“Security” In a Digital Interconnected World

“SECURITY” IN A DIGITAL INTERCONNECTED WORLD
Central Asian Internet Symposium, Bishkek, 10 December 2014
www.internetsociety.org


The Internet Society, 9 August 2014
Image from Wikimedia Commons: The Opte Project


The Internet invariants


Global connectivity and integrity

– Global reach and consistent view from any point

Permission-free innovation

– Yet undiscovered functionality

Accessibility

– Anyone can contribute and become part of it

Spirit of cooperation

– Foundation for evolution and resiliency


The complexity of the security landscape


Open platform

– open for attack and intrusion

Permission-free innovation

– development and deployment of malware

Global reach

– attacks and cybercrime are cross-border

Voluntary collaboration

– hard to mandate


User expectations: trust

User trust in networks, devices, and transactions is essential in driving social and commercial interaction

Security, Stability, Confidentiality, Integrity, Resiliency and Scalability are tools to achieve trust


Why do we care about “security”?

We want to be “secure” and feel “secure” …

BUT …

Policy measures that are premised on stopping bad things, rather than protecting what is valued, provide no guide as to how far those measures should go.

AND …

If we are not careful, the spectre of cyber threats can be used as a vehicle for control of networks and how they are used, plus pervasive monitoring


Throw out preconceptions


Understanding security

Security is not an end in itself

There is no such thing as absolute security: there will always be threats

We need to think about “secure” in terms of residual risks that are considered acceptable in a specific context.

Resilience is key

There are “inward” and “outward” risks

Risks may require more than one actor to manage

Collective and shared risk management


Resilience


Inward and outward risks


Ingredients for cybersecurity solutions


International cooperation

– Most of the issues are cross-border

Preservation of Internet values

– A fine balance

Technical foundation

– Solutions based on open standards

Collaborative responsibility

– Industry self-regulation


Things you can do as an operator

Detect, close or protect open resolvers and other potential amplifiers

Deploy best practices aimed at improving routing hygiene

Deploy anti-spoofing measures, preventing traffic with spoofed source IP addresses

Deploy DNSSEC (validation) to secure name resolution for your customers

Detect and mitigate infected and compromised devices on your network

Cooperate with other networks in detection, tracing back and mitigation of attacks


What you can do as a government

Foster a collective and shared risk management approach to security that:

draws from voluntary collaboration

preserves the fundamental characteristics of the Internet (“the Internet invariants”)

furthers objectives that will benefit citizens (e.g. economic and social prosperity, participation in a global community)

preserves fundamental rights

Focus on “cyber-resilience”

Build trust not distrust

Use the experience of your diverse stakeholders to develop policy (“the multistakeholder approach”)

Creatively use the range of tools in the policy toolbox


Example: Pervasive Monitoring


Pervasive Monitoring


Statistics, Web Traffic

• HTTPS increased 4% to 17% from 2008 to 2014, for all web traffic (Source: IIJ)

Pain Points and Hot Debates

• There is no single reason behind the increasing use of encryption, but the change has a real impact on the world

• Operator business models, technical solutions for various things, censorship will be harder (both good and bad kind), …

• All this will cause friction

• Motives of players are not fully aligned

Reality Check

• “Everything is in the clear” approach is clearly unworkable

• Encryption will reduce the number of parties that see traffic

• But not eliminate them: content provider, browser vendor, CAs, proxy provider, corporate IT department, …

• World still moves ahead on a voluntary basis on what technology is chosen and on what technology a particular party can adopt

• Surveillance shifts, not eliminated

• Useful technical things done in different ways, not eliminated

• Some potential bad outcomes to avoid: MITMs, regulation limiting security, fragmentation, device control, …


Example: Routing Stability, and Resilience


Spotlight on a voluntary bottom-up initiative

The MANRS (Mutually Agreed Norms for Routing Security) - https://www.routingmanifesto.org/manrs

Defines a minimum package (“a set of commitments”)

Raises awareness and encourages action through the growing numbers of supporters

Demonstrates that industry is able to address complex issues, even where they may not directly benefit

Clear and tangible message:

“WE DO AT LEAST THIS AND EXPECT YOU TO DO THE SAME”


The MANRS … in more detail

Principles of addressing issues of routing resilience

– Interdependence and reciprocity (including collaboration)

– Commitment to Best Practices

– Encouragement of customers and peers

“The package” indicating the most important actions

– BGP Filtering

– Anti-spoofing

– Coordination and collaboration

High-level document specifying “what”

– “How” is in external documents (e.g. BCPs)


Principles

1) The organization (ISP/network operator) recognizes the interdependent nature of the global routing system and its own role in contributing to a secure and resilient Internet

2) The organization integrates best current practices related to routing security and resilience in its network management processes in line with the Actions

3) The organization is committed to preventing, detecting and mitigating routing incidents through collaboration and coordination with peers and other ISPs in line with the Actions

4) The organization encourages its customers and peers to adopt these Principles and Actions


Good MANRS

Prevent propagation of incorrect routing information

Prevent traffic with spoofed source IP address

Facilitate global operational communication and coordination between the network operators

Facilitate validation of routing information on a global scale.
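The first two actions above (and the "BGP Filtering" and "Anti-spoofing" items in the operator list earlier) can be sketched as two checks at a customer edge. This is an added example, not part of the original slides or of MANRS; the customer names, the registry contents (documentation address ranges), the maximum prefix lengths and all function names are assumptions.

```python
import ipaddress

# Constructed registry (assumption): prefixes each customer may originate,
# e.g. derived from IRR or RPKI data. Documentation address ranges only.
CUSTOMER_PREFIXES = {
    "cust-a": ["192.0.2.0/24", "2001:db8:a::/48"],
    "cust-b": ["198.51.100.0/24"],
}
# Assumed policy: reject routes more specific than /24 (IPv4) or /48 (IPv6).
MAX_PREFIX_LEN = {4: 24, 6: 48}

def _allowed(customer):
    return [ipaddress.ip_network(p) for p in CUSTOMER_PREFIXES.get(customer, [])]

def accept_announcement(customer, prefix):
    """BGP filtering: accept a route only if it lies inside the customer's
    registered address space and is not too specific."""
    try:
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError:
        return False  # malformed prefix or host bits set
    if net.prefixlen > MAX_PREFIX_LEN[net.version]:
        return False
    return any(net.version == a.version and net.subnet_of(a)
               for a in _allowed(customer))

def accept_source(customer, src_ip):
    """Anti-spoofing: accept a packet only if its source address belongs to
    the customer it arrived from (source address validation)."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr.version == a.version and addr in a
               for a in _allowed(customer))

def audit(events):
    """Return the events the filters would drop. Each event is a tuple
    (kind, customer, value) with kind 'route' or 'packet'."""
    checks = {"route": accept_announcement, "packet": accept_source}
    return [e for e in events if not checks[e[0]](e[1], e[2])]

# Constructed sample events, not real traffic.
SAMPLE = [
    ("route", "cust-a", "192.0.2.0/24"),       # registered: accepted
    ("route", "cust-a", "198.51.100.0/24"),    # cust-b's space: dropped
    ("route", "cust-b", "198.51.100.128/25"),  # too specific: dropped
    ("packet", "cust-a", "192.0.2.77"),        # valid source: accepted
    ("packet", "cust-a", "203.0.113.9"),       # spoofed source: dropped
]
```

In production these checks live in router prefix-lists and uRPF or ACL configuration; the slides leave that "how" to external documents such as BCPs.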


Participating in MANRS

1. The company supports the Principles and implements at least one of the Expected Actions for the majority of its infrastructure. Implemented Actions are marked with a check-box.

2. The company becomes a Participant of MANRS, helping to maintain and improve the document, for example, by suggesting new Actions and maintaining an up-to-date list of references to BCOPs and other documents with more detailed implementation guidance.

3. This category is for network operators, or other entities acting in this role (e.g. a network equipment vendor, running its own network infrastructure)


Status update


Launched 6 November 2014 with 9 participants

One month later: 14 participants.

Seeking committed network operators.

Contact us: [email protected], www.routingmanifesto.org/contact/

www.internetsociety.org

Contact: Olaf M. Kolkman <[email protected]>

10 December 2014


Acknowledgement

• Network topology map from ‘The Opte Project’

• Jari Arkko for the slides on the use of encryption

• Logos and Trademarks from the respective companies
