the thing to do, so that the people who were being subject to the potential for regulation would ‑‑ would actually be involved in the beginning and the idea would be to ensure that ‑‑ or to avoid regulating completely.

A bit of talk of certification, that in the building and the food industries, people use badges to say I have been certified or inspected and that could be useful.  There's a question there about how much ‑‑ to what extent users would actually be aware of the meaning of certification and things like this, this rather opaque technical standards and there was a need for understanding of that, but also in another part of the discussion, the idea that users may not be very familiar with these particular sort of invisible standards but they are getting quite used to the idea of standards in a lot of devices and appliances that they use.  So the users are aware of vendor lock in on different operating systems on their computers and becoming aware of the fact that you can't shift from one to the other unless there's some sense ‑‑ unless you are complying with some particular standards.  They might not know it as standards but know it as a case of standards compliance.

There's still a sense of user consumer awareness.

My computer has just gone black for some reason.  Okay.

Yeah, IOT, the so called Internet of Things was also mentioned as a good ‑‑ as a likely case where ‑‑ where badges to say that you are the ‑‑ the devices that you are buying to connect to the Internet actually have been certified as safe for connection and that ‑‑ someone said that that could also give the user a base for decisions on how they use a device, whether they rely on it heavily or if they will connect it or just use it in their own home network, for instance.

Okay.  We spoke about the risks of ‑‑ well, the standard cases of market failure because of a lack of incentives for the ‑‑ the consumers in the mark, the critical mass was needed and the way to get that critical pass is often through government action, but that's where, again, the multistakeholder process to avoid sort of government top down government enforcement would be necessary.

There's also ‑‑ I mentioned that in these multistakeholder approaches, they can be formalized to the extent that you are able to send process if you are certified to some extent that there is actually a high incentive for companies to avoid fights down the track by getting involved with these discussions as they are going on, but they might also be a tick for entry which could actually sort of precondition some level of, I guess it was about implementation of a certain level of implementation before, before being admitted into those discussions.

Geographical areas, we spoke about ‑‑ the ones we spoke about were political situations of Internet shutdowns and a question about whether standards ‑‑ and we didn't have an answer, but whether standards can help to avoid or to circumvent shutdowns and that's definitely a geographic or geopolitical issue and other big thing is in developing economies that ‑‑ that a ‑‑ a number of things that migration is ‑‑ is costly.  So the idea that greenfield deployments of a new standard can be much easier than to take an existing infrastructure and have to upgrade it.

So, for instance, you know, the ability that we saw more recently for, different, GSM, to be installed in greenfield environments than worrying about migration from earlier technology.  And so that's actually ‑‑ that can be an advantage in developing environments because they done ‑‑ they may not be the ‑‑ the existing infrastructure and there may be the ability to leap frog the intermediate points but then, again, there's also the question in developing areas these day, not so much of second hand, reliance on second hand equipment being imported but often if that's not the case, it can still often be inferior goods which are being ‑‑ which are being sold at more affordable prices in order to, I guess, dump them more or less, and the likelihood of standards compliance could be quite a bit less in those cases.

And so which stakeholder groups?  We spoke about manufacturing infrastructure providers, government infrastructure developers, may be unaware of the full extent of sort of compliance that would be necessary or how to express that in tendering or how to ‑‑ how to judge arrangements like long‑term support arrangements for infrastructure that's being deployed, all of their ‑‑ there are quite a few factors if contracting that might need to be ‑‑ might need to be taken into account.  We did agree that consumers must be the benefit ‑‑ the beneficiaries, ultimately, of what ‑‑ of what we're talking about, but ‑‑ and the awareness raising is important.  And as we said, yeah, there's a ‑‑ a general gaining of sophistication in markets in consumers about device compatibility in this sort of issue and that can be sort of expressed as ‑‑ in terms of standards compliance in an educational sense, I guess.

Now, I think that's all.  That's all I took.  So if ‑‑ was there anyone else in the ‑‑ was there anyone in the group who had anything else to add to that?


Okay.  I'm sure I missed ‑‑ I'm sure I missed a lot.

>> BARTS HOGEVEEN: Thanks a lot for at least giving, I think, a very comprehensive overview of your discussions.  I'm sure there was much more detail to it.

>> PAUL WILSON: It seems I did all right.  Okay.  Thanks.

>> BARTS HOGEVEEN: Thanks so much.  Olaf, can I give the floor to you for the left‑hand side?

>> OLAF KOLKMAN: Yes, we were that side, left‑hand side, or right‑hand side depending on how you look.

>> BARTS HOGEVEEN: Maybe you can go over the items that are different from what were mentioned.

>> OLAF KOLKMAN: We didn't organize.  We started with one question and then we went free forum and meandered around the issues.

I think a few of the things that I took away would ‑‑ which would fall in the precondition for effective implementation, is that the maturity of the implementation is important.  Open source alone is not a ‑‑ a panacea for getting deployment.  The quality of those products and the documentation of open source or free products is ‑‑ is important.  And while I'm saying that, one of the things where I ‑‑ and we didn't discuss this, but one of the things that I like specifically as an example here is a script which is a technology that's incredibly easy to use.  It gives away free certificates and it has given rise to an enormous amount of HTTP sites where there were previously no encryption.  It's a specific initiative that I think about now.

We talked a lot about what are the drivers, also a sort of preconditions for effective implementations and we came to the conclusion that for the very early adopters, the bragging rights are important.  So for the technologists that do OS implementations, like early vista and the people who did the early network implementations ‑‑

>> BARTS HOGEVEEN: What are bragging rights?

>> OLAF KOLKMAN: The thump your chest I did it, nah, nah, nah.

And those bragging rights go with local leaders.  If you are a local leader in your community, it gives you a little bit of stature.

But in order to get volume, you need more.  I think that was one of the things that I learned most is there are two ways that we see things play out.  The high level people that say let's mandate this, so our state mandate and then things get implemented at lower levels.  Usually they don't work out very well.  Sometimes thing at the low level, the people who actually have to do the work and they take bottom up sort of initiative.  They sort things out.  That works but it's the middle management layer that usually doesn't get the ‑‑ doesn't have the buy‑in or the understanding or something to make a long‑term commitment to an implementation that actually works.

So what you see in the cases of the mandates in the US, is that people implemented it and forgot about it, and didn't really have the understanding of what they were doing.  So there seems to be a need for a class of different documentation material, not targeted to the CIOs and the CTOs.  Not targeted towards the people who have to do the actual hands on work, not the technical type of documentation, but sort of middle management documentation, that is fair about costs that talks about what WSIS are, and the costs of such implementation.

I think that was more or less everything that we ‑‑ is there something that I missed?  I'm looking a little bit around at the people who were in the session.

You were not in our session, David.

>> AUDIENCE MEMBER: No, I know.  There's a question.  There's an online question from Mr. Fernandez, he's from Mexico and the question is for Olaf.  So that's why I'm asking it right now.  Is ‑‑ what do you foresee ‑‑ do you foresee a role for the government in the implementation of Internet standards?  What sort of a role?

>> OLAF KOLKMAN: So this is something that we didn't really discuss in our setting.  I think leading by example is important.  But I think also what came out of our session is if you lead by example, you still need the sort of management layers and government to understand what is important.  You have to have the ‑‑ say, the C. IO of a municipality understand why implementing these standards is important.  So leading by example and setting those practices is what I think I took away.

>> BARTS HOGEVEEN: Great.  Thank you.

>> OLAF KOLKMAN: There's one more aspect and it was an economic aspect.  With some of these standards, once you get beyond the bragging rights, it's sometimes economic for others and then that credible large end future comes into play and an example for that the belief believe that IOT‑connected devices, millions of them will need to be addressed and that's where IPv6 has an incredible arcing.

Olivia, you had something to add?

>> AUDIENCE MEMBER: Thank you.  Just one thing, you have written middle class implementers.  I think it might be middle management implementers because middle class is a sort of totally different term.  Was that what you meant Olaf?

>> OLAF KOLKMAN: Yeah, yeah.

>> AUDIENCE MEMBER: Middle management, and not the middle class.

>> OLAF KOLKMAN: The class of middle management.

>> BARTS HOGEVEEN: Thank you so much for that correction.  Last but not least, Bastiaan, would you like to share the thinking of your group, and especially what's different from what has already been mentioned, given that we have about five minutes left.

>> BASTIAAN GOSLINGS: Yeah, hi.  Thank you.  Maybe to follow up on the online question, that was indeed, something that was quite extensively discussed by my group, a group that unfortunately was not as regionally balanced as I hoped for.  We had one lady from Mexico.  I'm grateful for that.  A government official from the UK and the rest were all from Holland.

But nonetheless, I think we were all very much convinced the challenges and the problems that out there.  Even, you know, it's probably because of the market failure that these items are implemented.  When it comes to the question, this didn't suggest a reason for governments, because the market to enforce as regulators, no, I don't think we are as far as that now.  It's still very much a focus of open standards compliances, a voluntary use of them, but there's something that needs to be taken into consideration to implement them.  There are a couple of examples that demonstrate that it's very much feasible to get things done cooperatively.  On the one hand we talked about antidotes, setting up a cooperating scrubbing center, but I think simultaneously you can establish the fact that that was because of commercial reasons, right, if you are ‑‑ well, under attack and your service is not available then you think maybe it is good to subscribe to a service and a subscribing center, which was interesting as what the SDN gave us an example, getting DNSSEC sign.  They gave the regular stars a discount, right, if they got the name signed, then they would receive a discount, so that can help.

And that's the day registry is in a position to do that and also a nonprofit organization.

I think with regard ‑‑ there are a couple of topics that we already discussed and I won't go into them now, with regard to what the GFC could do.  GFCE.  Yes.  We agree that you can be involved and create a sense of more urgency.  We need ‑‑ the ones that need to implement the standards are not here in the discussion.  That's also something that we just talked about, so the ISPs and others, the stakeholders are not here.  Maybe that's something that the GFCE could be involved to get them involved.

Something else that the GFCE could do, is focus on the more and better statistics and proof of exploited.  We have Internet analysis as an example, but there's a lot more stuff that's coming in, to actually demonstrate that this is a significant cost for society, if these standards are not implemented.  Maybe a bit of naming and shaming when appropriate, based on facts and the statistics I just mentioned, and obviously in terms of education and sharing knowledge, I think this became clear from the Mexican example that three see the sense but there's a lot of knowledge on the technical side that's lacking and so there could be a role for the GFCE in terms of capacity building.

>> BARTS HOGEVEEN: Great.  Thanks so much.  Thank all of you for pointing to this last and maybe for the important questions what kind of activities can these initiatives employ to enhance the implementation standards.  Thank you very much for the contributions and the three facilitators to supervise this.

We were talking about the costs and the benefits and I was witnessing a conversation not too long ago between the two main Internet service providers in the Netherlands, KPN and CIGO where KPN, says I want to be 100% because then that's also how you have a marked advantage so I can show to my customers that I'm complying.  I'm paraphrasing what has been said, uphill competition in the sense that in the first round of compliance and they also give you a market advantage.

Thank you so much for the contributions.  I think I owe you a little bit of ‑‑ how do you say, that a presentation of what are we going to do with these ‑‑ with these outposts.  If you can switch to the PowerPoint, what we will do, is that the outcomes of this session, among some other research and consultations we have will be set into a project document, which will be let's say, in terms of capacity building and I gave you some good anchor points to focus on that.

If you are interested, and I hope you are, please follow the progress that is being made, which can ‑‑ which can be found on the website, and maybe the most important question in let's say open invitation that I would like to give to you of those would are interested either here or online if you are interested to join this initiative, either as a ‑‑ somebody who can provide certain expertise or certain good practice or that you want to either in your country or within your organizations to increase the implementation of these standards, you can reach out to us and bring the expertise to you.

If there's any other feedback, we would also be very curious to learn from that.

So I think we are wrapping up.  Thank you so much for your contributions and hope to ‑‑ no, I forgot one thing.  Because we have a very specific group in the ‑‑ in the back of the room, and I would be very curious to hear maybe one or two sentences of what you are doing and what you took away from the session.

>> AUDIENCE MEMBER: We are not stopping each other.  Actually, I'm the teacher and four of the students from Hong Kong to join this IGF and want to learn more and want to learn more about the world.  And about the topic, it is mainly for the adult world, but we also have some ideas about that, that know whether it's correct or not.  The first one when we talk about the good practices and of course first is the school or some community centers, but, of course, they are young.  So they should be under surveillance and the second one about effective or something like that.  Of course in the Internet, should we have the software to make sure that they can go to some good websites.  Of course, all the contempt should be taught at school.

And number three is talking about, of course, we done want to have discrimination because it's talking about geographical cares.  So that ‑‑ but, of course, we believe that last developed the country should have more concern about.  And the next one is about the stakeholders.  We believe throughout these days we have an idea, we have to care about the woman, kid or ethnic minorities.  Last but not least, about the initiative and consideration as they are kids, they should have some computer workshop or make it bigger, we should put it into our school curriculum to implement and make them to have more understanding on these topics.  Thank you.

>> BARTS HOGEVEEN: Thank you so much for that and thank you so much for being here and sharing your thoughts.

I think that really puts a dot behind this workshop and thank you so much.


(End of session 12:20 p.m. Central Time).