Cooperation Working Group
RIPE 80.

ACHILLEAS KEMOS: One of the co‑chairs of this Cooperation Working Group. Welcome everybody to the Cooperation Working Group. We have a pretty tight schedule so what I suggest is that we move on, at administrative stuff to the e‑mail list and get straight on with the programme.

So, our first speaker is Nicole from Europol. Please, Nicole, go ahead.

NICOLE VAN DER MUELEN: Thank you. And welcome everyone. Indeed I am a senior strategic analyst at Europol's European cybercrime centre and also head of the policy and development team. And I just want to first thank RIPE for this opportunity to give this presentation virtually on the work Europol has been doing in the area of cybercrime and Covid‑19.

What I want to do in the next 25 minutes is basically give you an overview of what we have been doing but also to talk about how the Covid‑19 crisis has impacted cybercrime but also how it has impacted people who may have never been encountering cybercrime or never become acquainted with it because I think that's a very important factor in the whole story. To put it into context, I have been working in cybercrime for over 13 years and many of the things we are seeing now we may have seen it before, but now we simply see them in connection to Covid‑19 which obviously increases the impact on society and on the different actors within society.

So just to give you some background. Obviously after March 16, things really kicked off, at least for us. We had a joint statement with some of our European partners and they are really key partners in the sense of the information that we gathered that we include in our reports, because what we have included in the reports we have been working on is not just information we have received from law enforcement, it's also information we have received from private partners as well as these European public partners.

So what we have been trying to do is, basically tried to produce reports to what we call to do some intelligence notification, and the first one really focused on all sorts of different crimes. We followed that up by one that was specifically focused on cybercrime, and the last one was looking at the different phases and what would be the long lasting impact really when it comes to Covid‑19 and cybercrime.

We created different versions, so we did have a law enforcement only and a basic protection level as well as these public reports. I welcome you to read them on our website. They are available together with a lot of our prevention awareness material. And we have also developed some dedicated cyber bits which are more focused on specific vulnerabilities or specific cases as you can see on the slide.

So I will follow the pattern we generally follow when we talk about cybercrime. So we have cyber‑dependent crimes, such as ransomware and different forms of malware, and then there is a really large category of cyber‑enabled crime and that includes social engineering, the phishing and any sort of scam. And the difference between cyber dependent and cyber enabled is that cyber enabled really is a type of criminal activity that could be conducted without the Internet but is enhanced and facilitated through the Internet.

And I think that's really a key component when we look at some of the cybercrime‑related activities that have been very rampant during the Covid‑19 era.

On top of the list is ransomware and this has been the dominant threat for the last few years. I work on the Internet Organised Crime Assessment, which is our annual assessment, and ransomware has been the most dominant type of threat. So it's not new. If anything, we just continue to see it during Covid‑19. And it becomes more problematic because ransomware perpetrators have been targeting hospitals even before Covid‑19 and that is particularly problematic because, of course, having access to the information systems within a hospital could be a matter of life and death. That is also why they are a lucrative targets for criminals because basically a hospital, when faced with such a life and death situation, is more likely inclined to pay the ransom, which is ultimately what criminals are after, of course, the financial profit.

So in Covid‑19 we also, during this era, we also witnessed a number of attacks on hospitals; one in the Czech Republic is the most well known, I would say, because that one was also made public. And what we did witness was, you see the same type of perpetrators operating, they are looking for collaborators but they are also not waiting as long to strike as they would in the past. So they are faster, and you could argue that they are even more targeted. What is interesting, though, is that there are some perpetrators who have claimed some the sort of morality and said we are not going to become involved because of the pandemic but many others are still carrying out their attacks.

When it comes to DDoS, or distributed denial of service attacks, we have not seen them as much; there's been a slight increase, but there is definitely a vulnerability there if criminals wants want to enhance that activity and basically extort companies by making their network unavailable by making their services unavailable, as we have an increased dependency, of course, on these services because of tele working, because of businesses having to go online, etc.

So this is something to keep an eye on, but was not as prevalent as you may have anticipated.

Now, phishing is really probably the one thing that, together with scams, that really was a very dominant element, and that's why I call the presentation rewriting in the narrative because phishing is a dominant form of cyber enabler or cybercrime that we have seen across the years and what really happens with phishing attacks or any kind of social engineering attack that the criminals use, whatever narrative is convincing and is most likely to have people fall victim for their activities.

So it's used as a lure. So there are many phishing e‑mails, malicious apps, that really try to respond to the need for information people have during this crisis. So they claim to be from the World Health Organisation, from national health authorities, they claim to have availability of death figures, of information basically about the crisis, to ensure that people would click on it, so this was very rampant throughout March and April. Towards the end of April, of course, as prevention and awareness efforts were in hand, we saw this decrease and slowdown, but it's something to still keep and eye out on because what you see is that they might become more targeted, they might even become better quality, and, as such, they will capture their victims. What is also important to note here is that is many more people have to go online, because of the lockdowns, because of the physical restrictions, there are people who have may have encountered phishing attacks or other other cybercrime attacks that have never become familiar with them. So this is also why, as I will mention later on, that we enhance the prevention and awareness efforts and really connected it to the type of criminal activities we have witnessed within Covid‑19 because otherwise people might not be able to recognise them.

The last point I focused on it malicious domain name registration, which is more of an overarching threat. It's an infrastructure element that criminals need. So, we saw a spike in domain name registration. So basically having domain names that include either Covid or Corona and a number of those were malicious, because those are being used as an instrument, for example, in phishing attacks or in other attacks where they really want to lure the victim through this malicious website and obviously they are using terms such as Covid or Corona.

Now, unfortunately cyber‑dependent and cyber‑enabled crimes were not only the forms of cybercrime where we witnessed an increase. The conditions as such also influenced the potential for criminals to take advantage of children, many children were home, many children were online, their parents may have been working. So we did notice an increase in reports from the public. We noticed an increase in attempts to initiate contact from perpetrators with children. And they really tried to do that for children to obviously to produce what we call self‑generated explicit material because they are looking for new material. A lot of perpetrators are also at home. We noticed them talking amongst each other in underground forum about how to potentially access more material but also about how to get into contact with vulnerable children or with children in general.

So these are some of the things we did notice and that we also tried to focus on within the prevention and awareness campaigns. And in terms, we are worried that there will be more exposed to offenders, in many countries now schools are opening up again. But the threat still remains, of course, and this is something that we actually will issue a new report on scheduled for the second week of June, there will be a public report from Europol specifically focused on the threat of child sex exploitation within the Covid‑19 era.

And then the last part of it in terms of what we really focus on is activity on the dark web. And this really, I would say, connects to many different elements. Of course you have the dark web market places under "normal" conditions, where there is a lot of sales of drugs and other illicit goods. And what is interesting, we notice there is the sale of what you might call regular goods that are being sold on the dark web were a bit hampered because of physical restrictions. So people were indicating that the post might not function as usual, they might not be able to deliver things as usual. But what was also interesting: On the dark web there was a lot of room for the sale of sort of scam material, so things that people really needed: face masks, disinfectants such as hand sanitiser, chloroquine, which was mentioned as a potential drug that could be used against Covid‑19, test kits. But also to ensure business would continue, perpetrators were also offering discounts. But they were also just making up sort of fake materials. People were trying to sell their blood claiming they had had Covid‑19 and, as such, they had antibodies. There was a wide variety of things being offered. What is interesting when we talk about these goods in terms of masks and the hand sanitisers and any elements like that, we obviously noticed a lot, if we connect it back to the previous slide, of cyber‑enabled crime, there was a lot of scams going on, and towards the end I have two examples when it comes to operational support, where clearly perpetrators were trying to lure predominantly government authorities into pretending that they had face masks available and trying to sell those, even though they didn't have them, they were, in certain instances they were imitating companies and just trying to get the money, and, because of international cooperation, at least some arrests have taken place and some actions were able to be taken because, of course, it involved multiple countries.

As I mentioned a few times now, it goes beyond the intelligence notification, the gathering of strategic information to ensure we can inform law enforcement, we can inform our partners and we can inform the public. But we also wanted to make sure we used our knowledge and expertise in the area of prevention and awareness, and that goes across the board. We issued advice on tele working, which obviously goes for employees as well as for organisations, but we also issued advice for children, for teenagers, and we also specifically wanted to focus on a particularly vulnerable category or group of people, and that is the elderly.

That is at least one example of people who may not have ‑‑ who may not be used to operating online and as such, could be particularly vulnerable to some of these scams, to some of the phishing e‑mails, and as such, we sort of tried to target especially vulnerable people. We have a landing page on the the Europol home page where you can assess all the materials. Many of them we have been able to translate into the different EU languages to ensure availability and accessibility for everyone within the EU and to some extent, beyond that as well. And on the same landing page you can also access the reports.

So reports and relevant press releases that pertain, for example, to operational actions.

And here are just a couple of examples of the materials that we have created within the area of prevention and awareness, that really try to draw that bridge between what is going on and how are criminals trying to profit. Basically, the primary purpose of these prevention and awareness campaigns is to have people recognise potential scams, potential attempts from criminals to gain their personal information, and things of that nature, and for children obviously to recognise perpetrators who are trying to gain some of their information.

And then like I said, in terms of operational support, we were involved in a number of actions, some of them we have been able to make public. And the main thing, of course, for those who may not be too familiar with Europol, we do not have investigative powers, so the primary way we can assist is really to facilitate an operation that involves multiple countries, at least two member states, for example, or, if it goes beyond that, it could be that it involves countries beyond the EU, of course.

And what we see here is this is an operation where somebody was arrested and that involved sort of the support and facilitation of both Europol and Interpol where, once again, as I mentioned before, trying to sell face masks and hand sanitisers, even though the person didn't have them, and also, in that process, imitating a legitimate company. So there is really the abuse of a fear of urgency in terms of getting sufficient supplies on the the side of governments, on the side of different countries, and then taking an existing company and pretending to be that company. And, of course, considering the current crisis situation, it's difficult to sort of take the time and be able to distinguish between a fraudster and a legitimate company.

And the same went for this case, which I'll try to give a bit more detail about. I think that's interesting about this one, once again trying to imitate an existing company, but what you can see here, it involved the Netherlands, it involved Germany, Europol was able to facilitate predominantly through facilitating information exchange between the different countries, but also a key component was the cooperation of banks in this case, because a transfer of money had already been made, part of it, and of course nothing was delivered, and this was quickly discovered. So then you need the cooperation of the bank to follow the money, but also to be able to freeze the assets and return the money to the government. And thankfully, it's already led to two arrests and it's an ongoing investigation further on.

But it goes to show basically, both in terms of how successful criminals have been, but also the positive side in terms of international cooperation among the different countries facilitated by Europol in order to actually identify some of these perpetrators and even more, even better I would say, be able to regain some of that money that was issued by the government.

I think that is it from my side. That should leave some time for questions, hopefully.

CHAIR: Thank you. I hand over to the co‑chair to handle the questions.

ACHILLEAS KEMOS: We don't have any questions.

JOHAN HELSINGIUS: Do you have them there or should I handle them?

ACHILLEAS KEMOS: Yeah. Okay, you can handle them now, I am just going to read them as well.

JOHAN HELSINGIUS: The first question comes from Carsten Schiefner:

"Are your activities and investigations by some means synced with, for example, what we have heard about yesterday, SIDN going after fake shops?"

NICOLE VAN DER MUELEN: If they are synced with it? A good question. I would have to ‑‑ I think that depends to what extent we're in contact with them about it. I haven't heard about it yet, but I think that depends on some of my operational colleagues, so I'm afraid I can't really give a complete answer to that.

ACHILLEAS KEMOS: Blake: "I am sure there is no simple answer here but how do you differentiate between disinformation and cybercrime?"

NICOLE VAN DER MUELEN: That's a very interesting question. I didn't talk am almost at all about disinformation. It's something that is ongoing because depending indeed how does it connect the cybercrime? I would say that criminals themselves are able to abuse this information, so, for example, if someone says this is a cure for Covid‑19 and it's based on a lie, criminals can subsequently use that to sell some sort o ‑‑ f, or to have some sort of scam and sell something. So, in a way, what is happening within many phishing or social engineering as well as within the scams is, they are already using some sort of fake information. But if it comes from another source, I would almost say that criminal activity gains a certain level of legitimacy. So I would almost say that cybercrime is almost able to take advantage of this information.

ACHILLEAS KEMOS: Thank you, Nicole. A question from Benno Overeinder, thanking you for your presentation and the question is:

"For the malicious domain names, which top level domains are you monitoring? And, in particular, like .org, .com, etc., and/or the European ccTLD or just everything?"

NICOLE VAN DER MUELEN: That's a very detailed question. I would have to check and get back, unfortunately.

ACHILLEAS KEMOS: Okay. Thanks. The next question is:

"What is considered the peak of the cybercrime related to the pandemic based on your perception?"

NICOLE VAN DER MUELEN: The peak in terms of the type or the moment?

ACHILLEAS KEMOS: Good question. So, next ‑‑

NICOLE VAN DER MUELEN: I can say in terms of the moment, I think the peak may have been end of March. But that's quite intuitive, because I think there was a lot at the start but I'm sure end of March they really really hit it. So if it's sort of timing wise, otherwise the peak in terms of the type, I think I mentioned it's really I would say a combination of the phishing attempts and e‑mail as well as a lot of the scams. I think in terms of volume and potential impact, those were the highest.

ACHILLEAS KEMOS: Okay. Oliver Hohlfeld:

"Thank you for the nice talk. How did you measure the increasing DOS attacks and against which targets?"

NICOLE VAN DER MUELEN: That's a very fair question. I would say we had to rely on external sources of course in this regard because we do not have a complete overview. I don't think anybody does. So this we had to just come from third‑party sources who were measuring it.

ACHILLEAS KEMOS: And the next question:

"I assume the awareness campaigns are aimed at the public at large. If so, how effective are European level campaigns? Is everything translated? How do you take cultural differents into account?"

NICOLE VAN DER MUELEN: So they are obviously targeted at the public at large, although, like I said, sometimes we try to focus on specific categories within the public at large, such as children and teenagers. There are translated to the extent possible, which means that not all campaigns are translated but many of them are, and if they are translated, then they are translated in all the EU languages. And then the idea is we produce the material, it gets translated and then we turn it over ‑‑ of course it's always available on our website, but we also give it to the law enforcement agencies within the member states and we are always happy to give it to any other organisation that us autos it for public benefit.

In terms of cultural differences, I mean, this, of course, is a bit complicated. I would say it's embedded in the translation in you have native speaker translation but something we may not be able to take into account as much as we would like to.

ACHILLEAS KEMOS: Thank you. Should we continue? I think that there is one we could take also.

"Is there many countries in Europe that report on growing grooming on the net now?"

NICOLE VAN DER MUELEN: The thing about grooming is, you would have to be able to meet physically subsequently. This is something I would have to look into and I think this is something we can give a better answer to when we issue the subsequent really dedicated report on CSE in the second week of June.

ACHILLEAS KEMOS: Okay. Thank you.

JOHAN HELSINGIUS: We seem to have one more question.

ACHILLEAS KEMOS: Okay. "How do you receive or fund information about malicious sites?"

NICOLE VAN DER MUELEN: In terms of the malicious domain name registration or just general malicious sites? For the domain name registration, we do have an external partner for that.

JOHAN HELSINGIUS: Thank you for the great presentation. We move on in the programme, and the next one is Marco talking about a certain proposal from a certain country and a certain manufacturer. We won't mention their names because we don't want the connection to be cut.

MARCO HOGEWONING: A certain country and a certain company. Talking about new IP and you may have already seen that. For those of you who don't know me, my name is Marco. I work for the RIPE NCC in the External Relations Department, and, in that role, I also participated in ITU meetings and track the work that's going on. This is one that popped up.

So, new IP. You may have seen it already in the web block or your favourite newspaper, but let's delve a bit into what it's about and give you a bit of background. We first came across and the world first came across this back in September last year. ITU has what is known as the telecommunications standardisation advisory group, which is kind of steering body for the ITU group, that meets approximately twice or three times a year and has high level discussions of where things are going, the work that needs to be done and finished, etc.

And caught out a bit by surprise. There was a proposal by ‑‑ supported by a number of other Chinese companies and the government, and it's a three‑/four‑page document, so I only took a small snippet but I think this captures it really well where they say, okay, the Internet, and particularly TCP IP, might not be up for its tasks, it's not fit for purpose, and what we would like to do is build a new information and communications network with new protocols and sort of accommodate new users, as they say, holographic used, IoT, etc.

As part of that, they said like, oh, yes, this is a great opportunity for ITUT to do this work and to get back into the Internet. It features as I said, like drop down design, a much more tradition here is the whole integrated system.

Why did they do that, emphasis by the way on these slides is us, but that sort of captures I think the proposal. Which kind of brings me like why there and then? And as it says, 2020 is approaching, so a bit of background here is, ITUT works on four‑year cycles and every four years there is the World Telecommunications Standardisation Assembly, in short, and the next one is scheduled for November 2020 in India. It's still on the roster. Whether it's going to happen, we don't know. We are waiting for updates.

And with such a big meeting that kind of looks at the work done and looks at sort of what are we going to do the next four years, preparations take quite a while, and in fact that almost takes two years in which all the study groups but all the ITU members, the member states look at where do we think we want this work to go? What else is there coming? How should we restructure? What should we do in the next four years?

With that, it's not a hard deadline, but let's say, in that sense, the preparations for that should be roughly ready in September 2020, so we have a bit of time to look at those before we go into the big meeting where the text is finalised and hopefully we'll reach an agreement on what should be done in the next four years.

So if you draw the time lines alongside of that, that's also where Huawei was aiming for. Now is the time we're going to talk about what we're going to do in the next cycle and in the most farfetched proposal it was let's set up a dedicated study group to work on this. We don't want this scattered out across many groups, we want a dedicated vehicle to build and deliver the standards we need.

As I said that was September '19. We all got caught by surprise so took a bit to sync in and understand what they were doing. We used the opportunity of the next meeting which was in February this year to submit our response, which also can be found on our website, which we said like yeah, there is still a lot of questions here, but looking at what's on the table right now, we don't think this is a good idea. More to the fact that if you think you need to modify the Internet, we suggest you take this to the people who actually manage the Internet standardisation, the IETF, and work with them on where you think TCP IP or other protocols have shortcomings and change those.

So, we felt filed our response and there was a bit of discussion, we got another session with more information about this. And then ‑‑ and that's probably sort of where your attention got drawn in general, the Financial Times produced a very big article in March, six pages, about the Chinese attempts to kind of retool or redesign the Internet. There were a number of other media publications, also questions for us, so we published a piece on RIPE Labs that explains more of our views and highlights sort of what we see is problematic.

That will probably now continue. As I said, there is a meeting aimed for in September 2020 where this will hopefully be wrapped up and sent to WTSA. What is particular about this request is that back in July '18, ITU had established a focus group. The focus group network 2030, which kind of got permission to kind of figure out where this is going in the next ten years, figure out what role ITU can play, figure out with standardisations gaps are, etc., etc. Focus groups, by definition, are set to only live two years, so in that sense we are waiting for their final reports which are supposed to be due in July 2020. Whether they are going to make it in the current situation, that's not entirely clear, but as it was designed, the focus group should set this up, deliver their report into the parent study group, study group 13 which looks at future networking and new protocols, and then from there, study group 13 should take this as a way to prepare for WTSA.

The cures detail here is that the focus group was established upon request by Huawei and is headed by Huawei, the Chair is an employee of Huawei. So we were all a bit puzzled saying why don't you take this to the focus group? Why aren't we just waiting for the focus group to say what's needed. So that was part of the initial discussion.

Back to the topic. New IP.

What is it then?
Well, we're all a bit confused. We probably still have more questions than there are answers despite numerous sessions that aim to explain what that is that same to sell us on the idea.

From what I have seen, it's more of a philosophy than a really concrete idea about technology, it's not like a ready major package. A couple of snippets from the number of presentations, one of which key features apparently is to move from a centralised system to a decentralised system. As you already say, it's very much a top‑down design, top‑down control as well. How that's going to work with the decentralised system, that's anybody's guess.

One of the other features we have seen being promoted is it attempts to use what they say more flexible addressing space, which includes geographically based addressing, or as they put it diverse IDs to indicate destination but also a much stronger tie what it seems to identification. So really just sort of make it your personal address or make the device burnt in address.

And that's then sort of one of the pitch, one of the tech lines, "Provide, universal and wider connectivity."

So, what it's not.
Well, if you look at sort of the little technical details there are, it's not a new technology. It's mostly presented as an architectural framework based on the idea that somehow the current Internet is failing to deliver on its promise.

If you look at what I have presented on the technology, it's all not very new. I would say it's. We have seen locator identify separation before, it's not on known as lis in the industry. It's not a great success, if you are old enough you may remember those discussions about exploratory length addressing and ID keeps opening up in various for ace. What do we do if we find a middle way here? Of course that's, yeah, we filter and block traffic all of the time of course. That's what firewalls are for.

Also, the notion of like a dump core with everything on the edge, these days, if you you can think of middleware, it probably exists. Yet, if you take a step back and see how they kind of present how this should work, you quickly go towards like the OS I system, X25, it also has elements we have seen with ATM, small fixed cell headers to reduce the overheads in switching and overheads in sending large headers.

It's not a new technology.

Is it the new Internet? And that's an interesting question. Because that kind of makes you wonder, like, what is it that defines the Internet? Is it really just a matter of technology choices? Like the use of TCP IP, if it's not IP then it's not the Internet. Or, is it more a matter of values and behaviour? The open permission with innovation, the modular approach, the fact that sort of things can evolve that you can pick and choose your favourite technologies and sort of not forced into a very rigid model.

As far as new IP goes, many documents refer to what they say are many nets. As I said, part of the claim here is that the TCP /IP has limited use and what they propose is then heterogenous network of networks that include non‑IP networks, so kind of expanding the Internet with non‑IP‑based networks or even at some point replace IP networks with different proposal. It's still very vague on how that should work.

What it's mostly and this sort of comes from like discussing this with people in the industry, with government representatives. What it seems to be mostly is a new package. We know that a lot of technologies and capabilities that new IP advertise actually exists. It's not a great secret that there is the great firewall there and we know how it works partly due to research in terms of filtering, in terms of traffic moderation, but also content control.

And if you take a step back and look at the newspapers, there is a lot of governments and a lot of politicians who kind of seem to be asking for similar tools. Think about sort of elections, think about trolling, think about fake news, disinformation, and a lot of times it's like we need more control. So, taking a step DTAG, if you look at where they're coming from they have got a lot of this technology already on the shelf, and it's ready to go. All they need is sort of a package to sell it to the people that want this.

Of course, the much title err top‑down control structure fits into that picture. Here we have got something that allows you to control the Internet. But mostly, it could just be just monetising on what they have already have in terms of security, tracking, filtering. Of course having an international standard there makes it much easier. It is often a prerequisite for public tenders, but also keep in mind that if you would tender for a network or you would specify say like oh the telecommunications network should do this and this filtering, there is probably a couple of NTOs that will be all over the place and comment on that.

But if you just basically put it in a regulation and say this network has to be compatible with something, would we really notice what's going on there? So, that's sort of, you know, the devil is in the detail.

In fact, the devil is in the detail because as much as new IP and the big idea, it might not make it, we still have to wait for it, we have to see how this all pans out. But at the same time, we have seen that work has already started on some components, FT 13 is discussing starting a couple of work items that we believe are part of new IP. But, for instance, also SG20 started work on a block chain based authentication and authorisation scheme for the IoT, which fits nicely into the new IP package.

So the high level in that sense, and that's part of the message here, keep an eye out for what's happening with new IP and that's important, but don't let it distract you too much.

The real work is hiding deep down in the study groups and I know that some of you are working for ITU sectoral members, there is probably a couple of governments watching as well, and we need to track this, and part of the tracking is very labour intensive. It's a lot of work to keep an eye out for every single meeting, every single study group to see what's going on there.

So, in that sense, my call to you as a Working Group and to the community is, share the load and share the intelligence we all have, and this was also pointed out earlier this week in talking to a government representative, was like, yeah, this is on the upcoming table for a European meeting. Make sure that your government representatives know what this is about and understand that this is not as much about technology but this really is about how the Internet could work how the Internet should work. Engage with them. Flag it, make sure that they are understand it. And make sure that they come into this meetings well prepared and understand what to say and what to do.

There is a lot more information on the RIPE Labs, but this is it for new IP. I think we have got a tiny bit of time, so as it was brought up on the cooperation list as well.

We also saw the press release and ETSI started to work on a non‑IP Working Group. And also thought like, if it walks like a duck, it swims like a duck, it quacks like a duck, it's probably a duck.

Disclaimer here. We're not an ETSI member. What we know is mostly from a couple of public sources and mostly from hallway chatters and intelligence from ETSI members that we got.

We currently believe it's not a duck. It's very similar to new IP but it's not directly related. What this is probably driven by and you can also see that a bit about sort of the people who participate in these groups, is probably a couple of large telco hosts trying to regain their dominance, trying to sort of reinvent their earning model. Many of those, and it's also probably not a big secret, they make public statements about that, they feel the Internet killed the goose laying the golden eggs, they don't like what they then refer to as OTTs and there is a lot of effort in going, but then sometimes it's referred to as specialised services, create for wealth guard and limited use of OTTs and regain the control of that earning model.

If you look at it from that side, 5G slicing, which is being worked on by kind of fits that model as well. You know, better specialised services, different monitoring model.

So in that sense, it could create a perfect storm. We have got new IP and elements of new IP are also pitched towards this goal, let's limit the use of OTTs, provide more control. This is what ETSI is doing, 5G slicing comes along so we have now got three different elements and three different bodies that all kind of seek to let's curb sort of the Internet one way or another. So that's definitely something we will be tracking. It's definitely probably also something you should be tracking but as it stands apart from ETSI, I don't have a lot of information and if you have an ETSI member, feel free to tell us more, send us more info.

With that, I know that we're just about to run out of time. I can take hopefully a few questions now, otherwise you can also find me online. Send me an e‑mail, I am happy to have a chat; send you a Zoom link and we can find a corner in our virtual hallway to talk about this.

JOHAN HELSINGIUS: Maybe a couple of quick questions. If you can pick a couple of interesting ones.

ACHILLEAS KEMOS: A couple of statements. I'll start with our fellow Working Group Chair, Jim Reid:

"Marco, you and your colleagues are doing a wonderful job on the topic. If you have concerns about new IP and the upcoming, please talk to your government and regulator because they will be the ones who get to take the decisions at WTSA. People would appreciate to hear them ‑‑ we have in a way from Constanze Berger from Germany and also echoed by ‑ from Greece, and from the Czech, Willem Vessili.

Constanze said: "Germany supports the sustainable professional of a free and multistakeholder government Internet. On this basis the technical development of the Internet should take place in the well known and proven current bottom‑up organised structures. After our own analysis we support the statements of IETF, RIPE and ISOC and, accordingly, the position within the German ITU representatives and others. We are proposing a government round table in advance of the WTSA in November 2020 to discuss the governmental point of views in the region.

So then if I can go to Kurt Kayser:

"Is this effort for new IP complimenting just the report that TCP has reached its limits on the fast Internet?"

MARCO HOGEWONING: That's good question. We know that new IP has its limitations, and Geoff highlighted that. We have also seen suggestions in IoT where people go like why send a 40‑byte header if all I need to communicate is a little temperature probes that sends 2 bytes of data out? It's not a question of whether we should accommodate those, but the point is the choice of venue and the point is that they are trying to sort of use this as an opportunity to change the governance model.

If you take this to IETF and IETF has been work on it and as Geoff also highlighted there are various ideas on how to change queueing, but the important bit is that this needs to be done at the right venue, which is in our view, is the IETF. It shouldn't be done by the IETU, and it almost certainly isn't an excuse to redesign the governance model just because we found some uses. Sure, let's talk about it, let's see what we can do and what we can do to modify, recently we have also seen QUIC come up as a potential replacement for TCP. It's not set that the IETF come and do this work but it's important that the discussion happens there and not in some closed room in Geneva or elsewhere.

ACHILLEAS KEMOS: Thank you. Carsten Schiefner:

"Haven't Huawei and others filed a problem statement and, if so, what is it?"

MARCO HOGEWONING: Sorry, the problem statement? It's still a bit vague. You see statements like, yeah, TCPIP doesn't work on satellite communications. It has its challenges but before the whole crisis we were still trying around and sending e‑mails from airplanes and it was using TCP IP over satellites. It might need a bit of fine tuning, as with Geoff's presentation as with the example I just gave. But I wouldn't call it a failure.

ACHILLEAS KEMOS: Okay. Thank you. Freddie McBride, from echo:

"Is there any links between this new IP proposal and digital object architecture?"

MARCO HOGEWONING: Maybe. To me, from my observations, it seems that China is much more on to block‑chain‑based technology than into DOA, but of course DOA is also still around and it might sort of reappear as part of this conversation. But I haven't seen any direct links yet on that part.

ACHILLEAS KEMOS: Thanks. And also Jim Reid added on that:

In his experience HG20... there is no direct linkage between DOA and new IP though though both fit in the narrative of a bigger role for ITU in this Internet governance.

It may be the last question from Paul Rendek:

"Is this being viewed as a revolution on the future of the Internet by iSTAR organisations in has the IETF welcomed discussions on this? Is the IETF engaging with the ITU and what is the view of this outside the member states driving this?"

Also, if I may add, QOA has got a huge presentation in the last IETF group. Why didn't they choosing to go there as well?

MARCO HOGEWONING: That's interesting. IETF, just as our response sent a liaison pack about this work, also saying we don't think this is feasible inviting them over to come to the IETF, discuss it. Of course IETF is user‑driven. If you don't bring the work and push it forward, it's not going to happen there. It's not like you ring the doorbell, to say it over the wall and be done with it. But it's also ‑‑ that was one of the things that was highlighted in the media where sort of who I came a bit under attack and Huawei said mind you, IETF is already developing dot, which indeed IETF is doing, which is a way to sort of mitigate DDoS attacks. That work is being driven by Huawei in the IETF. So part of our response is also like there is a lot of duplication here, and I said in one of my slides. It's not new technology. We know it exists, so why redesign in the ITU. We have the technology. It's different discussion. So, yeah, in that sense. It's still up to the operator to pick, choose wisely about their technology. Our biggest fear is that this sort of gets branded as this is the Internet. Where it really isn't. And people might buy into equipment that is not fully compatible with the Internet, believing that it is, and that the lead to problems further downstream.

If this answers your question. The there were multiple questions in that.

ACHILLEAS KEMOS: Thank you Marco. I think back to you.

JOHAN HELSINGIUS: Thank you for the great presentations. I think we need to let people go and get their coffee. But before everybody disappears for coffee, I want to remind everybody to rate the talks. Enjoy your coffee. Thank you.

MARCO HOGEWONING: Can I squeeze in one last comment? Because, we did ‑‑ normally my colleague Suzanne has already given a couple of presentations about EU policies and everything that's happening. Given the time, this time, we did not have time to do that presentation, so she published today a big piece on RIPE Labs that sort of highlights all the upcoming work in EU legislative areas that might have impacts on operators. So I would recommend having a look there and feel free to send Suzanne your feedback on that. Thank you.

JOHAN HELSINGIUS: The good news is there shouldn't be a queue by the coffee machine. Thank you everybody. And bye.

(Coffee break)