Mutually Agreed Norms for Routing Security (MANRS) Strengthening the Internet

Working with APRICOT to Improve Routing Security

We’re pleased to announce that the Internet Society and the Asia Pacific Network Operators Group Ltd (APNOG) signed a Memorandum of Understanding (MoU) to cooperate in supporting the MANRS initiative in the Asia-Pacific region.

APNOG is the non-profit entity that runs the annual APRICOT conference, also called the Asia-Pacific Regional Internet Conference on Operational Technologies. APRICOT is the largest meeting of the technical community in the region.

The agreement will see the two undertake initiatives and activities to promote the security of the Internet’s global routing system and Mutually Agreed Norms for Routing Security (MANRS). MANRS is a global initiative, supported by the Internet Society, that provides crucial fixes to reduce the most common routing threats.

We agree to tackle routing-related cybersecurity incidents such as route hijacking, route leaks, IP address spoofing, and other harmful activities that can lead to DDoS attacks, traffic inspection, lost revenue, reputational damage, and more.

APRICOT draws many of the world’s best Internet engineers, operators, researchers, service providers, and policy enthusiasts from around the world to share the technical knowledge needed to run and expand the Internet securely. The partnership will allow MANRS to better leverage the platform to promote routing security to conference participants, including Internet Service Providers (ISPs) and Internet Exchange Points (IXPs).

Specific activities include hosting events on routing security at the annual APRICOT Summit and/or online; promoting MANRS participation to APRICOT attendees; helping develop the MANRS community in the region; and working together on the MANRS Observatory, which shows a network’s level of MANRS readiness and serves as an indication of the general state of routing security.

We have also agreed to continue to sponsor APRICOT’s Fellowship Program, providing financial support for individuals from developing economies to attend the event, and to contribute to discussions about Internet operations, technologies, and development.

The agreement builds on the long-running partnership between APRICOT organizers (previously the Asia Pacific Internet Association (APIA), now APNOG) and the Internet Society. The Internet Society has contributed to it over the years not only through sponsorship, training, and community building, but also through multiple high-profile appearances in various sessions, including the keynote speech in 2019 by Internet Society President and CEO Andrew Sullivan.

“We believe Internet routing security issues can be resolved through collective action and a shared sense of responsibility. We look forward to welcoming more MANRS members from the Asia-Pacific region, and working together with APNOG to improve routing security both regionally and globally,” said Rajnesh Singh, Regional Vice-President, Asia-Pacific for the Internet Society.

“We run APRICOT to cultivate the skills and understanding needed to develop a robust Internet infrastructure across the Asia-Pacific region – a goal also strongly supported by the MANRS community and the Internet Society. The partnership will let us work more closely together, and I look forward to MANRS playing an increasingly important role among key Internet builders in the region,” said Philip Smith, Director of APNOG.

Learn more about MANRS and APRICOT.

Building Trust Privacy Security

Announcing the 2020 U.S. Presidential Campaign Audit

Today, the Internet Society’s Online Trust Alliance released a new report, the “2020 U.S. Presidential Campaign Audit,” analyzing the 23 top current presidential campaigns and their commitment to email/domain protection, website security, and responsible privacy practices. OTA evaluated the campaigns using the same methodology we used to assess nearly 1,200 organizations in the main Online Trust Audit released in April.

An alarming 70% of the campaign websites reviewed in the audit failed to meet OTA’s privacy and security standards, potentially exposing visitors to unnecessary risks. Only seven (30%) of the analyzed campaigns made the Honor Roll, a designation recognizing campaigns that displayed a commitment to using best practices to safeguard visitor information. The 2020 campaigns, taken together as a sector, lagged behind the Honor Roll average of all other sectors (70%) in the 2018 Online Trust Audit, and were far short of the Honor Roll achievement of 91% by U.S. federal government organizations.

To qualify for the Honor Roll, campaigns must have an overall score of 80% or higher, with no failure in any of the three categories examined. The campaigns who made the Honor Roll are:

  • Pete Buttigieg
  • Kamala Harris
  • Amy Klobuchar
  • Beto O’Rourke
  • Bernie Sanders
  • Donald Trump
  • Marianne Williamson

Website security scores are high. This can be attributed to the relative “newness” of these campaign sites and the fact that they were built recently on secured platforms. The lack of email authentication for two of the campaigns is a surprise, since these are long-established best practices and modern infrastructure should support SPF, DKIM, and DMARC.

Privacy is a major problem for campaigns, causing failure for 70% of them. There were a variety of reasons for failure, including:

  • Lack of Privacy Statement – Four campaigns had no discoverable privacy statement. This yields a statement score of 0 and is an automatic failure. This may be an oversight, but is inexcusable since every campaign website is collecting data. Fortunately, it can be remedied quickly by adding a privacy statement.
  • Inadequate Statement – Many campaign privacy statements were silent on the issue of data sharing, retention, etc. so they did not give clear notice and transparency about their practices. Such disclosures are generally accepted best practice.
  • Freely Sharing Data – Several privacy statements said they could share data with “like-minded entities” or unidentified third parties, effectively putting no limits on the use of personal data.

We encourage all campaigns to remain vigilant regarding security, and to revisit their privacy statements. Disclosing that data may be shared with “like-minded” organizations may be a common practice for campaigns, but is still concerning in light of the depth of demographic and financial information being collected. Since even campaigns who made the Honor Roll had poor privacy scores, OTA calls on all campaigns to consider updating their statement and practices to better reflect consumer concerns pertaining to the collection, use, retention, and sharing of their personal information.

We reached out to each campaign the week of 30 September, prompting some campaigns to make updates, which we re-evaluated on 7 October. We are committed to helping campaigns improve their efforts to keep both people and information safe online by providing tailored best practice recommendations upon request. We will reassess active presidential campaigns in mid-November and provide a short supplement to this report, highlighting any improvements.

We encourage you to read the report, and to make sure your organization (of any kind) is following the best practices outlined in Appendix C – Best Practices Checklist.

Building Trust Encryption Improving Technical Security Internet of Things (IoT) Mutually Agreed Norms for Routing Security (MANRS) Privacy Security

Celebrating National Cybersecurity Awareness Month

Every October, we mark National Cybersecurity Awareness Month. From the U.S. Department of Homeland Security website, “Held every October, National Cybersecurity Awareness Month (NCSAM) is a collaborative effort between government and industry to raise awareness about the importance of cybersecurity and to ensure that all Americans have the resources they need to be safer and more secure online.”

We believe in an Internet that is open, globally connected, secure, and trustworthy. Our work includes improving the security posture of producers of Internet of Things (IoT) devices, ensuring encryption is available for everyone and is deployed as the default, working on time security, routing security through the MANRS initiative, and fostering collaborative security.

The Online Trust Alliance’s IoT Trust Framework identifies the core requirements manufacturers, service providers, distributors/purchasers, and policymakers need to understand, assess, and embrace for effective security and privacy as part of the Internet of Things. Also check out our Get IoT Smart pages for more consumer-friendly advice on IoT devices.

Much of OTA’s work culminates in the Online Trust Audit & Honor Roll, which recognizes excellence in online consumer protection, data security, and responsible privacy practices. Since that report’s release in April 2019, we’ve done a couple of “deep dives” into specific sectors, including Healthcare and Banks, with more sectors on the way. We’ve also done a deep dive specifically into privacy statements, finding that most organizations do not comply with existing global privacy regulations and are not ready for additional regulations going into effect in 2020.

In addition, our Cyber Incident & Breach Trends Report analyzes events to extract key learnings and provide guidance to help organizations of all sizes raise the bar on trust through enhanced data protection and increased defense against evolving threats.

Check out our Best Practices to learn more, and make October the month you work to improve your organization’s overall cybersecurity stance!

Building Trust

Online Trust Audit Updates & Translations Now Available

A slightly updated version of the Online Trust Audit & Honor Roll is now available in English, French, and Spanish.

Changes include:

  • Accidentally marked Google Play as top scorer in Appendix C (instead of Google News)
  • Missing bar in graph on page 5
  • Several minor spacing, grammar, and miscellaneous edits

The Online Trust Audit & Honor Roll assesses nearly 1,200 organizations, recognizing excellence in online consumer protection, data security, and responsible privacy practices. This Audit of more than 1,200 predominantly consumer-facing websites is the largest undertaken by OTA, and was expanded this year to include payment services, video streaming, sports sites, and healthcare.

This is the first time in the Audit’s 10-year history that we’ve translated it, and we’re proud to bring it to a wider audience. Going forward, we will work toward adding more global sectors and regions into the report findings.

The Trust Audit Planning Committee, open to Internet Society organization members, has already had its first meeting to discuss the methodology for next year’s Audit. A public call for comment on the draft methodology will come later this year, so watch this blog or follow us on Twitter or Facebook to keep up with our work.

Events Internet of Things (IoT)

Talking Internet of Things in Canada at IoT613 This Week

This week, 8-9 May, we’ll be at IoT613 in Ottawa, Canada, talking about our work on “Trust by Design” – the idea that privacy and security should be built into Internet-connected products, and not just an afterthought. We have been working with manufacturers to embrace the Online Trust Alliance’s IoT Trust Framework, which identifies the core requirements manufacturers, service providers, distributors/purchasers and policymakers need to understand, assess and embrace for effective IoT security and privacy. We also work to encourage consumers to demand security and privacy and to help policymakers create a policy environment that strengthens trust and enables innovation.

This week in Ottawa, we’ll have an Internet Society booth at the event both days, and on 9 May, Mark Buell, North American Bureau Director, will be part of an “IoT in Canada” panel that will “explore current IoT trends in Canada, identify the benefits of IoT for businesses and citizens and find out how Canada’s IoT ecosystem stacks up compared to the rest of the world.” Mark will speak about the Canadian Multistakeholder Process: Enhancing IoT Security, an Internet Society-led initiative to develop a broad-reaching policy to govern the security of the IoT for Canada. 

From its website, IoT613 “fosters a culture of knowledge, sharing, and growth within the local and global IoT community. Through our varied programs, we provide a platform for technology, business, and policy professionals to learn, connect, and interact for the advancement of technology and economic development in the National Capital Region.”

Join us in Ottawa, come chat with us about IoT, privacy, and security, and read more about our work on the Internet of Things.

Building Trust Privacy Security

10 Years of Auditing Online Trust – What’s Changed?

Last week we released the 10th Online Trust Audit & Honor Roll, which is a comprehensive evaluation of an organization’s consumer protection, data security, and privacy practices. If you want to learn more about this year’s results, please join us for our webinar on Wednesday, 24 April, at 1PM EDT / 5PM UTC. Today, though, we thought it would be interesting to see how the Audit and results have evolved over time. Here are some quick highlights over the years:

  • 2005 – The Online Trust Alliance issued “scorecards” tracking adoption of email authentication (SPF) in Fortune 500 companies.
  • 2008 – Added DKIM tracking to the scorecards, and extended the sectors to include the US federal government, banks, and Internet retailers.
  • 2009 – Shifted from scorecard to “Audit” because criteria were expanded to include Extended Validation (EV) certificates and elements of site security (e.g., website malware).
  • 2010 – Introduced the Honor Roll concept, highlighting organizations following best practices. Only 8% made the Honor Roll.
  • 2012 – Expanded criteria to include DMARC, Qualys SSL Labs website assessment, and scoring of privacy statements and trackers. Shifted overall sector focus to consumer-facing organizations, so dropped the Fortune 500 and added a “Social” sector (now called Consumer). 30% overall made the Honor Roll. Now a comprehensive audit, 2012 has served as the baseline year for Honor Roll achievement – there are 28 organizations that have earned Honor Roll status all seven years.
  • 2014 – Added News/Media sector and included US federal government as part of the Honor Roll (vs. just as an overall sector). 30% overall made the Honor Roll.
  • 2017 – Added ISPs, hosters, and email services sector. 52% overall made the Honor Roll.
  • 2018 – Added healthcare sector. 70% overall made the Honor Roll.

Since 2012 the overall assessment categories have not changed, but the breadth and depth of criteria have been expanded to give a more holistic view of organizations’ adherence to best practices. Criteria and their weighting are re-evaluated each year to make sure they reflect the latest best practices and protection against common threats.

Even though the bar is raised each year, Honor Roll achievement has grown steadily, from 30% in 2012 to 70% in the most recent Audit. While this is solid progress, we can’t forget that these organizations are the top in their sector (by assets, revenue, users or traffic), and therefore don’t necessarily reflect the status of the entire sector.

Our Audit criteria are meant to be practical and implementable by organizations of all sizes, so we encourage all organizations to examine the best practices summarized in Appendix E of the Audit and assess themselves. We look forward to another decade of progress in ensuring a more trustworthy and secure Internet.

Join the webinar on this year’s Audit!

Building Trust

Announcing the Online Trust Audit & Honor Roll Results

Do you know how – or even if – your favorite retailer, or your bank, or your ISP is working to protect you? The Online Trust Alliance recognizes excellence in consumer protection, data security and responsible privacy practices. Today, we released the 10th annual Online Trust Audit & Honor Roll, covering more than 1,200 predominantly consumer-facing websites, and found that 70% of the websites we analyzed qualified for the Honor Roll. That’s the highest proportion ever, driven primarily by improvements in email authentication and session encryption.


Overall, we found a strong move toward encryption, with 93% of sites encrypting all web sessions. Email authentication is also at record highs; 76% use both SPF and DKIM (which prevent spoofed/forged emails) and 50% have a DMARC record (which provides instruction on how to handle messages that fail authentication).

It’s not all good news, though. We also found that only 11% of organizations use mechanisms for vulnerability reporting, which allows users to report bugs and security problems. Only 6% use Certificate Authority Authorization, which limits certificate abuse. And overall privacy scores dropped compared to last year, primarily due to more stringent scoring in light of the E.U.’s General Data Protection Regulation and the California Consumer Privacy Act. In addition, 15% of organizations had at least one data loss or cyber breach incident.

The U.S. Federal government sector surged to the front with 91% of sites placing on the honor roll, a dramatic turnaround from 2017 when they had bottomed out at 39%. Consumer services (including social media, payment services, video streaming, file sharing, and dating) finished second this year at 85%. News & Media and then Banks came in at 78% and 73%, respectively. Internet Retailers came in at 65%, barely edging out ISPs, carriers, hosters and email providers at 63%. Healthcare, a new sector this year, had the lowest overall honor roll placement at 57%.

Top Scorers

The Top 50 (Appendix C) shine bright with the best overall scores across all 1,200 sites we analyzed. They are:

  • Top Overall: Google Play
  • Top Bank: First National Bank of Omaha
  • Top Consumer: Paypal
  • Top Healthcare: 23andMe
  • Top ISP/Host: Google Cloud Platform
  • Top News: Google News
  • Top Retailer: Google Play
  • Top U.S. Federal: Federal Emergency Management Agency (FEMA)

Audit Resources

Too many numbers in here? We have some resources to help distill down the highlights, including:


We’re hosting a webinar to discuss the Audit results on 24 April, from 1PM-2PM EDT (17:00 UTC) for the ISOC community webinar. See for more information.

Improve Your Security & Privacy

How would your organization do in the Audit? Check out Appendix E – the Best Practice Checklist – to see how you’d stack up, and use it to improve your site’s security and privacy.

We hope you’ll read the report, view the infographic, watch the video, share the news, and/or join us on the webinar. And be sure to watch OTA on Twitter, Facebook, and LinkedIn and share using #OTATrustAuditHonorRoll!

Building Trust Internet of Things (IoT) Privacy Technology

Do You Want Privacy With That?

You may have heard about CloudPets being pulled off shelves for recording kids’ voices and that data being leaked, or the EU recalling kids’ smart watches for giving away children’s location in real time. If you’re shopping for any sort of Internet-connected device, you should be worried about your privacy and investigating how much data your new gadget is collecting. That’s why we’ve joined Mozilla in calling on big retailers in the US like Target, Walmart, Best Buy, and Amazon to publicly endorse and apply our minimum security and privacy guidelines and stop selling insecure connected devices.

From the letter: “Given the value and trust that consumers place in your company, you have a uniquely important role in addressing this problem and helping to build a more secure, connected future. Consumers can and should be confident that, when they buy a device from you, that device will not compromise their privacy and security. Signing on to these minimum guidelines is the first step to turn the tide, and build trust in this space.”

In total, the letter is co-signed by 11 organizations: Mozilla, Internet Society, Consumers International, ColorOfChange, Open Media & Information Companies Initiative, Common Sense Media, Story of Stuff, Center for Democracy and Technology, Consumer Federation of America, 18 Million Rising, Hollaback

5 Minimum Security Standards for IoT Devices

Encrypted communications
The product must use encryption for all of its network communications functions and capabilities. This ensures that all communications are not eavesdropped or modified in transit.

Security updates
The product must support automatic updates for a reasonable period after sale, and be enabled by default. This ensures that when a vulnerability is known, the vendor can make security updates available for consumers, which are verified (using some form of cryptography) and then installed seamlessly. Updates must not make the product unavailable for an extended period.

Strong passwords
If the product uses passwords for remote authentication, it must require that strong passwords are used, including having password strength requirements. Any non-unique default passwords must also be reset as part of the device’s initial setup. This helps protect the device from vulnerability to guessable password attacks, which could result in device compromise.

Vulnerability management
The vendor must have a system in place to manage vulnerabilities in the product. This must also include a point of contact for reporting vulnerabilities or an equivalent bug bounty program. This ensures that vendors are actively managing vulnerabilities throughout the product’s lifecycle.

Privacy Practices
The product must have a privacy policy that is easily accessible, written in language that is easily understood and appropriate for the person using the device or service. Users should at minimum be notified about substantive changes to the policy. If data is being collected, transmitted or shared for marketing purposes, that should be clear to users and, as in line with the EU’s General Data Protection Regulation (GDPR), there should be a way to opt-out of such practices. Users should also have a way to delete their data and account. Also in line with GDPR, this should include a policy setting standard retention periods wherever possible.

These five are a subset of our IoT Trust Framework, a more comprehensive set of principles manufacturers, resellers, and policymakers can use to help secure IoT devices and their data.

We hope that this letter opens the discussion with large retailers so that we can work together to increase consumer confidence that the devices they bring into their lives will not do them harm. We’re committed to helping improve the safety and trustworthiness of all types of IoT products.

Here’s What You Can Do Today

  • Check out our #GetIoTSmart page for consumer and enterprise IoT safety checklists and to keep up to date on our latest IoT activity for news and tips
  • Reach out to your favorite retailer to (1) share our tips and advice, (2) express your thoughts on privacy and security, and (3) ask them to commit to endorsing minimum security standards in the products they sell. — Tell them to #GetIoTSmart!

Building Trust Events Reports

Webinar: Can Consumers Trust Retailers’ Email? Findings from OTA’s Email Marketing & Unsubscribe Audit

Next Tuesday, 18 December, at 2PM ET (1900 UTC), we’ll be holding a webinar to discuss the results of the Online Trust Alliance’s 5th annual Email Marketing & Unsubscribe Audit.

Two Internet Society organization members from Yes Marketing and Endurance/Constant Contact will co-present with the Internet Society’s Jeff Wilbur, and it should be an interesting discussion that touches on various aspects of email authentication and best practices, online trust, and consumer confidence.

Please register at It will be recorded if you can’t make it on Tuesday.

The fifth annual Email Marketing & Unsubscribe Audit analyzed the email marketing practices of 200 of North America’s top online retailers and offered advice on providing choice and control to their consumers as well as technical best practices for retailers and marketers to follow. You can read more about it in Kenneth Olmstead’s recap blog post or view the infographic with key findings.

As always, you can follow along with us on Twitter, Facebook, or LinkedIn. We also have a Facebook event for this webinar at

I hope you’ll register and join us on Tuesday, and invite you to share this with anyone you think may be interested.

Building Trust Events Improving Technical Security Internet of Things (IoT) Technology

Cybersecurity, Data Protection, and IoT Events in November & December

The end of the year has been very busy, with Internet Society staff members speaking at many events on data protection, security-by-design, and the Internet of Things (IoT). First, to recap the last month, you might want to read the Rough Guide to IETF 103, especially Steve Olshansky’s Internet of Things post. Dan York also talked about DNSSEC and the Root KSK Rollover at ICANN 63, and there were several staff members involved in security, privacy, and access discussions at the Internet Governance Forum. In addition, we submitted comments on NIST’s white paper on Internet of Things (IoT) Trust Concerns; the NTIA RFC on Developing the Administration’s Approach to Consumer Privacy; and the NIST draft “Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks”.

We also have several speaking engagements coming up in the next few weeks. Here’s a quick rundown of the events.

6th National Cybersecurity Conference
27-28 November
Mona, Jamaica

The Mona ICT Policy Centre at CARIMAC, University of the West Indies is hosting the 6th National Cyber Security Conference. The Conference theme this year is “Data Protection – Securing Big Data, Understanding Biometrics and Protecting National ID Systems.” Jeff Wilbur will be speaking on 27 November, during Session 1, on Data Protection: Issues and Approaches.

Cybersecurity & Cloud Expo North America 2018
28-29 November
Santa Clara, CA

The Cyber Security & Cloud Expo North America 2018 hosts discussion around cyber security and cloud, and the impact they are having on industries including government, energy, financial services, healthcare and more. Jeff Wilbur will be speaking on 29 November at 9:50AM on a panel titled “The role of regulations & standards for enterprise cybersecurity.”

ASAE Technology Conference & Expo
4-5 December
National Harbor, MD

The American Society of Association Executives (ASAE) is hosting its Technology Conference & Expo on 4-5 December. Jeff Wilbur will speak on 4 December at 3PM in a Learning Lab titled “Internet of Things (IoT) – How Associations can Help Create a Safer Connected World.”

Governance of Digital Security in Organisations and Security of Digital Technologies
13-14 December
Paris, France

The OECD is hosting the inaugural Governance of Digital Security in Organisations and Security of Digital Technologies on 13-14 December in Paris. Jeff Wilbur will speak in session 4 at 4PM on 13 December on “How to Achieve Security By Design?”

While it doesn’t look like any of these upcoming events will be livestreamed, if you’ll be attending any of these events in person, please let us know!

Building Trust Events Improving Technical Security Internet of Things (IoT) Privacy

National Cybersecurity Awareness Month = International IoT Security and Privacy Month

October is National Cybersecurity Awareness Month, and as part of our work with the Online Trust Alliance and our Internet of Things (IoT) campaign, we think October also deserves another label… International IoT Security and Privacy Month. There are a number of significant activities and developments related to security and privacy. Here are a few highlights of what’s happening, how we are participating, and how you can get involved.

  • The “How to Make Trustworthy #IoT” Workshop – (Oct. 8) This year’s Internet Society Chapterthon is focused on IoT, and we are excited to see how all 43 participating Chapters raise awareness of the privacy and security issues surrounding IoT. On Monday, 8 October, Jeff Wilbur and Megan Kruse from the Online Trust Alliance will be in New York City with the Internet Society New York Chapter (ISOC-NY) and IoTNation holding a workshop on ‘How to Make Trustworthy IoT’ – an IoT Privacy & Security Workshop. If you’ll be in New York City on Monday, please consider registering for the event, or watching the livestream starting at 2PM.
  • Comments due for NIST Internal Report (NISTIR) 8228: Considerations for Managing IoT Cybersecurity and Privacy Risks – (Oct. 24) The report by the non-regulatory agency of the United States Department of Commerce, the National Institute of Standards and Technology (NIST), is intended to help federal agencies and other organizations better understand and manage the cybersecurity and privacy risks associated with their IoT devices throughout their lifecycles. The draft also includes recommendations about how to address risk considerations for these devices. We will submit comments by the Oct. 24 deadline.
  • Europol-ENISA IoT Security Conference – (Oct. 24-25) The invite-only event is organized by the European Union Agency for Law Enforcement Cooperation, Europol, and the European Union Agency for Network and Information Security, ENISA. Our Chief Internet Technology Officer, Olaf Kolkman, was invited to address IoT security and privacy. Kolkman will specifically discuss the IoT Trust Framework which, if implemented, could easily avoid every single documented IoT vulnerability as OTA documented in 2016.
  • UK Secure by Design Report – (coming soon) The UK government is expected to issue the final report of its recommendations about how to ensure that consumer Internet-connected products and associated services are sufficiently secure. In particular, the UK Secure By Design Report looks at the rights and responsibilities of consumers and industry. In its preliminary report released earlier this year, 30 of the 40 recommendations were from OTA’s IoT Trust Framework.

We’ll be watching developments with the above closely. If you want to learn more, check out the Online Trust Alliance and our Internet of Things (IoT) resources.

Building Trust Events IETF Improving Technical Security Public Policy Technology

Registration Open for “Cyber Diplomacy Meets InfoSec and Technology” Alongside IETF 102

As we recently announced, the Global Commission on the Stability of Cyberspace (GCSC) will host a lunch panel on “Cyber Diplomacy Meets InfoSec and Technology” alongside IETF 102 on Tuesday, 17 July. Registration opens today in two time slots for global time zone fairness, at 08:00 UTC and 20:00 UTC. Register here.

The Global Commission on the Stability of Cyberspace is developing norms and policy initiatives that intend to counter the risk to the overall security and stability of cyberspace due to the rise of offensive cyber-activities, and especially those by states. During this session, the Commission wants to inform and engage with the IETF community on its work so far and the work that is in the pipeline.

The Internet Society is assisting with logistics. Internet Society Chief Internet Technology Officer and GCSC Commissioner Olaf Kolkman will moderate the panel. The panelists are:

  • Irina Rizmal, researcher at the DiploFoundation specialized in policy analysis in matters pertaining to national security and defense.
  • Bill Woodcock, Commissioner and Executive Director at Packet Clearing House, the non-profit agency that supports critical Internet infrastructure.
  • Jeff Moss, Commissioner, founder of Black Hat and Defcon, member of the DHS security council, and former ICANN CSO.


The panel takes place during lunch on Tuesday, 17 July, at the Fairmont The Queen Elizabeth in Montreal alongside IETF 102. Lunch will be provided to those who pre-register.


Pre-registration is required to attend this briefing panel in person. Registration is now open, so register here.

This event will also be webcast and audiocast. Pre-registration (or IETF attendance) is not required to attend online. Watch this space or the session page for more information and links on remote participation.

We hope you can join us in Montreal, or online!