
Collaborative Security: The Way Forward

In the past year, the conversation about the Internet has centered around issues of trust.  As we have discussed here, concerns about criminal hacking, commercial espionage, increasing cyber attacks and pervasive government surveillance have caused the technical/policy community to concentrate efforts on preventive and corrective solutions. One focus at the Internet Society is the promotion of an approach that we call “Collaborative Security”.

In that approach, we have urged that restoring trust is a collective responsibility and that all players on the Internet must do their part. We have insisted that any solution be grounded in fundamental human rights and that we cannot break the Internet in our efforts to fix it.

Yet, as governments have attempted to cope with cybersecurity issues, there has been a tendency to rely on the traditional top-down mechanisms used in the past for physical security or telecommunications security to solve problems in the new world of the Internet. We are wary of both ineffective, short-term “fixes” and massive government overreach.

The Global Conference on CyberSpace 2015

At The Hague earlier this month, the Global Conference on CyberSpace (GCCS2015) brought a different approach to the problem. The Dutch government brought together over 2,000 people from all over the world to discuss Cyber Security under the themes of Freedom, Growth and Security. The tone of the conference was one of optimism and openness. Indeed, one of the most important successes of the week, in my opinion, was the decision of the Dutch government to include business, civil society and the technical community in this forum, which has previously focused principally on intergovernmental conversations.

The recognition that governments alone cannot fix the security of the Internet is central to making progress on restoring trust in the complex, multistakeholder environment that is the Internet. While civil society, in particular, legitimately asked for greater inclusion, it was encouraging that the design of the meeting fully embraced the necessity for greater inclusion of all sectors.

I was pleased that Internet Society staff and members were able to work with a very receptive Dutch government to open up this GCCS event to members of the Internet’s technical community. Indeed, I was delighted to greet an impressive number of ISOC Chapter members who were attending.

Both Olaf and I had an opportunity to discuss the collaborative security approach in our respective GCCS 2015 panels. Olaf’s blog post is particularly helpful.  We hope that you will take a few minutes to familiarize yourself with the Collaborative Security document, use it in your work and provide feedback on how the approach is achieved on the ground.

The Global Commission On Internet Governance

While at The Hague, I was privileged, as an “official observer”, to participate in the meeting of the Global Commission on Internet Governance (GCIG) chaired by former Swedish Prime Minister Carl Bildt (sometimes called the “Bildt Commission”). The GCIG issued a statement “Toward a Social Compact for Digital Privacy and Security” that I also encourage you all to read. This Statement is the result of a thoughtful debate among and between diverse points of view on the Commission on how to integrate citizen security and privacy with legitimate state security. The report gives a strong nod to our notion of collaborative security and it acknowledges the need for the intentional involvement of legitimate stakeholders in finding solutions that integrate both privacy and security and which rest on foundational human rights. I believe that the principles set out in this Report warrant our serious consideration.

Internet.nl

I also was pleased to see, during the GCCS 2015 week, the launch of Internet.nl, a new site designed to answer the question “Is Your Internet Up To Date?” Our Internet Society Chapter in The Netherlands was very involved in this effort as were a few of our staff from our office in Amsterdam.  The site provides a very simple method to test if your websites and your Internet connection are using the latest Internet standards such as IPv6, DNSSEC and TLS.  Services like these go far in helping us increase the overall security of the Internet.

Joint Statement of Technical Community

Finally, on Friday afternoon after the GCCS 2015 Chair’s Statement was released, a number of organizations and individuals from within the Internet’s technical community joined together to issue a joint statement reflecting on the event.  Bringing together AfTLD, APNIC, auDA, CENTR, ICANN, LACTLD, RIPE NCC as well as ISOC and a number of other tech experts demonstrated the kind of collaborative engagement we believe is required to address issues related to the Internet.  The human capacities and fundamental principles laid out in that document are ones that we believe are critical for the future of  the Internet.

The events at The Hague provided staff and many members and friends of ISOC an important opportunity to share our thinking on the pressing issues of trust and security. We had outstanding discussions; our agenda of keeping the Internet open while increasing the security made solid progress.

I look forward to continuing these conversations at the next GCCS event in Mexico and at all the Internet governance events in between.  Working together we will change the cybersecurity conversation to be more inclusive of all stakeholders.  The Internet is for everyone – and we each have our role to play in making the Internet more secure.   Please join with us!


Internet is All About Collaboration

The Internet, as a global system, is a network-of-networks held together by a spirit of collaboration. When information traverses the Internet it may pass through a handful of networks, and the network from which the traffic originated probably has no formal relationship with the network that receives it. The reason why that works is collaboration, both in exchanging and carrying traffic from other networks, and in solving problems that may have originated several hops away.

The basis for this collaboration is a number of open standards and practices that all the network operators have adopted voluntarily. In fact, voluntary adoption is one of the core principles of the Open-Stand paradigm.

Joining the ecosystem

When you connect to the Internet, you become a part of its ecosystem. Even more, across the Internet there is no clear line between consumers and suppliers; every participant is a contributor. That comes with a collaborative responsibility: you should consider not only how the global system impacts you, but also the impact you produce on the system through your activity or inactivity.

This perspective is especially important in the area of security (also see the Internet Society’s recent paper on Collaborative Security). As an end-user, that means that you do all you can to keep your own systems secure, to reduce the risk of their being taken over and used to abuse others. For service providers, that means making specific security features available. Those offerings and measures may not bring an immediate return on the investment, and in the short term they may even lead to additional cost. But they will help to raise the level of security in the system and reinforce confidence in the Internet.

And therein lies the problem: there is no direct economic incentive for individual providers to deploy some of these technologies.

Can’t their deployment be mandated then? In theory yes, but that approach would go against one of the fundamental and foundational principles of the Internet: as an organic system, a network of autonomous networks, not built from a global blueprint but developing in accordance with local needs and conditions, deployment depends on voluntary agreement and collaboration. Forcing security and scalability through global mandates may be slow, and may have unintended side effects. It also assumes that a global consensus can be reached on a multitude of security issues.

The voluntary collaborative approach, combined with a continuing dialogue with those who impact and are impacted by certain measures — the end-users, the policy makers, and the technicians — allows more flexibility and agility. Measures taken can more easily be adjusted to minimise unintended adverse consequences.

“The Internet way”

Accomplishing global deployment of secure, resilient, future-proof Internet technology is better done “the Internet way”: at the initiative of individual actors, based on their own decisions and their own leadership; and through sharing know-how and experience, both voluntarily and professionally.

One important aspect in getting new innovations deployed is awareness and visibility. Deploying these Internet technologies is like installing new plumbing: something has improved, but the water still tastes the same. Leaders who want to inspire their colleagues to follow suit will have to provide some visibility into what their innovations bring.

A profound example is the just-launched Internet.nl initiative, in which the Dutch Internet community, a ministry, and a governmental agency have collaborated to set up a website that helps to highlight the status of deployment of key Internet technology. The website gives users simple and straightforward information about their own access to various innovative technologies.

Some of these technologies contribute to the continued scalability of the Internet (IPv6 support and transparency of the network), while some relate to security (DNSSEC, anti-spam and anti-phishing, and support for encryption). By doing so, the site helps to promote the open standards that will make the Internet more scalable and more secure. It highlights the leaders, and provides the followers with tools and know-how.

[Editor’s Note: This guest post by Olaf Kolkman originally appeared at https://en.internet.nl/blogs/olaf-kolkman/internet-draait-om-samenwerking/ in celebration of the launch of Internet.nl. The post also appeared in Dutch at https://en.internet.nl/blogs/olaf-kolkman/internet-draait-om-samenwerking/.]


Introducing Collaborative Security, our approach to Internet security issues

Isn’t the cybersecurity debate highly confusing at times? There is a lot of talk about the security of all sorts of cyber assets, discussion about cyberwarfare and cyberdefense, and in all these discussions the Internet seems to be central, often mentioned in a not-so-positive context.

In recent conversations I’ve made the analogy between “Cybersecurity” and “The Economy”. We all want to fix the economy but making progress is not an easy task. As soon as you are beyond that statement you notice that there is a lot of nuance. Issues like trust, influence, actors, and affectivity all come into play when you want to fix the Economy. The cybersecurity discourse has similar features.

It is important to dissect the cybersecurity debate into palatable pieces, recognize that all these pieces interact, and be careful about what we talk about. Cybersecurity is often about security in a networked world. For example, an attack on a company where lots of data is stolen is in essence a company security issue that is exacerbated because the company is on the Internet. Without dismissing the importance of that discussion, I would like to take a very specific perspective. Let’s talk about the security of the Internet as a system.

How do we enable people to trust in the security of their communication and connections across the Internet while ensuring the Internet remains open and accessible? How do we keep confidence at such a level that businesses are happy to offer their products and services on-line, that journalists will feel confident that they can do their work in the more dangerous places on the planet, and that a kid from Bangladesh can invent a new application that can make the current favorite tools and services irrelevant?

Given that the Internet is a global network of networks without any centralized control, there is no magic answer. There are no single solutions that can be prescribed by governments or just implemented by network operators.

Central to this notion is that when you are on the network you are also part of the network. The reality is that comprehensive Internet security only comes through the efforts of many different people collaborating together to take action to help ensure the security, resilience and stability of the global Internet.

Today, we at the Internet Society are publishing a document that outlines “Collaborative Security”. This Collaborative Security approach is characterized by five key elements:

  1. Fostering confidence and protecting opportunities: The objective of security is to foster confidence in the Internet and to ensure the continued success of the Internet as a driver for economic and social innovation.
  2. Collective Responsibility: Internet participants share a responsibility towards the system as a whole.
  3. Fundamental Properties and Values: Security solutions should be compatible with fundamental human rights and preserve the fundamental properties of the Internet – the Internet Invariants.
  4. Evolution and Consensus: Effective security relies on agile evolutionary steps based on the expertise of a broad set of stakeholders.
  5. Think Globally, act Locally: It is through voluntary bottom-up self-organization that the most impactful solutions are likely to be reached.

The Collaborative Security paper provides further details regarding each of these elements, but, here I want to quickly explore a few examples to show where this approach is already in action.

Open Internet Standards

The development of Internet standards within the Internet Engineering Task Force (IETF) is a prime example of solutions that scale globally and are available for people to act locally. Deployment of these standards is also a collective responsibility: creating the standards is only the first part of the equation; we must also make sure those standards can and will be implemented, specifically since the deployment of open standards is voluntary, and not mandated.

Keeping Internet Routing Secure

An initiative launched last year, the Mutually Agreed Norms for Routing Security (MANRS), is a voluntary, bottom-up agreement between network operators to collaborate together to improve the security of the Internet’s routing system. Already, some of the largest global networks have signed on as participants, and more networks are signing on every week. This is a key example of the kind of collaboration we need.

CERTs and CSIRTs

All across the world, computer emergency response teams (CERTs), also known as computer security incident response teams (CSIRTs), established by governments, businesses, educational institutions, private enterprises and others, long ago realized that while they could fight some of the threats to Internet security, their strength would grow if they collaborated together to share security information. Through organizations such as the Forum for Incident Response and Security Teams (FIRST), these teams are showing the elements of “collaborative security” in action on a daily basis.

Many more examples

I could continue listing examples: the hundreds of Network Operator Groups (NOGs) around the world; the DNS security community; academic conferences such as NDSS, bringing together security researchers. This idea of “collaborative security” is part of the “Internet way” that has been with us since the birth of the Internet decades ago.

Today, though, this amazing creation called the Internet is at the center of so many aspects of our lives. It has become a global engine of innovation, commerce and creativity. We use it every day to communicate and connect with people around the world.

For the Internet to continue to be this global engine of growth and to continue to allow communication and creativity to blossom, we need to work together collaboratively to improve the security of the Internet and ensure that users can have confidence that their communication and information across the Internet can be secure.

This week I will join several colleagues at the Global Conference on CyberSpace 2015 (GCCS2015) which is happening at The Hague and bringing together thousands of participants from governments, businesses and other organizations across the world. Here we will talk about the key themes of growth, freedom and security. During our engagements at GCCS2015 we will be using the principles of this Collaborative Security approach to frame how we think we, as a society, should be tackling these challenging issues to bring about a better and a stronger Internet.

We ask you to join us in that endeavor. The Collaborative Security approach is not just a discussion piece. It is a call for action, for Internet participants to take responsibility. Please look at your own networks and sphere of influence and ask how you can implement these principles.

Please join with us to make the Internet more collaboratively secure!


Photo credit: Olaf Kolkman on Flickr, used with his permission.


Internet Society Activities At The Global Conference on CyberSpace 2015 (GCCS2015)

Next week, the Internet Society will be in The Hague for the Global Conference on CyberSpace 2015 (GCCS2015) and other associated events including:

Internet security is a key focus for our organization this year and GCCS15 provides an important venue to continue cybersecurity discussions across many different stakeholder groups.

Kathy Brown, our President and CEO, will be speaking in a focus session on Thursday, 16 April 2015, at 16:45 (local time) focused on a secure place for business and people. A live stream will be available, so please go to the GCCS website to watch this session. Prior to that, on Wednesday, 15 April 2015, Kathy will be participating in the Global Commission on Internet Governance (GCIG) session led by Carl Bildt. We will have more news to share about these sessions next week.

Olaf Kolkman, our CITO, will be speaking at the same time in a parallel session towards 21st century Internet standards, emphasizing the necessity to support the development, deployment and use of open standards. He will be highlighting the Open Stand principles. At this point in time, it appears there will not be a live stream for this session. Olaf will also be involved in several activities organized by the ISOC Netherlands Chapter – watch for some exciting news!

Andrei Robachevsky, Technology Programme Manager, will be participating in a panel in a ONE Conference side event on Monday about increasing Internet resilience with BCP38 and onward organized by the Dutch NCSC. The full details of this event are still being ironed out but the focus will be how to increase adoption of anti-spoofing measures and best practices, such as the Internet Engineering Task Force (IETF) Best Current Practices BCP 38 – Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing. To learn more about our work in this area, please visit our Deploy360 Anti-Spoofing section and our MANRS initiative.

Finally, I will be joining other non-government stakeholders in a GCCS pre-event, a Civil Society Strategy Session on Wednesday, 15 April 2015, organized by the GCCS Advisory Board designed to coordinate stakeholder input in advance of the conference. On Tuesday, alongside the ONE Conference, I will also be participating in a networking breakfast organised by Women in Cyber Security (WiCS) which will be opened by the Cyber Security Director of the Netherlands Ministry of Security and Justice, Wilma van Dijk.

It will be a very busy week for all of us as we engage in these discussions and sessions.  We are very much looking forward to meeting attendees from many different stakeholder groups from all around the world. If you are at the GCCS2015 event please do find us and say hello.

We will also have some announcements of our own throughout the week.  To stay up-to-date on what we are doing, please watch this blog and also follow us on Twitter, Facebook or Google+.

Image credit: Global Conference on CyberSpace 2015