Dangers to Internet Economy from Irresponsibility at Scale
24 October 2013 - A Workshop on in Bali,Indonesia
The following is the output of the real-time captioning taken during the Eigth Meeting of the IGF, in Bali, Indonesia. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the session, but should not be treated as an authoritative record.
>> So we will be starting in about three minutes. We are just checking the technology, so thank you.
>> MODERATOR: So good afternoon, everyone, just a one minute check, for those of you who want to be in the room, please stay. For those of you who may be enjoying the wonderful wine that was supplied outside, I please ask you to go outside and close the door. Thank you. So some people are probably going to trickle in. This is a workshop that's being organized by ICANN Security and Stability Advisory Committee of which I'm a member and so is one of the panelists as well.
For the last couple of years, ICANN has a variety of different entities in its structure and there is one advisory group which works on security and stability issues at ICANN and we for the last couple of year have proposed and have had sessions accepted at the IGF it's on the workshop description. And for this IGF what we thought we would do and we the get into it, this is going to be a quite lively and dynamic session. The title is Dangers to the Internet Economy from Irresponsibility at Scale.
I will get more into this at the end of the talk. But it's more stakeholders working together and sharing best practices achieve better results than, and if not, not working together can cause great consequences and economic harm. I am co‑moderating this session with my colleague, Jenny Philips from the citizen lab and what I'm going to ask is we have two parts of the presentation which Jenny will describe, but there is two parts, and the second half will be a bit more interactive than the first. And for the first time in the SSAC, if you include the moderator it is an all female cast that will be involved in the security session at the IGF.
I will pass it to Jenny. We will start with the panel and proceed to the second half.
>> JENNY PHILIPS: So we are going to try to stand for a lot of this discussion, just because it's the end of the day and we want to keep the energy up. So I'm going to do a little bit of an introduction and then we will get into the discussion. I will show you our objectives so you know where we are going to go today. So primarily we are looking to demonstrate risks associated with preparing for crisis.
We will be presenting strategies to help you prepare for crisis. Demonstrating the value of collaboration, prior to, during and post crisis and demonstrating the value added to this area of research. We have broken down the workshop in two parts but I have explained it in three here. We have four separate talks that are going to happen. We are going to be starting with Merike and then we will do a remote participation from our colleague Chris who is awake now at 4:30 a.m. in the morning, so we are happy to have him with us, and then we will have a discussion by Cristine Hoepers and each will introduce themselves and I will go last.
The discussion I will be giving if it goes, this workshop was a research project in itself. Prior to designing this workshop we came up with a list of questions and interviewed experts in a variety of fields. So we tried to talk to people in emergency management, people in health, business, and take different perspectives on security, and different perspectives on crisis and preparedness and things like that.
So just to give you a quick overview, these are the questions we asked. When I give my talk, I will be going through what the answers from the experts were on each of these questions, but it's worth it just to keep, to do a quick skim of the questions to think in the back of your mind when you watch the other presentations. And then the last part will be a situation room. It's going to be really exciting, we will do a little bit of role playing.
So I will pass the mic to Merike who is going to try to do this.
>> MERIKE KAEO: I will stand up since it is the end of the day and I will ask the moderators to switch the slide. I guess get to the title slide. So this is work that we have already been talking about in the ICANN meeting I am a member of SSAC and we have been looking very in detail to DNS related amplification attacks which we have already done over the last ten years, so I'm going to actually talk about what they are and in language that I'm hoping that the non‑technical community here will understand and just say, you know, why are we talking this and why is this such a big issue? So first slide.
So basically I will have a review of what these DNS amplification attacks are, why is this a huge issue, why are these attacks possible and what can we all collectively do about it? So this just shows you what role a recursive DNS server plays. You have a user device and I have pictured a laptop, but the user device can be a washer or dryer that is connected to the internet, tablet, phone, anything connecting to the internet that somebody is using.
So if you on your laptops if you want to go to WWW.ICANN.org to see what's happening, basically what happens on the technology level is that there is, the user device goes to something called recursive DNS resolver and there is multiple of these around the globe and it says what is the IP address of the website the user wants to go to. These servers may not have that information so they go ask other devices who are authoritative to say I don't know the answer, but I need to ask an authoritative source and these are called authoritative DNS servers.
There are interactions that and the recursive DNS centers get a reply and they relay that to the device and you get to the website. Users don't notice this. There are probably several interchanges that happen, but you in a matter of seconds get the website, good to go. Why do I care about the recursive DNS servers?
Amplification attacks are happening and they are happening at very severe levels which are causing denial of service to many, many services. So will what happens during the attacks. First you have compromised user devices. How that happens is basically you have malware in them and that can happen in many, many different ways so these compromised user devices, what ends up happening is that when you are ‑‑ let's say your laptop is compromised, so when you are trying to get to WWW.ICANN.org when you are sending that question to the recursive DNS servers as to how do I get there is, your device will pretend to be Robert's laptop. What ends up happening is it looks to the DNS recursive servers like Robert's lap to be is asking the question. So normal stuff happens, the recursive DNS servers don't initially know the answer they go to the authoritative serve servers and get the answer back and rather than sending it to your laptop, all replies go to Robert's laptop because you were forging at the time query.
So what happens if you have thousands of machines that pretend to be Robert's laptop, you get a large denial of service attack to Robert's laptop or whoever the intended victim is. So why is this a huge issue? It's a huge issue because they use identifiers of legitimate users and the forging is possible due to compromised hosts. So if you are combining these forged identifiers, it makes litigation because how do you filter, what do you filter on? Recent trends have been utilizing domain name servers as an attack vector since it’s a fundamentally used internet technology.
How many of you know what the DNS is, have heard of it? Okay. Just checking. And basically how you can exploit this or why it's possible because there is unmanaged open recursive DNS servers. So basically these particular DNS servers answer queries from absolutely anybody who asks from all around the world.
Also you have large hosting providers, right, hosting providers, Cloud networks, they may have 100,000, 200,000, a million virtual machines. If they get compromised, all of a sudden you have a million machines at your disposal with large amounts of bandwidth which means you could take out even small countries if you wanted to. Think about island countries that may not have that much bandwidth.
And also it's not just relevant to the DNS protocol. There is many, many other protocols that can also be circumvented and if you are using any kind of forged IP addresses this can be a huge problem. Next slide. So why does it work so well? Here is the problem with dealing with them that a victim cannot actually see the originator of the attack. So there is most of these packets come from real DNS servers. So you can't tell whether or not it's legitimate or actually something that's not legitimate.
And so you cannot just block the queries. The DNS servers, right, if you are looking at your audit logs, it looks like it's just legitimate traffic. The ISPs that are originating the traffic aren't impacted, and they only see usually small apples of data. What makes the attack so interesting is that you see packets from all around the world, and the only one that's really impacted where you see a large amount of traffic is directly to the victim.
So what needs to be done? This is the interesting part. These are best practices that have been known for at least ten years. So there are two things. One is that equipment vendors need to ship these open, these recursive DNS servers as closed, which means that you should be able to limit who is able to ask the questions. So, for example, if you are in a Government environment, then you have a Government network. Only the devices that are on that network should be able to ask the questions of the recursive DNS servers that are responsible for that Government network.
You should not be able to ask ‑‑ if banks open recursive DNS servers for how do I get to WWW.ICANN.org so you should be restricting access. If you don't, that's called an open recursive DNS server. The problem also is that many, many best current practice documents when they show how to configure these devices, these recursive DNS servers, they just happen to show how you configure them and they leave them as open.
So this is a problem in the industry where you have to make sure that the best current practice documents actually meet what needs to be done from a security perspective. So who is going to be looking at them? Who is going to be changing them? But what's even more important, and, you know, we in the technical community who have been understanding that this is an issue struggle with understanding why people are not doing this on an operational level, which is you have to get everybody to participate in stopping the ability to forth identifiers.
So anybody here in this room when you are asking the question as to how do I get to WWW.ICANN.org , you should not be able to spoof traffic or forth traffic that looks like it came from Robert's laptop. And so how does this get done? Well, ISPs or businesses both need to be involved and to some end maybe end users even. The only way you can stop it and I have a picture so you kind of see what ingress or egress means is ISPs should do ingress filtering which means they only accept inbound traffic that has a source address from allocated IP address blocks for their particular customers.
And enterprises or small businesses or Governments really need to implant egress filters and allow only traffic to exit their network that have a source address from their allocated IP address block. And equipment vendors really should have better defaults. Another aspect with all of this is that I think research measurements are always very useful to actually get definitive data on where this kind of forging is possible so people know where it's happening and can get educated.
So this slide is quite technical. The only thing I want to point out is that in my house, I have a CP device, maybe because I have a DSL line still, and my device that connects me to my ISP, I actually have it configured so that the only traffic that gets sent out knows that it's from an address that I got from my ISP. And businesses should do that too. That's called egress filtering.
So from any router or business router that connects up to an ISP, if you put some kind of filter on there to say, yes, allow only this traffic, then that's called egress filtering because you are leaving the network. On the flip side you have ingress traffic that's coming into your network so from ISP perspective they should only be filtering traffic that they know came from me or from a business.
I think you will have slides available, there is an open resolver project.org. We have to stop spoof traffic, the ability for people to be able to forge traffic and with that problem we need to be able to stop unmanaged recursive resolvers.
I show this slide because people, and I have been in a number of different sessions where people ask what is security, what do I do? I always look at five or six things that I recommend, and it doesn't matter what area of network you look at, application, host, network, but these are the six principle that's I always tell people you should look at. One is effective credentialed management process, whether or not you are using certificates or two factor authentication or pass words how do you create it, revoke it, distribute it, all of that. I mean, create an effective process for that.
Number two is restrict access to applications, hosts and network segments. This restriction, this principle speaks directly to not having open recursive DNS servers, but having closed ones. It also speaks to make sure you have anti-spoof filters because you are restricting access for specific network segments and who is allowed to have access to certain devices.
So it's a major principle. It's a fundamental security practice, and it's interesting how many people don't really follow that. The other ones I won't go through because of time. So parting thought is we do need continued international collaboration to help equipment manufacturers and users. There is already extremely great die nothing between operational and CERT communities and it's getting to be inclusive of law enforcement and Government as well.
Measurements to identify problem areas are useful to ascertain which constituents need better education. And so that's it for my presentation right now. Thank you.
>> MODERATOR: So just before the next speaker, we can something which is a remote participant plus, recognizing the differences in time zone, we actually had a remote participant basically have his presentation ready and actually record it, and so we are actually going to play because it's 4:00 a.m. in the morning for the participant, so Chris Gore will introduce himself and go over his slides. We just have a technology issue. Cristine, could you go, please.
>> CRISTINE HOEPERS: I think people are having a lot of technology issues now so I am going to try and have time here. So I'm going to talk a little bit about this irresponsibility at scale from the perspective of a CERT. I'm from CERT.br. I have been at CERT.br for 15 years and we have been seeing problems and issues to evolve in these past few years, and basically from our perspective what we see is basically any attacks that are possible or that are amplified like Merike just explained to us by the lack of implementation of best practices.
And usually we are talking about denial of service or in the case of open recursive or other technologists people call denial refractive distributed service or whatever, but it's really, you can go to the next one. So it's really that from the perspective of someone that is actually perpetrating the attack, the attack, there is no immediate benefit into implementing a best practice. So what do I gain from it? Usually that is the question.
And the effect of the attack as in the specific example of DNS amplification and recursion, it's that the network or computers being abused, they don't actually see that much activity. For them it's not an impact. And usually to implement something, there is a cost. From the perspective of the person being attacked, it usually means that there is almost nothing that you can do to prevent that attack.
For example, in the recent attacks, there was no way you could actually survive that. It is really too much attack from the perspective of networks attacking, that was not big. For the respect of the victim, that's big. And I think spam is also a problem like that because from the perspective of the networks that are actually being abused by spammers, there is not traffic lost. There are no problems. Those are machines in fact, that's a problem, that's piling up, but from the respective of people receiving emails we are all crazy with spam filters with our messages being lost, with phishing with crime ware going around and we are just struggling into doing that.
So I think if I would summarize what that problem is it's really a problem that there is no incentive to implement best practice. They are out there, several of them, but there is no economic incentive and there ant any other ones so next slide, please. I would expand a little bit without talking about policy making but really I think is not only a ISP problem is that vision that someone else needs to do something. That happens a lot, that we see, oh, that's not my problem.
And usually that goes also for software development that they think security is something someone else is going to did at some time at some point at some cost that's not mine, it's not my problem. And they don't see it as something that needs to be incorporated from the design to the deployment to the maintenance. And that is a problem with the whole industry. And I see something similar with the standards community that usually they think about a new standard just from the point of view, okay, let's do it, and then, let's create another standard to try to tackle that. And it's really this lack of security mind set is really thinking about security and the impacts. And this has a big impact in what we are talking now because most of the best practices we need to implement are to mitigate bad design of similar technology.
So I think it's just thinking about the future. One of the things we are seeing as she said for DNS and open recursives, we have best practice for more than ten years now and no one is implementing them. They are just being postponed. People are just thinking I don't need to do it. So we are going for anti-spoofing as she was describing for botnet remediation. That's a big problem, and I'm not talking about mitigations of attacks perpetrated by botnets, but how to disinfect all of the devices and how to prevent them from being reinfected. It's a huge problem.
And user awareness is something that really people tend to say oh, that's too complicated, so we actually tend not to do anything. But at least end users need to have the right to know the risks. We know the risks of crossing the street, the risk of doing something, and more common than not we see that sometimes users, they overestimate the risk.
So it's a problem that they just get scared. What we are seeing a lot too with best practices, I put here the chicken and egg dilemma that we are seeing with some of the technologies we have there. Like DNSA, what we hear, but why you don't sign your zone, why you don't use it, oh, because no one is checking. Then we ask ISP why are you not checking and it's oh, no one is signing. No one is willing to start the whole thing.
The same thing with routing security. So the standards are there, but it's that feeling that everybody needs to jump at the same time. And there are other problems that will become worse and worse, like ISP, show it's really something that the community needs to talk and needs to think about what to do. So I would just like to give some examples of some things that we are trying to implement in Brazil, some were implemented with success, that are some of the ways that we are trying to deal with it. We haven't solved the problem yet. We gave some first steps but I think these are some of the challenges.
One, I will talk a little bit about ‑‑ you don't need actually to think too much about the technical thing here, but really, this is one technique to stop infected machines from delivering spam. It's been a recommendation since 2005 from MTC, from almost all of the bodies, but not all countries have implemented and not all networks so the recommendation is there, so why people don't implement? Like we had this problem in Brazil we were recommending forever and why, why you are not adopting? And then when we started some conversations with different sectors, several issues came.
So legal issues, consumer protection organizations were afraid that would affect the consumers' rights. We had regulatory problems, we had technical people saying my network is going to stop working. There are costs involved. The managers are saying, oh, but I need to spend money to implement that and what's my gain? What am I going to gain with stopping spam from leaving my network? So I think this is really one of the issues. And it was not easy, but we tried to get all of the people on the table.
We thought that we got all of the people when we got regulators, ISP, telecom and everyone, then we needed to go for federal pursuit officers for consumer defense organizations and try to explain why that was good. And then at the end we had to go to a very formal process of agreements for people to do it, and it was not an easy process, but the result was good.
What we saw after seven years of meetings, talks, we actually implemented.
In the beginning of 2013, we started in 2011, we could see a drop in spam complaints to CERT.br, and Brazil was labeled in 2009 as the king of spam. It was the country that would generate most spam in the world. We were the front lines of all of the technical organizations, on CBA we are number one and after implementing we just went to a much better place now. And a lot of people in the beginning didn't believe that best practice would work. They would just say this is not going to have any effect, or they would say is this going to solve 100% of the problems and then said no, but it's going to solve part of the problem.
It's going to make it more expensive to send spam. It is going to stop people abusing our networks and it would get us to a better place. And I think some other examples we are seeing a lot of people talked about the European Union, AC DC initiative, but really to think about end users and end user protection is important because we have today this huge base of infected machines. We are starting to see end user devices, mobile devices, other devices infected, and we all need to be more proactive.
We are hearing now from the ISPs, oh, the end user device is not my problem. Then we tend to say, okay, you were the one that has a user that can reach them. We are seeing here, we just made a list of all of the initiatives that we know that people are already doing something. We are starting to try and do this in Brazil too, to get this problem that is really this idea that it's not my problem and try to make it, try to educate the users into doing that and enlist the ISPs.
Can we go for the next one? Another thing we need to try and make security more appealing for end users. So, of course, they will not pay attention to us talking about PCPs and whatever that we talk in geek talk, but we need to try and make them understand risks so we are trying to do a lot of material to reach them. But we also need to try and make it easier for the ISPs and system administrators to implement the PCPs.
When we were talking about anti-spoofing specifically for DNS recursive, most of the people said, yes, but those RFCs are very complex and most of the information is in English and they don't have examples on how to implement it and I'm afraid I'm going to break something. So another thing we are trying to do is how to translate to some easier language and make it easier for people to really implement that.
So this is more or less our take. I think this is the last slide. And it's just I hope that this could bring to people some of the challenges we are seeing. We don't have all of the answers, but we are trying to enlist more people to deal with the problem now. Thank you.
>> We have had to MacGyver sound work around, so we will try.
>> CHRISTOPER GORE: Hi, everyone, my name is Christopher Gore I'm professor the politics in Toronto Canada. I'm sorry I could not join you in person today but I'm delighted to have the opportunity to share some thoughts with the panel remotely, and hopefully respond to some questions or participate in the discussion on line.
In the last few years I have had the opportunity to collaborate with the citizens lab at the University of Toronto. My thoughts today arise from on going conversations with the citizen lab and the many cyber CERTs that they are working with. Most often at events like IGF or other events focused on is cyber issues an eclectic group of people are present with varying interests and focuses. As a researcher one of the broad issues that seems to hold the community together is a question about how social and political systems are responding to the technological evolution or revolution we are witnessing.
And questions about how various interests respond that to that evolution. Furthermore, how do the technical, social, economic and political systems converge and compete to produce various outcomes for those systems, in particular, cyber infrastructure. So one of the last ten years one of the things I have been studying is how international organizations, Civil Society and national Governments have responded to the provision of one critical infrastructure system and that's electricity.
For me, this interest began a decade ago when conducting research in the country of Uganda a country at the time where only 5% of population had access to electricity, but that was at the same time starting to see the emergence of phenomenal transformation in mobile phone and contract access. Many people were anticipating a parallel revolution in information and communications technology.
But in Uganda the telecommunication market had been liberalized, web cafes were springing up. Internet access and use was increasing and the rate of mobile phone adoption was expanding exponentially. Two questions struck me as unclear at this time. The first is how are these various infrastructure systems being governed? Independently or with consideration of the other? And more pragmatically how can this cyber revolution take place in the absence of the electrical power necessary to support the technology?
So one of the central issues I want to height lie is whether this there are lessons about security and governance from electricity that can be applied to cyber issues today. Particularly into the ongoing debates and intentions about the decentralized character and governance of the internet. Statistics about internet uptake are imperfect, in most cases there is a pretty obvious trend we can see in many countries and that is that the percent increase in individual internet users usually correlates with the character of a give regime and the character of the market for internet access.
So looking at this table, you see that there is an overall upward trend with the exception of Ethiopia. So how is India and Uganda different than Ethiopia with respect to internet access? The state provides access to the internet while in Ethiopia, and while Kenya and Uganda are more liberalized markets. What it does not tell us is how other infrastructure, regulatory and governance systems influence access to and freedom and security of internet use in other countries under various regimes.
So a big challenge that is confronted is how to think about these various systems simultaneously to facilitate the benefits of access being realized, secured and maintained. But this is a very big task. From studies of infrastructure systems, we know that three things shape people's use and access, the physical or technical system, the governance of the system and individual behavior. And each of these factors are influenced by multiple other systems.
Now the parallels between internet infrastructure are imperfect, but I think there are important lessons about the provision and governance of electricity that can be helpful when considering access, governance and security of the internet. So what can we learn about cyber infrastructure and access from electricity?
I want to highlight three lessons or three things I think are important to consider. First is we talk about how access to infrastructure influences policies and programs that facilitate and regulate that access. Infrastructure systems are not neutral and are certainly not universal. For example, the map of fiberoptic cables show is there are only three transatlantic cables that each the east coast of Africa while three cables reach the small American country of Panama.
For electricity we used to measure success and expansion of electricity in relation to the number of people that were connected. Now, international organizations don't talk about universal connections, they talk about universal access. That is how many people could have access even if that doesn't mean that they actually have any connection to their household. This means that you could be counted as having access even if you do not have connection to that infrastructure system.
Hence, if electricity is near your home but you can't afford to be connected to it, you are still deemed to have access. The lesson here is that how we talk about access to infrastructure systems influences the programs and the practices that guide expansion and guide access. So precision is needed. Secondly, the history of electricity infrastructure is replete with debates about centralization and decentralization. When electricity systems were expanding originally, many private providers existed and were delivering electricity at different voltages in a decentralized system. There was no ICANN for electricity.
Eventually Governments decided that this was not safe and not reliable, nor was it going to facilitate access quickly. So in the name of improved access and security and safety, electricity systems were monopolized and standards were put in place and investments and expansion were widespread. That worked well for countries quickly industrializing but was not a model not maintained for poor countries as it was costly to provide electricity for Governments and owing to new Governments that reliance on centralized systems could be less resilient than decentralized systems.
The outcome of this, particularly in the developing world and particularly in Africa was to privatize electricity systems and hope that competition would lead to faster expansion. Now, while some called this deregulation, in reality, what it was was re‑regulation, and it was not supposed to be a lessening role for the state, but a new role for the state.
The result is that advocacy for decentralized system in electricity provision increased the importance of the state in guiding security and advocating for access. The degree of success was dependent on Civil Society and very care and constant monitoring of private providers. If left to their own devices, private firms would only offer electricity where it was profitable. As infrastructure systems evolve there is need for a careful reflection on the balance and guidance the state offers in the evolution of decentralized systems. The last lesson I want to highlight is that infrastructure systems are complimentary.
For most, this is very well known. But we can't think about expanding internet access without also thinking about access to other complimentary systems. For example, because electricity is unreliable in Kenya, one of the leading mobile providers safari come maintains a fleet of 100 fuel trucks in the case of blackouts so it can refuel the diesel generators used as back up for mobile phone towers. Hence, internet infrastructure security and reliability are a function of multiple systems and the onus is on Civil Society and Governments and researchers to consider their interaction.
When we talk about Internet Governance it's important to think about how Internet Governance relates to other governance systems. We know that the internet is a decentralized system this which has helped promote its innovation. We think about the telecom industry and radio, television and phone we see a high degree of regulation which governs both private access or private roles and the Government oversight. With electricity, we see a very mixed medley of systems that are both centralized and decentralized, liberalized and monopolies that have weak innovations and high barriers to entry.
We need to recognize the systems that compete and converge with the structure of internet governance and lessons from those other systems. What happens, for example, in a national context when you have a liberalized telecommunication but a monopoly in electricity provision, two systems complimentary but regulated by different actors.
Let's take the example of Uganda as a final case. It has a liberalized telecommunications network with a national regulator. When there is an interruption in SMS services or access to Facebook, who is to blame? Who is accountable? Interruptions in telecom services in Uganda occurred in the last few years particularly around times of civil unrest or civil protest. The regulator said, no, it wasn't them. The telecom said, no, it wasn't them, but Facebook and SMS sites were blocked and some power is out in pars of the country.
The onus is, therefore, to more carefully examine lines of accountability in a decentralized system and to push for transparency. I want to conclude by raising questions about you governance of truck specifically. From studies of infrastructure in risk preparedness we know that society and Government are usually better prepared for low probability, high risk events for earthquake than for low probability low impact events.
This is because the impact of the high risk event is large. Each country, the impact of an internet shutdown will vary, for example, but the probability of shutdown is going to be a function of the integrity and resiliency of multiple systems including infrastructure and the character of how those systems are governed and the character state society relations.
So my first observation is that there is benefit in trying to think about cyber security issues in anticipation of the conditions and systems that security is dependent on. In turn, if the probability of shutdown is high or failure is high, how does Civil Society prepare for this and work to minimize the impact. From this observation, I want to end with two questions that I think should be considered and certainly arise about the responsibility for infrastructure and cyber security governance.
Many will know the work of John Tip case. One of the things he has discussed a great deal is that technology functions as a tool to delegate our activities. Given the impact of failure in infrastructure systems and the risks and vulnerabilities that follow true failures in infrastructure systems, it is also important to consider delegation in relation to the governance of infrastructure systems.
What responsibilities do we want to delegate to ourselves, to Governments and to third parties? I know that this question is under deep debate and ongoing debate amongst the cyber community, but under what conditions do we want to delegate security to various actors.
I think it's important to start to think about cyber security in relation to other systems and structures that affect the integrity and openness of cyber systems and to think about how the governance of different systems connected to the internet can have deep impacts on the vulnerability and integrity of cyber infrastructure. What, for example, are the implications of a decentralized electricity distribution system in a country with a civilized telecommunications sector? Is that a model we will insure security and regulatory and accountability?
Lastly we can recognize that the decentralized character of the internet is what has enabled its innovation and democratizing potential, but as the character of this decentralized system is challenged by Governments it is important to understand that the integrity of the internet is a function of the integrity of the other systems and there are lessons to be learned from these other systems with respect to how organizations, Governments, citizens have debated the rationale for more open and closed governance. Hence, collectively there is a need to examine under what conditions social, political, technical vulnerability of infrastructure systems, higher or lower, and work selectively to promote those conditions. Thank you very much for your time.
>> MODERATOR: As I mentioned, there are two parts of the presentation, of the session we are going to pick up a pace and have a far more interactive piece, but before I get to that second part, if we have any question for the two panelists that are here and the one that's remote, Ali is doing the remote participation, just any question from the audience?
>> I'm Willie Desufcuf. The question is about DNS security, you may have heard that ICANN in 46 in Beijing had given work hope about DNS security and how it's important to begin implementing it on various levels from rural to local and national servers. So what do you take out of this and do you believe it could be really the solution to many of those fraudulent methods of DNS? Thank you.
>> As with any security practice, not one particular technology will actually solve all issues. So I do believe that DNS sec will help a lot of issues where DNS can be circumvented. I also believe that looking at closing these unmanaged open DNS recursive servers is another aspect along with also helping to stop being able to forge traffic. So forge, stop being able to do spoofing of IP addresses. So, but I think that DNS sec is one part of the overall equation. And a comment that I want to make here is that, you know, the title of this talk is really one where, and I think Christine will absolutely agree with me, is that the best current practices have been around for so long and what we find is that people are not doing the fundamentals.
And I think we all have heard of attacks that are happening almost on a daily, weekly basis that are now getting in the widespread media. I am not at all surprised that this is going on because I see that nobody has been implementing the fundamental best practices which are really enabling the criminal underground to take advantage of all of these devices and then, you know, create news service attacks or other criminal activity.
The reason for this session is that really we want to raise awareness that something needs to be done. I don't think it's necessarily regulation, but I very much applaud Brazil for spending seven years bringing their constituents together, but actually solving at least one piece of the puzzle. And we, how do we do this within our own countries, or own nations to really help the overall resiliency of the entire global internet?
>> Just a small comment on DNS sec. It's important to know and this is something I will say you do not solve all problems and it will not solve all means that people can do fraud and phishing and whatever. It solves one big problem of DNS. And it lays a path for us to be able to use DNS sec as a tool to help in other areas.
We can use DNS sec to implement other protocols. So it's a move that needs to be done and if people second guess and say it's not going to solve our problems so I'm not going to do it and this is what we are seeing, these fundamental practices are not implemented because people are looking for something that does not exist. There is no solution for all, and there is no one single solution, and especially we need just to keep the problem more manageable.
We need to be able to have a problem in the smaller scale than the problem that we have today. And I think this is something that we all need to work and need to understand, and we need to understand that some people have doubts and some people will actually be afraid, okay, this is going to impact me on a daily basis and how do I move and guarantee that this best practice will not hinder other areas like privacy, Human Rights or other issues, so I think this is why it took us so many years to implement something in Brazil, but it really laid the path for us to now move forward to other areas of best practices. Now, I think it's not going to take that long anymore for other practices.
>> MODERATOR: So now we are going to proceed to part 2.
>> JENNY PHILIPS: Okay. So looking around the room, I see some people nodding off. So I will try to up the energy a little bit. I will do what I can. So I didn't really introduce myself before, but I'm Jenny Philips. I'm a doctoral student at the University of Toronto. I research emergency management related things, so I'm specifically looking at how to develop resilience using virtual networks. I have had cool experiences. I have worked with Prime Minister's office, foreign affairs in Canada on different emergency management related training sorts of initiatives. I was a training specialist there so I have been working in the area for a while. Most people don't like to think about dooms day, but I get to think about it every day.
So it's good times. So my talk is called Security from Multiple Lenses. Can you tell what that's a picture of? What are multiple lenses? Robert thought it was a beehive when actually it's supposed to be the parts of a fly. You know how a fly has multiple lenses in the way they look.
I tried to emulate the multiple lenses with my picture here. So really the objective of this talk is to really help us get our heads out of the sand. How many of us here are techies? Okay. Not everybody. Okay. Most people would say that ‑‑ how many people work in technology but would not necessarily say they are techy? Okay. All right. Well, what I really wanted to do was to draw on experts that aren't even close to techies and aren't really working in a techy field and see what insight they might be able to add to this discussion.
I'll have to move according to where my remote wants me to go. So like I was alluding to in the beginning, I relied on four different expert groups. The first was I went to my old colleagues at foreign affairs in Canada, and talked to the emergency management physical security crew. I also talked to organizational resilience experts focused in New Zealand which is where I'm going to be going to visit in a few weeks. If you have any good travel tips, let me know.
I also talked to people in health. So I talk to Doctors Without Borders, MSF. And internet, I actually got Christine here to do the survey for me as well. So we have a little bit of the digital perspective added on. So I'm going to try to keep the context of the different experts short, the part that I find really interesting was actually looking at what lessons they have that they can share to this group, and what they would like to know from this group and from others.
So the Government piece, what is the secure Government? When I talked to them essentially to foreign affairs Government involves two people, your domestic and international R. your domestic is physical security so it's your security guard, your security cameras, and from an international perspective, it's training for harsh climates, it's the safety and security of Canadians abroad. Canadians obviously in Canada are concerned as well.
Keep in mind this is an emergency management perspective. This isn't a broader SSAC NSA type perspective. I only had a few weeks to do this research by the way so it's only in early stages. So the next one, what is a secure organisation? Some of the key points that he brought out was that it's dependent on context and that it's a, that it's change ready. And it's the safety of employees and the reputation of an organisation.
What is security in health? Protection of people, assets and reputation and what is secure internet? It's systems connected to the internet maintaining confidentiality, availability and integrity.
So what are the critical security issues for each of these groups, emergency management's main comment was the issues are unique to the service, to the point of service based on individual threats so that's where the different embassies have different security issues. That's a given. Keep in mind I'm giving you all of the he results and we could find the patterns together. In the business resilience realm, their perspective was that it's insuring impacted stakeholder are resilient enough to survive in an environment stakeholder can be anything to cities. It's insuring the protection of all staff and beneficiaries. It's a blurred line between military and humanitarian actors and communication across all parties in conflict.
Finally, internet ‑‑ I might move back. Internet ‑‑ my remote has a mind of its own, lack of understanding of basic network and security concepts is an issue, lack of best practices without financial incentive, and lack of strategies from long‑term software solutions towards user friendliness, stability and security. Now, just taking a quick glance across the four columns, do you see some relationships? Some parallels? Some of the issues in some could fall into the other fields? Say yes or no. I need head nods or I'm not moving on. No, I heard a no. You don't see any parallels. What are do other people see?
Well, the cross fertilization is beginning. We will keep going. So what is the impact of these issues that I have discussed that are not being addressed? This is a brief list of some of them that were brought up by the participants. Economic disaster ties very nicely into the theme of this presentation. As well we have death, suing the Government, reputation damage, ceased operations, failure to eradicate disease, increased or news the crime and lack of trust. Reading these it's not that clear which of the four groups they are coming from, correct? I see nods. So we are starting to see a little bit of overlap.
So how are you preparing for these critical security issues? This is a breakdown of how all four are preparing. Maybe it's my personal bias but I was very impressed with what the Canadian Government is now doing which is this corner right here.
They have actually developed a matrix based on 13 different indicators that evaluate the safety and security of all of their missions that draw on data from their threat assessments and they are using this one matrix to help them identify how to allocate resources and mitigation measures to all of their embassies overseas, which is quite progressive. And the resilience, organizational resilience world they have resilience, 13 indicator model which is actually very interesting as well. You can actually download a five minute assessment on the internet and do it, and you can do it or an organisation, you can try it on the individual level. They are working on that.
But it's pretty cool. Then over here we have got, this is the health side of things. A lot of these response or preparedness strategies are common to crisis preparedness and on the bottom we have internet preparedness strategies. How are we doing for time, Robert? Nine minutes, okay. Government role, what's the Government role? We can see there is a lot more negatives than positives. Are we surprised?
Everyone is tired or thinking about the beach. I don't know which one. So just to highlight a few key things for the Government role, I guess on the negatives, there is a big emphasis on enhancing the self‑reliance of civilians, discussion neutrality, which is very big topic that applies to a lot of our contexts, what else is important that we need to discuss?
You can read. That stuff is not as interesting, I think. What are some of the lessons learned that can be applied to these disciplines? This is where I think it gets kind of cool. So from the EM, emergency management physical security side, they say based on their ‑‑ this is some of the observations they have on security. Typically there is no common approach.
How many of you can say there is no common approach to securing things? Yes, that's a lot of hands. Good. Well, not good. But that's a common issue that I think is faced across fields which indicates we need to start work on developing something more streamlined. The second is that there is not enough emphasis on recovery. So when we think about planning for crisis or we think about securitizing, we often think about preparedness, we think about response and we also think about mitigation but we don't think about how involved the process of recovery is.
And in turn, when we think about recovery, a good example is if you think about a flood in Alberta, we think of recovery as how much money will we rely on to get us back and running. That's it. We don't think about psychosocial implications, we don't think about the community, about businesses. It's very bare bones. So there is need to think more about recovery.
The other thing is, and I liked this, I thought it was clever, security and emergency management go together like salt and pepper. Similar to the other talks we have heard just now, security is not ‑‑ is often not integrated into emergency management but it should be. Haiti wouldn't have existed without security. So there is a need to start integrating the two, especially from the cyber realm, and I will get into that more briefly.
From the organizational resilience side, the recommendation is practice. Is that a surprise? I will take the nods as a yes, as it's not a surprise. When we talk about practice in this sense, we talk about if we think about responding to crisis, preparing for crisis, we are talking about human beings, we are not talking about machines. So to be able to effectively prepare for crisis, we need to practice, and part of practicing essentially means not waiting to practice in the crisis, but practicing every day. And to do that, the three things that we can do, it's important to start relationship building and we do that on a small scale. We do that every day with our colleagues, with our families, with our communities, we start working together, caring for each other, problem solving with one another.
We also create good leaders because at the end of the day, if you have a great plan and a poor leader, what's going to happen? What? Nothing. I would be more confident if I have a good leader and a bad plan than a good plan and a bad ‑‑ we have a good leader back there. And I good ‑‑ you know where I was going with that. So, yes, so that's important. The third thing is if we practice these things on a small scale, by the time we go large scale or by the time we have a crisis, it's habitual.
So practice up! Health, they mentioned from their experience that plans are always changing. I think we all can be aware of that, but yet we often don't want to keep referring to the plan, but it is important to continuously refer to our plan. Know the context. It's important when thinking about security that you take into account all lenses so you think about all of the different factors and common languages is very helpful.
From the internet perspective cooperation and relationship building and trust, that sounds like someone else's feedback. I think that was what we found in resilience, so it's good to see that it's come out in both realms, and information sharing. Okay. So what would people like to gain from other disciplines? So what would these experts I interviewed like to know from you? From the emergency management realm, there is a huge gap between emergency management and security and academia actually.
So what they were recommending or requesting is to help bridge that gap, especially in the cyber security realm. At the moment, at lot of the staff in embassies overseas are assigned with cyber roles and assigned as security officers and responsible for securing networks and the secure communications of their stuff yet they don't have the training. So there is a lack of communication between the emergency management world that is responsible for this, and the actual cyber security information that's required.
And because of this, we need more cyber security for dummies. The problem essentially is that most of them have bare bones cyber security training so Norton antivirus is what they picked and they think that that's all that they need to pitch, but there is a need for training on cyber security that's not as high level, more low level, more generalizable to everybody. The organizational resilience, they said they would like to know more about personal community resilience. They felt that there is a lot that can be gained from talking to psychologists about how to deal with security in crisis.
Health? They wanted to know what people were doing because they are always trying to learn. MSF is very transparent, they are a successful organisation and they are trying to, as I'm sure we all know, security is very important to them, especially for the lives of their staff. So they are always wanting to know what everyone else is doing, how they are doing it, how they are coping and what are their strategies. They also need help with secure communications.
They actually use very little technology in their operations. When they think technology, they think Swiss army knives, they don't think technology in the sense of our discussions. So there is a lot of room to work with them on areas like this. And then the internet, the internet group, how does each sector work? What is critical? What are their constraints and how can we help each other? I hope that you notice that these questions are the questions we asked. So it's good that we are asking the questions that others want to know of each other it's just that we need to keep the dialogue going. This is just the beginning.
So the last question was what can the IGF do to promote and engage in constructive dialogue on this issue? We have got a little to‑do list. The community should engage with emergency management community more. They are not reaching out to the cyber world, so the cyber world should really start reaching out to them, go to conferences, start trying to get into their magazines and their journals and start talking to them. There is a lot of room in that area for the involvement of cyber.
Security EM and academia should work more together. We should be promoting dialogue, which is the whole point of this Conference. Enhance understanding of technology, internet, communication, community, information sharing. And everyone takes responsibility for their part. Oh, and read books. That was actually a recommendation by one of our interviewees.
Okay. So we have a little simulation, how are we for time? 20 minutes. So I have a ‑‑ I have tried to solicit some participants for this. If the participants that are interested in coming up with like to come up now. If anyone else is interested, just excited to get up out of their Chair and try something different, you can come up and try to get involved in what we are going to do. We are going to run you through a sample emergency. Coming on, let's see one more hand. Come on up, why not. I like that daredevil attitude.
Okay. So I should put ‑‑ I have a disclaimer there but I will read it out because it's important that we note this. The opinions expressed in this situation room, we are now pretending we are in a situation room. So when the emergency hits, we are going to be the decision makers for the world, and so this is the only room there is. So we are going to be figuring out what to do. So the opinions expressed in here it's important to know they are not a reflection of the organizations that people are representing, and they are not best practices that are being pitched by the organizations. Is that clear? Okay.
Can everybody read that? I can read it out. I love the Microphone. When I was a kid I used to talk on and on and on at weddings. It's great. I will read it out. So right now this workshop is now half over. Ugh! When will it be over you are thinking. So you have decided to check Twitter. When you checked Twitter, this is dying on me. This is what you saw. Do you see any oddities there? Can someone tell me if you see anything odd in this stream?
Yes, that's an important thing. There is a tidal wave coming. Where did you see that? So the IGF just sent us a Tweet that there is seismic activity in the Pacific, potential tidal wave headed to SEA hashtag IGF 2013, are you ready? Then Bali tourism board has sent out a Tweet. Travelers, tsunami warning in effect, verify evacuation procedures with your hotels, hashtag IGF 2013. This might be a simulation, might not, I don't know.
So right now emergency management in the context of this discussion aside just for fun, how many have actually gone to your hotels and know what to do if there is a tsunami? Okay. That's not bad. Run. I'm sorry, you said something? Oh, yes, that's probably not a good idea. Yes, I went to my, to the visitor desk the other day and I asked them and the guy at the desk is like I don't think we have emergency procedures for a tsunami. I was like, are you sure, because the hotel beside you has a lot of signs saying where to go, and he is like I don't ‑‑ no, we don't have procedures. And I was like, well, maybe, do you think you could maybe just call someone to find out. So he calls one group of people, and no one answers, and he calls someone else, and he is like they don't know. And he goes to talk to the manager. And the manager is busy. Then he ends up taking 20 minutes and finally he comes back and he has these procedures.
But it got me thinking if he doesn't know them, how many people do. It's not a good thing. So in this case, this is the situation. We see this, okay. Panelists, you might be ready. Okay. So I will pass it over to you. At this point, with this information alone, I'm curious to where you would start. And I will put it down. Would anyone like to start in? Questions what would you do? Who are you going to contact? These are questions for you to think about. This is not a discussion necessarily to the audience, this is a discussion for everyone. You can just get the ball rolling. So you can think about what would you do? Who are you going to contact? Who is responsible for what? How quickly do you need to be able to respond? How would you assess the situation, check assumptions, how can you work together?
>> So, just useful information from our previous panel because our moderator from that panel informed us that this is only two story building and apparently the people who survived tsunamis in some other places had to be in three story building so that's good information really to have that this building is not the most appropriate building to survive the tsunami, so one of the things is to at least try to identify, to try to identify place where survival chances would be higher than here. I will stop it here, I think for others.
>> It's actually funny because I thought you were going to have some kind of cyber security related scenario, and that's exactly the scenario that I was going to bring out that, hey, but from a physical perspective, what do we do, right?