Internet security needs to be based on collaboration

July 8, 2016

By Robin Wilton, Technical Outreach Director for Identity and Privacy, Internet Robin WiltonSociety

 

During the OECD Ministerial in Cancun, I had the pleasure to moderate an ITAC panel discussion entitled “Collaborative Approach to Internet Security”.

In a very wide-ranging discussion, both the panel and the audience examined Internet security issues from a variety of perspectives. Early questions from the audience set the direction for the event and included:

  • We can all envisage how things might look in 10 years’ time, but how can we get a clearer picture of the next steps that will lead us there?
  • Security is often portrayed as consisting of Confidentiality, Integrity and Availability, yet we seem to spend 90% of our effort on confidentiality, 9% on availability, and the scant remainder on integrity. What can/should we do about that?
  • How can we increase trust in the Internet, and both the perception and reality of trustworthiness?

The panelists were Sebastian Bellagamba, Internet Society Regional Bureau Manager for Latin America; Laurent Bernat, OECD Policy Analyst (Working Party on Security and Privacy in the Digital Economy); David Conrad, Chief Technology Officer of ICANN; Yurie Ito, Director (Global Co-ordination) of JPCERT, and Karen McCabe, Senior Director, Technology Policy and International Affairs of IEEE-SA and they tackled the points raised with clarity and enthusiasm.

The very interactive audience raised a daunting set of issues but, in many areas, the issues can be broken down into simpler and more manageable pieces. For example, different kinds of bad actor (motivated by different incentives) are amenable to different kinds of intervention or remedy. If someone has caused a security risk through ignorance or incompetence, the answer is education; if it is through malice or criminal intent, then law enforcement has a role; if the incentives are economic, then market forces and/or regulation are more likely to produce change.

This range of motivations and mitigations was clear in Yurie Ito’s description of the role of Computer Emergency Response Teams (CERTs). If what you want is to understand and fix a technically-mediated problem, then definitively identifying and prosecuting the person responsible may not be your top priority. On the other hand, law enforcement will want your co-operation to fix what they see as the problem… and as David Conrad pointed out, even in forensics, no single stakeholder in a networked environment is likely to have all the information needed to resolve the issue successfully. Collaboration is key.

The need for a collaborative approach was also clear from the panel’s comments on standardization, and on localization of traffic and data. In this respect, ISOC’s collaborative security framework (which reflects the OECD’s work on security guidelines) offers a practical methodology for progress.

This panel was a just brief examination of a broad, diverse topic, but each panelist gave practical examples of how to reduce Internet security problems to more manageable dimensions. We should take those examples as the basis for generalizable principles, building on the panel’s insights.  For example:

  • Recognize that different stakeholders have different priorities, but shared responsibilities;
  • Acknowledge that another stakeholder may critically depend on your data or expertise;
  • Ensure that the remedy is well suited to the aspect of the problem you are trying to fix.

Sharing information, ideas and examples of best practice is not just a fruitful approach to addressing the challenges we face, it is the only way many of those challenges can be overcome. We share the common objective of achieving a more secure and trusted Internet: we must be prepared to approach it as a common task.

—————

Robin Wilton is the Technical Outreach Director for Identity and Privacy and has almost three decades of experience working in technical and strategic roles, focusing for the majority of that time on digital identity, privacy and public policy.