www.internetsociety.org
“SECURITY” IN A DIGITAL INTERCONNECTED WORLD
Central Asian Internet Symposium, Bishkek, 10 December 2014
The Internet Society
The Internet invariants
9 October 2014
Global connectivity and integrity
– Global reach and consistent view from any point
Permission-free innovation
– Yet undiscovered functionality
Accessibility
– Anyone can contribute and become part of it
Spirit of cooperation
– Foundation for evolution and resiliency
The complexity of the security landscape
Open platform
– open for attack and intrusion
Permission-free innovation
– development and deployment of malware
Global reach
– attacks and cybercrime are cross-border
Voluntary collaboration
– hard to mandate
Users' expectations: trust
User trust in networks, devices, and transactions is essential in driving social and commercial interaction
Security, Stability, Confidentiality, Integrity, Resiliency and Scalability are tools to achieve trust
Why do we care about “security”?
We want to be “secure” and feel “secure” …
BUT …
Policy measures that are premised on stopping bad things, rather than protecting what is valued, provide no guide as to how far those measures should go.
AND …
If we are not careful, the spectre of cyber threats can be used as a vehicle for control of networks and how they are used, plus pervasive monitoring
Understanding security
Security is not an end in itself
There is no such thing as absolute security: there will always be threats
We need to think about “secure” in terms of residual risks that are considered acceptable in a specific context.
Resilience is key
There are “inward” and “outward” risks
Risks may require more than one actor to manage
Collective and shared risk management
Ingredients for cybersecurity solutions
International cooperation
– Most of the issues are cross-border
Preservation of Internet values
– A fine balance
Technical foundation
– Solutions based on open standards
Collaborative responsibility
– Industry self-regulation
Things you can do as an operator
Detect, close or protect open resolvers and other potential amplifiers
Deploy best practices aimed at improving routing hygiene
Deploy anti-spoofing measures, preventing traffic with spoofed source IP addresses
Deploy DNSSEC (validation) to secure name resolution for your customers
Detect and mitigate infected and compromised devices on your network
Cooperate with other networks in detection, tracing back and mitigation of attacks
What you can do as a government
Foster a collective and shared risk management approach to security that:
– draws from voluntary collaboration
– preserves the fundamental characteristics of the Internet (“the Internet invariants”)
– furthers objectives that will benefit citizens (e.g. economic and social prosperity, participation in a global community)
– preserves fundamental rights
Focus on “cyber-resilience”
Build trust not distrust
Use the experience of your diverse stakeholders to develop policy (“the multistakeholder approach”)
Creatively use the range of tools in the policy toolbox
Statistics, Web Traffic
• HTTPS increased 4% to 17% from 2008 to 2014, for all web traffic (Source: IIJ)
Pain Points and Hot Debates
• There is no single reason behind the increasing use of encryption, but the change has a real impact on the world
• Operator business models, technical solutions for various things, censorship will be harder (both good and bad kind), …
• All this will cause friction
• Motives of players are not fully aligned
Reality Check
• “Everything is in the clear” approach is clearly unworkable
• Encryption will reduce the number of parties that see traffic
• But not eliminate them: content provider, browser vendor, CAs, proxy provider, corporate IT department, …
• World still moves ahead on a voluntary basis on what technology is chosen and on what technology a particular party can adopt
• Surveillance shifts, not eliminated
• Useful technical things done in different ways, not eliminated
• Some potential bad outcomes to avoid: MITMs, regulation limiting security, fragmentation, device control, …
Spotlight on a voluntary bottom-up initiative
The MANRS (Mutually Agreed Norms for Routing Security) - https://www.routingmanifesto.org/manrs
Defines a minimum package (“a set of commitments”)
Raises awareness and encourages action through the growing numbers of supporters
Demonstrates that industry is able to address complex issues, even where they may not directly benefit
Clear and tangible message:
“WE DO AT LEAST THIS AND EXPECT YOU TO DO THE SAME”
The MANRS … in more detail
Principles of addressing issues of routing resilience
– Interdependence and reciprocity (including collaboration)
– Commitment to Best Practices
– Encouragement of customers and peers
“The package” indicating the most important actions
– BGP Filtering
– Anti-spoofing
– Coordination and collaboration
High-level document specifying “what”
– “How” is in external documents (e.g. BCPs)
Principles
1) The organization (ISP/network operator) recognizes the interdependent nature of the global routing system and its own role in contributing to a secure and resilient Internet
2) The organization integrates best current practices related to routing security and resilience in its network management processes in line with the Actions
3) The organization is committed to preventing, detecting and mitigating routing incidents through collaboration and coordination with peers and other ISPs in line with the Actions
4) The organization encourages its customers and peers to adopt these Principles and Actions
Good MANRS
Prevent propagation of incorrect routing information
Prevent traffic with spoofed source IP address
Facilitate global operational communication and coordination between the network operators
Facilitate validation of routing information on a global scale.
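The first two actions above (filtering incorrect routing information and blocking spoofed source addresses) can both be driven from one table of customer address assignments. The sketch below is an added example, not part of the original slides or of the MANRS document; the customer names, the prefix table and the maximum prefix lengths are constructed assumptions.

```python
import ipaddress

# Constructed sample data: address space each customer is authorised to use.
# Customer names are hypothetical; prefixes are documentation ranges.
CUSTOMER_PREFIXES = {
    "cust-a": ["192.0.2.0/24", "2001:db8:a::/48"],
    "cust-b": ["198.51.100.0/24"],
}
# Assumed local policy: most specific prefix length accepted per IP version.
MAX_PREFIX_LEN = {4: 24, 6: 48}


def authorised_networks(customer):
    """Return the customer's authorised prefixes as network objects."""
    return [ipaddress.ip_network(p) for p in CUSTOMER_PREFIXES.get(customer, [])]


def accept_announcement(customer, prefix):
    """BGP filtering: accept a route from a customer session only if it lies
    inside that customer's authorised space and is not too specific."""
    try:
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError:
        return False  # malformed prefix or host bits set
    if net.prefixlen > MAX_PREFIX_LEN[net.version]:
        return False
    return any(
        net.version == auth.version and net.subnet_of(auth)
        for auth in authorised_networks(customer)
    )


def accept_source(customer, src_ip):
    """Anti-spoofing: forward a packet arriving on the customer's port only
    if its source address is inside that customer's authorised space."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False
    return any(addr in auth for auth in authorised_networks(customer))
```

In production the same decisions are enforced by router prefix lists and ingress ACLs or uRPF; the point here is that both filters derive from the same per-customer assignment data.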
Participating in MANRS
1. The company supports the Principles and implements at least one of the Expected Actions for the majority of its infrastructure. Implemented Actions are marked with a check-box.
2. The company becomes a Participant of MANRS, helping to maintain and improve the document, for example, by suggesting new Actions and maintaining an up-to-date list of references to BCOPs and other documents with more detailed implementation guidance.
3. This category is for network operators, or other entities acting in this role (e.g. a network equipment vendor, running its own network infrastructure)
12/18/2014
Status update
Launched 6 November 2014 with 9 participants
One month later: 14 participants.
Seeking committed network operators.
Contact us: www.routingmanifesto.org/contact/