
Encryption Helps America Work Safely – And That Goes for Congress, Too

This opinion piece was originally published in The Hill.

Over the past month, Americans across the country have adapted to a new reality of life, which includes social distancing to curb the spread of COVID-19. For those fortunate enough to be able to do so, that means learning to work, attend educational classes and socialize from afar using the Internet. For a huge number of Americans, social distancing means little to no work – and even greater uncertainty. Businesses, schools and government entities everywhere are asking the same question, “can we perform our work online and, just as importantly, can it be done securely?” 

As Congress acts to respond to COVID-19, it faces a similar challenge. With some Congressional members and staff testing positive for COVID-19, and others choosing to self-isolate, lawmakers are exploring whether they can perform the most critical aspects of their office remotely – deliberation and voting. For Congress to be able to vote remotely on legislation, measures to ensure the integrity of these communications are critical. If even one vote is changed or blocked by a criminal or foreign adversary, the legitimacy of congressional decisions, and thus Congress as a whole, will be called into question. Any digital voting solution would need to rely on strong encryption to be secure.

Encryption is a critical tool to provide confidentiality and integrity to digital communications. Encryption enables much of the flexibility needed for staff to work from home securely during social distancing. End-to-end encrypted messaging like WhatsApp, Signal or iMessage, and voice or video calls allow staff to discuss sensitive topics without fear of eavesdroppers. Encryption also secures everyday digital activities like payroll, human resource management, and file sharing. For Congress to legislate effectively while staying healthy during this pandemic, the security provided by encryption will be key. When reaching across the aisle, especially necessary in times of crises, staffers and legislators must be assured that politically sensitive discussions remain confidential – even when those conversations happen over the Internet. And while congressional votes are public information, a remote voting system must ensure that congressional members’ votes aren’t tampered with, and in case they are, make it clear that tampering has occurred.

A new bill introduced by Judiciary Committee Chairman Sen. Lindsey Graham and Sens. Richard Blumenthal and Dianne Feinstein puts the security provided by encryption under threat and therefore weakens the country’s ability to work, learn and govern while we aren’t able to conduct business as usual. This bill, called the “EARN IT Act of 2020,” would make changes to Internet intermediary liability rules in the United States and could force companies to modify their services for law enforcement to gain access to encrypted user content for various services – or become liable for the actions of all their users. But the consensus among cybersecurity experts is clear: there is no way to provide exceptional access to encrypted communications for law enforcement without making all of its users more vulnerable. Any way for law enforcement to get in could be found by criminals or foreign adversaries, and used for their own purposes.

As the country faces an unprecedented challenge, we all must be practical, flexible and energetic. We need to ensure Americans have the tools they need to successfully do their job remotely and securely, especially if that job is a member of Congress – that means not passing legislation that can undermine strong encryption practices.

Take these six actions to protect encryption and protect yourself.



Strong Encryption Is Central to Good Security – India’s Proposed Intermediary Rules Puts It at Risk

Security and encryption experts from around the world are calling on the Indian Ministry of Electronics and Information Technology (MeitY) to reconsider proposed amendments to intermediary liability rules that could weaken security and limit the use of strong encryption on the Internet. Coordinated by the Internet Society, nearly thirty computer security and cryptography experts from around the world signed “Open Letter: Concerns with Amendments to India’s Information Technology (Intermediaries Guidelines) Rules under the Information Technology Act.”

MeitY is revising proposed amendments to the Information Technology (Intermediaries Guidelines) Rules. The proposed amendments would require intermediaries, like content platforms, Internet service providers, cybercafés, and others, to abide by strict, onerous requirements in order to not be held liable for the content sent or posted by their users. Freedom from intermediary liability is an important aspect of communications over the Internet. Without it, people cannot build and maintain platforms and services that have the ability to easily handle billions of people.

The letter highlights concerns with these new rules, specifically requirements that intermediaries monitor and filter their users’ content. As these security experts state, “by tying intermediaries’ protection from liability to their ability to monitor communications being sent across their platforms or systems, the amendments would limit the use of end-to-end encryption and encourage others to weaken existing security measures.”

End-to-end encryption is one of the strongest tools for digital security online. With end-to-end encryption, only the sender and intended recipients have access to unencrypted content, providing trustworthy confidentiality and integrity to their communications. As the threats to computerized and networked technologies increase, confidentiality and integrity are critical. Since no third party, including the platform provider, has access to user content in an end-to-end encrypted system, content monitoring or filtering is impossible. As the letter notes, “There is no way to create ‘exceptional access’ for some without weakening the security of the system for all.”

Whether intended to filter online misinformation or to provide access for law enforcement purposes, laws or policies like those being proposed in India would make the Internet less safe, unintentionally allowing access to online communications to malicious hackers and criminals.

It is imperative that digital security not be undermined for hundreds of millions of people in an effort to force blanket data retention and network observability. Digital security is the foundation of our connected economies and societies. It is up to governments to make the right decision and support strong digital security, and it is up to all of us to hold them to account.



Your Day with Encryption

How often do you use encryption? It seems like the stuff of spy films, but you might be surprised to find out how often it touches your daily life.

Encryption is the process of scrambling or enciphering data so that only someone with the key can read or access it. You can use it for things like shopping online, using mobile banking, or using secure messaging apps. So while you may not be smuggling encrypted government secrets across borders, you do rely on it, along with your passwords and settings, to keep your data secure and private.

Learn about all of the ways you use encryption.

07:21

Your alarm vibrates. You reach for your phone, ready to snooze before you think better of it. You’ve got a big presentation at work and you’re going to need every minute today. There’s a message from your friend in Australia wishing you luck. How thoughtful! Even more thoughtful: your friend used an end-to-end encrypted messaging app. Sure, they saved on international phone charges, but the added security is nice too.

08:13

You’re ready to go, but before heading out, you check a news website for the traffic report. There’s a lock icon on the search bar, telling you the site uses HTTPS security, which means it’s harder for anyone to see which articles you’re reading. There’s been a minor accident on your usual route so you decide to take the train.

09:46

The train is crowded, but you manage to grab a seat. You take a sip of the coffee you purchased at the platform kiosk. When you used your credit card you used three points of encryption: via the credit card’s chip, the credit card reader, and while the credit card info was transmitted to authorize your purchase. But you’re not thinking of that. Instead you slip on your Bluetooth headphones and breathe a sigh of relief that no one else can hear your daily affirmations. There’s a reason for that: because you’re good enough, you’re smart enough, and doggone it, encryption!

11:24

Before you can even settle into your desk at work, you log in to your email account to check on one last thing you need for today’s important presentation. There’s no news, so you hop onto a videoconference call with colleagues across the country to try to get an update. The call is secured by end-to-end encryption, so it is a lot harder for anyone to listen to your conversation as the data travels from your computer to your colleagues’.

15:14

You did it! The presentation went well and now you’re ready for a break. You’re about halfway through that double bacon chili cheeseburger when the pain starts. You use all of your drugstore rewards points to buy heartburn medicine, and make a mental note to eat better. Lucky for you, the store encrypts this information. Hackers can’t easily access your purchase history, so your dietary choices can be your secret.

16:39

At the end of your work day you glance down at your fitness tracker and see that you’ve walked 8,000 steps. Good job! It almost makes that lunch worth it. Because there’s secure communication between your tracker and its app, you know your health information will stay secure from anyone hacking the free public WiFi you use in the train station. Now you touch your secure pre-paid pass to the gate at the train station to head home. You were annoyed a few months before when the transit authority updated their pass system, but the new system uses cryptography to help ensure that someone cannot pass their card off as your own – and charge your account.

17:44

You stop at the grocery store to pick up dinner. Since you’re out of cash, you use an app on your smart phone to pay. Each time you make a payment this way, the transaction data is secured using encryption. You spent the exact cost of a deep-dish Buffalo-wing pizza, but your future cardiologist doesn’t need to know that. (It comes with celery sticks. You’re already making healthy choices!)

As soon as you’re home, you beckon your personal digital assistant to turn on the lights. You settle into the couch with dinner and turn on your smart TV to watch your favorite Hallmark movie. You have a weak spot for stories about successful women who return home for the holidays only to fall in love with their childhood sweethearts. Because your WiFi is encrypted, your film snob neighbor never has to know.

Now that you know all of the ways encryption keeps your data secure, your mission, should you choose to accept it, is to help protect it.

Take these six actions to protect encryption and protect yourself.


Improving Internet Trust: Ironing out the Details

We all can make some pretty rash decisions under stress. I once burned a hole through my undershirt instead of ironing my button-down shirt because I was so nervous before a presentation.

The Internet has its challenges and sometimes can seem like a scary place. In the 2019 CIGI-Ipsos Global Survey on Internet Security and Trust, 62% of respondents who said they distrust the Internet cited a lack of Internet security as a reason why.

When it comes to facing challenges on the Internet, everyone, from average Internet users to government officials, tends to act the same way I do before presentations – frantically and with questionable results.

In pursuit of security, some governments are making decisions that could harm the Internet as we know it. They’ve taken actions that could weaken digital security, have the potential to fracture the Internet, and some have even shut the Internet down in their country. Like burning a hole through an undershirt and having to wear a wrinkled button-down shirt to a presentation, these actions do little, and make things worse.

The survey results highlighted in our report, “The State of User Privacy and Trust Online,” tell a similar story about average users.

Acting in response to their distrust of the Internet, 18% said they were making fewer online purchases and 13% were using the Internet less often. A full 49% said they were sharing less personal information online. I understand sharing less personal information; for instance, I don’t want everyone to know all of the mundane details of my life. Yet censoring yourself online or using the Internet less, whether for online purchases or in general, can be limiting. It is much more convenient to be able to buy new undershirts online, without having to worry about my credit card being stolen.

Although encryption is one of the best tools people can use to protect themselves online, only 19% said they were using more encryption or other privacy and security-enhancing tools. Encryption helps us get data to whom we want without anyone else seeing or messing with it along the way.

How can we get more people to turn to encryption to better protect themselves online?

  • Make it easier to use. More companies need to build end-to-end encryption into their services, turn it on by default and make it easy to use. After my ironing fiasco, I did the same thing and bought a few of those “wrinkle-free” button-down shirts.
  • Stand up for encryption. When governments try to weaken encryption technologies to facilitate government access, they put the security of all of us at greater risk. Can you imagine if the only irons we were allowed to have were hard-set to a low temperature? No one would have unwrinkled shirts – except those with black market irons.
  • Teach others about encryption. Teaching others the value of encryption and how to use encrypted services is a crucial step towards a safer Internet. My parents taught me the value of an unwrinkled dress shirt and how to get there.

While I’ve not always been so successful when it comes to ironing shirts, I still have the tools, both in the iron, the “wrinkle-free” shirts, and the know-how for success. Everyday users need the same for encryption. Only then can we move away from less effective security and towards a safer Internet.

Check out our report, The State of User Privacy and Trust Online, and take these 5 steps to make sure you’re as secure as you can be!


Ipsos conducted the 5th annual CIGI-Ipsos Global Survey on Internet Security and Trust on behalf of the Canadian think tank the Centre for International Governance Innovation (CIGI) in partnership with the Internet Society (ISOC) and the United Nations Conference on Trade and Development (UNCTAD). The findings are a result of more than 25,000 interviews with Internet users in 25 economies on issues related to Internet security and trust.


G7 Leaders: Protect Strong Encryption for a Secure World

Encryption protects us every day. It helps secure web browsing, online banking, and critical public services like electricity, elections, hospitals, transportation, and more.

If the G7 countries are truly committed to building a safer and equal world, then it is crucial to recognize the important role that end-to-end encryption plays in securing the Internet, their economies and their citizens.

The Internet Society and more than 30 organizations have signed an open letter calling on the G7 leaders to do just that – prioritize digital security – and not to require, coerce, or persuade device manufacturers, application, and service providers to:

  • modify their products or services or delay patching a bug or security vulnerability to provide exceptional access to encrypted content;
  • turn off “encryption-on-by-default”;
  • cease offering end-to-end encrypted services; or
  • otherwise undermine the security of encrypted services.

Digital security is the foundation of our connected economies and societies. And digital security is underpinned by strong encryption! It ensures that data – whether that of law enforcement, banks, or everyday citizens – can only be accessed by its intended recipient. Any attempt to insert “exceptional” or “lawful” access to encrypted content provides a way for others, including criminals, to gain access. This weakens online communications and the security of us all.

We all can make a difference to promote a secure Internet!

If your organization is also committed to building a safer world, then join us in supporting this call! Send us a message at g7letter@isoc.org.


The Internet Is Your Oyster: MANRS at International Telecoms Week

What do oysters, clams, and mussels have in common with network operators? Hint: it’s not just that they are both in Atlanta this week, either in exhibits in the Georgia Aquarium or for the 2019 International Telecoms Week.

It’s that both bivalves and network operators play an incredibly important role for their ecosystems: they filter the bad stuff out and leave things a lot cleaner.

As water quality is vital to life in the ocean, the global routing system is vital to the smooth functioning of the Internet. The routing system’s decentralized structure, made up of thousands of independent networks tied together through business decisions and trusted relationships, provides flexibility, scalability, and overall durability.

However, despite its strengths, thousands of routing incidents occur every year. Some of these can be pretty scary, with route hijacks sending government traffic through the networks of foreign adversaries; route leaks slowing parts of the global Internet to a crawl; or hackers using spoofed traffic to take down websites in distributed denial of service (DDoS) attacks.

Network operators can help mitigate these problems by using stronger filtering policies to block spoofed traffic coming from their networks (helping guard against DDoS attacks) and filter route announcements from neighboring networks to separate the real announcements from the bogus (helping guard against routing incidents). They can help filter out the pollutants of the routing system.

Yet, both network operators and bivalves suffer from serious image problems.

Sure, we all know mussels as the things that look like shells and taste great when cooked with butter and white wine, but did we know they are also one of our best allies in cleaning the oceans? And who knew that network operators do so much to ensure the smooth function of the Internet?

Bivalves are incentivized to clean the ocean as a part of getting food – so they will always do it. Network operators, as businesses, also need incentives to do the right things on routing security. Unfortunately, while the solutions to routing security are known, a lack of incentives, particularly the difficulty of credibly signaling one’s routing security to customers or peers, holds back their implementation.

The Mutually Agreed Norms for Routing Security (MANRS) is trying to change that.

Because MANRS is a visible, measurable, and actionable set of principles, network operators who join can show their customers, peers, and governments that they are doing their part to improve routing security online. And, with the forthcoming MANRS Observatory and Dashboard, people everywhere will be able to see the quantitative difference that MANRS members have vs. non-members in implementing routing security best practices.

These days, people tend to like the humble oyster or mussel. Sure, they look like rocks and live in the mud, but they play an important part in making their ecosystem safer for everything else in it.

Network operators have an opportunity to demonstrate their leadership in improving the security of the global routing system.

Come see our booth this week at ITW to learn more about MANRS and how joining could help your business.

Join MANRS and take simple, concrete steps to improve Internet security and reliability!


A New Survey Shows Few Actively Encrypting More Because of Internet Distrust

A new survey shows that only a handful of people who said they distrust the Internet are actively choosing encryption in response.

The survey, called the CIGI-Ipsos Global Survey on Internet Security and Trust, was conducted by Ipsos on behalf of the Canadian think tank the Centre for International Governance Innovation (CIGI). The Internet Society (ISOC) and the United Nations Conference on Trade and Development (UNCTAD) are partners in the survey, which is now in its fifth year.

The survey asked more than 25,000 individuals in 25 economies their opinion on Internet security, privacy, and trust.

Trust is very personal. The word “trust” may mean different things to different people. What we consider to be trust is constantly evolving and is shaped by many factors including our culture, our education, and our experience. 

The survey asked users how much they agree or disagree with the statement “Overall, I trust the Internet”. We did not ask users how much they trust the Internet to perform in specific ways or to provide a specific user experience. However, the question provides a rough indicator of positive or negative attitudes towards the Internet.

74% of respondents in 2019 agreed with the statement “overall, I trust the Internet”. But, of the 36% who did not agree, more than 60% cited a lack of Internet security as a reason. And at least 81% of these respondents cited cybercriminals as a source of that distrust.

In response to these concerns, 49% of these respondents started sharing less personal information online and 39% began using the Internet more selectively. This could mean they are being more careful about disclosing personal information and which online sites they visit, but it also could mean they are self-censoring or otherwise limiting their online experience. Surprisingly, only 19% of these respondents said they were using more encryption or other privacy and security-enhancing tools to protect themselves online. This could mean that some people do not know how to use encryption tools or that some people find encrypting their data too hard. It may also mean that users aren’t aware that some of the services that they are using are encrypted.

Encryption is currently one of the best tools available for protecting the data of users online. The technology scrambles data or turns it into a coded form so it can be read only by someone with the means to return it to its original state. It helps protect people by: keeping their communications and information confidential; preventing their data from being altered; and ensuring they are communicating with the right service. We rely on it every day for things like web browsing, online banking, elections, electricity, hospitals, transportation, and more.

While there is no single solution to Internet security, strong encryption helps make the Internet more secure and it should be the norm.

Here’s What You Can Do Right Now

We’re excited to be at RightsCon this year and to talk about how the CIGI-Ipsos findings show that people are worried about their security and privacy online, and that we can all take a stand for strong encryption to make the Internet more secure for everyone. Security and trust are critical to ensuring that people stay online.

Whether you are at RightsCon in person or participating remotely, we’d love your help!


Fact or Fiction? With IoT It’s Not Always Clear

Recently, owners of expensive smart shoes found themselves at loose ends. Unable to pair the shoes to their smart phone app, they couldn’t tighten their self-lacing sneakers. It sounds like science fiction, but this really happened.

From dental sensors that can monitor what a person eats to kitty litters that can track a cat’s every movement, it can be difficult to sort fact from fiction when it comes to the Internet of Things (IoT). Can you tell which is real and which is not?

Fact or Fiction? The voice came from inside the Arizona man’s home – his home security camera to be exact. “You’ve never met me. I’m just a hacker.” Fortunately, it was a friendly hacker, alerting the household to a vulnerability in their home security system.

Fact: The hacker had a solution: turn on two-factor authentication. When using IoT devices, consumers can take this simple step, plus a few others, to help protect their privacy and security.

Fact or Fiction? A couple returned home to find that their carpet had been worn through by their overzealous Internet-connected vacuum cleaner. A hacker had programmed it to clean one square foot of their carpet for several hours.

Fiction: While there are plenty of robot vacuums on the market – and at least one has been found to have vulnerabilities that could allow its owners to be spied on – we have yet to learn of one that channels Lady Macbeth: “Out, damned spot!”

Fact or Fiction? FlushSmart is disrupting the plumbing industry. The WiFi-enabled product attaches to your bathroom infrastructure, scans everything you flush, and analyzes the contents.

Fact and Fiction: It seems like fiction, but you can buy an “intelligent toilet,” which features a heated seat, built-in speakers, and voice control. When it comes to its security features, let’s hope the manufacturer takes privy-cy seriously. They can stay one step ahead with the OTA IoT Trust Framework, which provides manufacturers and others with a simple risk assessment guide for connected devices and systems.

Fact or Fiction? In a ski resort in Austria, guests found themselves locked out of their rooms, which were secured via an electronic key system. The doors were unlocked only after the hotel agreed to pay hackers two bitcoins (about $1,800 USD).

Fact: When this happened in 2017, a spokesperson said the hotel was considering a return to old-fashioned locks and keys.

The good news is that we don’t have to return to the past. Everyone can take steps to make their IoT products more secure, starting with Top Tips for Consumers. We’re asking manufacturers to take action, too, by baking privacy and security into their products – Trust by Design.

March 15th is World Consumer Rights Day, and this year’s theme is Trusted Smart Products. When it comes to making IoT secure, we can all make a difference.

  • Explore #GetIoTSmart, which includes resources for consumers and manufacturers
  • Participate in the tweet chat with the hashtag #IOTsAwareness2019
  • Join us at the Consumers International Summit, which takes place 30 April to 1 May in Estoril, Portugal

In India, Days Left to Comment on Rules That Could Impact Your Privacy

The public has until 31 January to comment on a draft set of rules in India that could result in big changes to online security and privacy.

The Indian government published the draft Information Technology [Intermediary Guidelines (Amendment) Rules] 2018, also known as the “Intermediary Rules,” for public comment.

When it comes to the Internet, intermediaries are companies that mediate online communication and enable various forms of online expression.

The draft Intermediary Rules would change parts of the Information Technology Act, 2000 (the “IT Act”), which sets out the requirements intermediaries must meet to be shielded from liability for the activities of their users. The draft rules would also expand the requirements for all intermediaries, which are defined by the Indian government and include Internet service providers, cybercafés, online companies, social media platforms, and others. For example, all intermediaries would have to regularly notify users on content they shouldn’t share; make unlawful content traceable; and deploy automated tools to identify and disable unlawful information or content, among other new requirements.

Here’s some more background:

  • News reports are citing a number of concerns about the draft rules. Ours centers on their potential impact on the use of encryption.
  • Encryption is the process of scrambling or enciphering data so it can be read only by someone with the means to return it to its original state. End-to-end encryption is the most secure form of encryption available, in which only the sender and intended recipient can read the message.
  • Although you might not realize it, you rely on encryption every day. It protects you while you browse the web, shop online, use mobile banking, or use secure messaging apps.
  • By requiring the deployment of automated tools to identify and disable unlawful information or content on their platforms, the proposals in the draft Intermediary Rules could require intermediaries to break their end-to-end encryption or otherwise risk becoming liable for the activities of their users.
  • This weakens the technology meant to keep our private information private. That means it’s easier for anyone, anywhere, to access our stuff. And, with all intermediaries impacted by this decision, it’s not just end-to-end encrypted messaging applications like WhatsApp or Signal that are affected, but also secure Voice over IP (VoIP) services, some cloud storage services, and much more.
  • We believe strong encryption is critical to the Internet and should simply be how things are done. We’re working to ensure encryption is available for everyone and it becomes the default.

If you want to make your voice heard on these draft rules, now is the time. The deadline to submit comments to India’s Ministry of Electronics and Information Technology (MeitY) is 31 January. Send them to:

  • gccyberlaw[at]meity[dot]gov[dot]in
  • pkumar[at]meity[dot]gov[dot]in
  • dhawal[at]gov[dot]in

Routing, and Water, Are All about Trust: Introducing “Routing Security for Policymakers”

Introducing the new Internet Society white paper, “Routing Security for Policymakers”

The global routing system is a lot like a water system in a city. It’s vitally important to the Internet and we tend to overlook it until something goes wrong.

Routing determines how packets (data sent over a network or networks) containing information, like email messages, website data, and voice-over-IP (VoIP) calls, move from one place to another on the Internet. However, despite its importance, many people only think about Internet routing when they hear about a major routing incident in the news or can’t reach their favorite websites.

Both the water system and the routing system are, at their core, built on trust. 

A water system relies on hundreds of workers, its water suppliers, local farmers and companies, and countless others to deliver its service. The system is based on chains of trust, with each person or entity relying on the other to act appropriately.

Similarly, the global routing system is a complex, decentralized system made up of tens of thousands of individual networks. Independent business decisions and trusted relationships between individual network operators that are implementing the Border Gateway Protocol (BGP) determine how the network operates. (A routing protocol is the way in which a network determines the path a data packet is going to take. To route traffic between networks, most networks use BGP.) The routing system’s decentralized structure provides flexibility, scalability, and overall durability.

Yet, despite its strengths, thousands of routing incidents occur every year. Just as water main breaks, broken pipes, and sewage backups can disrupt life in a city, routing incidents like route leaks, route hijacks, and IP-address spoofing each have the potential to slow down Internet speeds or even to make parts of the Internet unreachable, thus disrupting the ability of companies or users to access critical services or information. Packets could also get diverted through malicious networks, providing an opportunity for surveillance.

The solutions to address many routing incidents are known, but we lack the incentives to implement them.

Unfortunately, routing security is not a market differentiator, meaning that it is difficult for network operators to demonstrate their contribution to routing security in ways that customers will appreciate and value. Routing incidents are easiest to address by the network operators at their source, but their negative effects are most likely to be felt on another network. Since the perceived benefits will mostly go to other networks and not their own, network operators are less likely to invest in better routing security. In order to address the broader ecosystem challenges facing routing security, all stakeholders, including governments, need to play their role in order to strengthen the security and reliability of the global routing system.

To help policymakers understand these issues, the Internet Society has released a white paper, “Routing Security for Policymakers,” that provides policymakers with an introduction to routing security. In the paper, we highlight key issues and challenges of routing security, together with guiding principles and recommendations for policymakers.

Only through global, collective action can we improve the security of the global routing system, thus making the Internet more secure for everyone. Through procurement policies, large companies and governments can demand better routing security from their Internet service providers – much as a water department would place water purity requirements on its own water suppliers. These procurement policies could have a trickle-down impact on the wider industry.

Let’s take the water analogy one step further: if we don’t want our sewers to clog up or even flood, we know that we shouldn’t pour grease down the drain. Similarly, all networks providing Internet connectivity, including enterprise or government networks, should do their part to implement better routing security on their own networks. By using stronger filtering policies to determine when bad announcements are made by neighboring networks, networks can limit the number of route leaks and route hijacks they contribute to, thus making the Internet more secure for all of us. (Networks make announcements to one another which detail the addresses reachable through or on their network or a customer’s networks. Announcements help determine how routers decide to route traffic to a destination. Each network determines what it will accept as an announcement from other networks.) By using IP source validation to find spoofed traffic, networks can help prevent devices on their network from participating in distributed denial of service (DDoS) attacks. (IP source validation comprises techniques used to ensure that the source IP address given in a packet is a valid one.)
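To make the two checks above concrete, here is an added sketch (not taken from the white paper) of an announcement filter and a source-address check for a single neighboring network. The prefix list, the maximum prefix lengths and the function names are assumptions made for this example, and the addresses are constructed from documentation ranges.

```python
import ipaddress

# Constructed sample data (documentation address ranges): prefixes that a
# hypothetical customer network is authorized to announce and to send from.
CUSTOMER_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8:100::/40"),
]
# Assumed policy for this example: reject routes more specific than these.
MAX_PREFIX_LEN = {4: 24, 6: 48}


def check_announcement(prefix, allowed=CUSTOMER_PREFIXES):
    """Return (accepted, reason) for a prefix announced by the neighbor."""
    try:
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError:
        return False, "malformed prefix"
    if net.prefixlen > MAX_PREFIX_LEN[net.version]:
        return False, "too specific"
    for auth in allowed:
        # subnet_of() raises TypeError across IP versions, so compare first.
        if auth.version == net.version and net.subnet_of(auth):
            return True, "covered by " + str(auth)
    return False, "not authorized for this neighbor"


def source_is_valid(src, allowed=CUSTOMER_PREFIXES):
    """Source validation: does the packet's source address belong to the
    prefixes assigned to the network it arrived from?"""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in auth for auth in allowed)


if __name__ == "__main__":
    for p in ["192.0.2.0/24", "198.51.100.0/24", "192.0.2.128/25",
              "2001:db8:101::/48"]:
        print(p, check_announcement(p))
    for s in ["192.0.2.77", "203.0.113.5"]:
        print(s, "valid" if source_is_valid(s) else "spoofed, drop")
```

An announcement for a prefix the neighbor was never assigned is rejected before it can propagate as a leak or hijack, and a packet whose source address lies outside the neighbor's prefixes is dropped at the edge instead of being forwarded as spoofed traffic.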

Whether it’s a water system or the Internet, life gets harder when we can’t trust that each participant is doing their part to make things more secure. Please read and share “Routing Security for Policymakers” to learn more about the challenges we face and what you can do to strengthen routing security.

Read “Routing Security for Policymakers.” The white paper is also available in French and Spanish.