Internet Security Through Multi-stakeholder Cooperation
24 October 2013 - A Workshop on in Bali, Indonesia
The following is the output of the real-time captioning taken during the Eighth Meeting of the IGF, in Bali, Indonesia. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the session, but should not be treated as an authoritative record.
>> MARCO HOGEWONING: Hello, my name is Marco Hogewoning, I work for the ‑‑ I will be moderating the session, together with Nurani Nimpuno, and I'll let her introduce herself first.
>> NURANI NIMPUNO: Good afternoon, everyone. My name is Nurani Nimpuno and I work for Netnod. We're based in Sweden and Marco and I will be moderating the session. So the name of the session is Internet Security Through Multi‑Stakeholder Cooperation. So the aim of the session is to explore, basically, all the components in this Internet ecosystem and different roles when it comes to ensuring security in the various aspects of security.
So we have a great panel today. We have four people here physically present and we have one participating remotely. And we want it to be an interactive session, so feel free to stand up, and maybe not throw things, but throw questions at us.
So I'm going to say who we have on the panel and then Marco is going to give an introduction.
That wasn't just me, right?
So I'm just going to mention the names of who we have on the panel, and Marco is going to give an introduction and set the scene a little bit; then I'm going to throw a few introductory questions at you and ask you to tell us about all the various hats you have. Say a few words about those questions.
Okay. So we have Pete Resnick. We have Merike Kaeo, Konstantinos, and Robert Guerra, and participating remotely, Tatiana Tropina.
>> MARCO HOGEWONING: So before we have the panel introduce themselves and explain why they're on the panel, just a quick sketch of the landscape we're operating in. This is multistakeholder and we hope we found people from multiple stakeholders for this panel. And the security landscape is quite broad, with a lot of people involved. So, of course, we have the standardization organizations with, in Internet terms, the IETF being one of the leads there. Of course, in the IETF there's a lot of security work being done and essentially it's always considered security by design. Of course, they're not alone in this field. We have the W3C and IEEE equally involved and coming from the same area in the technical community, building secure standards and offering people that line of work.
Of course, in the technical community there are the operators to implement those technical standards; that's where it all starts. And not only are they the ones implementing the standards, but from basically the early start of the Internet they were also involved in making it secure and responding to incidents. For instance, with spam and everything that sort of grew into the operational community; then as that world got bigger and more important, we saw within the industry specific organizations cooperating in this area and exchanging information to deal with incidents, to deal with certain forms of abuse, exchanging experience and together coming up with solutions.
From that you've seen things like Team Cymru and ‑‑ dedicated industry bodies that talk about security. But, of course, also groups like RIPE or NANOG, with security threats, with anti‑abuse working groups, and things like that. So there's a huge participation from the technical community. And, of course, I'm inclined to say the other side, but we're looking at cooperation here. From the public sector, of course, in the traditional sense, law enforcement is always involved in security. Of course, when illegal things happen, ultimately, you need law enforcement there to take action. But also more recently, more dedicated units, more dedicated teams that focus on cybersecurity, cyberdefense, et cetera. There you see cooperation at national levels, cooperation at international levels.
Now, unfortunately, we were expecting a participant from Interpol, but he can't join us for now.
And then somewhere in between, I think, are the CERTs, where you see a good example of public/private cooperation: CERTs, incident response teams that again are primarily focused on exchanging data and protection. The moment you see something happening on the Internet, what's vital is that you take action immediately. You want to get ‑‑ if you see your host spreading viruses, you want to take it offline. If you see malware being distributed, you want to act upon it, you want to update your virus scanner, et cetera.
So just to introduce you to the field, the players ‑‑ I can keep going. More recently what we also see is, yeah, what I would describe as data or information clearing houses. You may have heard of the ACDC project that's being funded by the ‑‑ starting off in Germany and exchanging information about it. More local initiatives like the Dutch ‑‑ all sort of try to bring together different groups, exchanging information and together trying to make the Internet a secure place. That's sort of the take we want to have for this workshop: let's see how we can further enhance that cooperation.
So I will leave it now to, I think, Nurani to coordinate the panel introductions.
>> NURANI NIMPUNO: Thank you. We're not going to hog this space, though, because we've got actual experts here. But as Marco mapped out some of the efforts, we're hoping that this will be an educational panel, because we find that security is such a big bucket of things and it's hard to talk about security as just one thing, unless you go in and speak about specific issues. Also, when doing so it might be good to know what existing efforts are going on, because there's a lot of work going on in various parts of the Internet community. So we're hoping that the panelists in their different roles can contribute there.
As we know, the Internet has grown a lot from this very small research network to a network of two and a half billion users. There will be another billion users in 2017. That's mind boggling. That's a few years away, four years away, and there will be one more billion users. 8.2 billion global mobile connections. In China, India and Indonesia alone there will be 3 billion connections, and Africa will be the fastest growing region. So clearly, the Internet has faced challenges in terms of growth, certainly in terms of security, in the past. So it's a system that's going to have to continue to evolve.
So, what I'd like to ask the panelists as I ask you to introduce yourselves is, first of all, what do we mean by security? You know, so let's ‑‑ if we're going to talk about security, let's try to go into specifics. It's often a very broadly used term; it can be entertaining to talk about, but it's not until you go into the specifics that it's helpful. You know, are we talking about someone losing their password? Are we talking about spam? Are we talking about data protection? Architectural vulnerabilities? So for you, what do you see as the most important security questions that you'd like to raise now? Is there work that's ongoing that you think is good and you'd like to share, or challenges that we need to address? What is your role in this? In what way are you involved in this? And also, what can other stakeholders in this ecosystem do? Where do you see a need to talk to each other where they might not be doing so at the moment?
So those are three questions.
>> PETE RESNICK: Hello, I'm Pete Resnick. I always have this problem with which hat I'm wearing today. I am an employee of a company called Qualcomm, for which I do scant little work lately. I am the Applications Area Director at the IETF, which means I'm sort of out of the direct security business at the IETF. I'm not a cryptography expert or secure protocol expert, but I am in effect leading the area that uses all of that security infrastructure. And then on the side ‑‑ well, my involvement originally in the IETF was through electronic mail protocols, so I've had some experience with spam and other aspects of unsolicited commercial e‑mail.
So Nurani asked what I view security as and what are the most important security questions. Jari Arkko in his introductory remarks in the opening ceremony said something I thought was very poignant: when it comes to protocols on the Internet, the IETF builds things with security off by default. That is, it takes specific action to turn the security features of our protocols on when we decide that's important. We go to a website and we say we want to use HTTPS, secure HTTP, that is encrypted, only when we're going to our bank or something that deserves security.
When we use e‑mail, it is almost always in the clear. It is plain text and we only use encryption in the most extreme of circumstances. And I would venture a guess that most people in this room, including myself, don't use encrypted e‑mail most of the time, let alone signed e‑mail, cryptographically signed. When I think about those important security questions, I'm thinking about: do we want to change those assumptions? Do we want to start moving in a way that makes us use security, use those secure protocols, as a default way of dealing with the world? And some of the reason we don't do that is, I think, a basic principle: that we in the IETF and a lot of the technical folks have sort of made the perfect the enemy of the good. We tend to build protocols where we want to be absolutely sure they're secure, instead of ‑‑ and we can talk about this as the discussion goes on ‑‑ building protocols where you get a good amount of security and, if you need perfection, we give you the ability to do that. But if you don't, you still get some good amount of security out of it. And so I think those are the topics that I've been thinking about lately and that folks in the IETF have been thinking about quite a bit.
I could go on forever, so I'll leave more to the discussion.
>> MERIKE KAEO: Thank you. My name is Merike Kaeo and I currently have the title of Security Evangelist at a company called Internet Identity, also known as IID, which has been primarily, for a decade, doing phishing takedowns and also managing intelligence for people, and is very much involved in data sharing.
Personally, I've been involved in many various aspects. So I used to build networks. I used to work for a vendor and actually wrote a book on how to create secure networks. It's a Cisco Press book. And I've also helped educate a lot of global constituents about what security means in their environments.
I'm also currently on the Security and Stability Advisory Committee for ICANN. So when I look at security and what it actually means, it's a hard thing to define in a very clear manner because there are so many aspects to it. So if you look at it from businesses or critical infrastructure, it's really about risk management. And the thing with security is that it encompasses absolutely everything that deals with electronic data. So it comes down to the physical aspects, right? Who has access to the physical equipment rooms or the devices themselves. And then also it speaks to a large number of areas in terms of access control: how do you authenticate somebody? Do you want integrity? Which means, if I'm sending data to somebody, that nobody can take the data and change it en route. Do I want privacy, and what do you do with auditing? So the process of actually looking at all of that is everything that encompasses, quote/unquote, security, which I really look at as risk management.
And then if I look at it from a technical perspective, it's really ‑‑ when you're creating protocols, what you're trying to do is mitigate abusive behavior at a protocol level or technology level, with tradeoffs for performance and usability. The reason why you don't always ship everything with encryption on and all the security functionality is because there are tradeoffs with performance and usability. So you have to take all of that into account.
>> KONSTANTINOS KOMAITIS: Good afternoon. My name is Konstantinos Komaitis and I am a policy advisor at the Internet Society. I am not a techie, but I am in great company so I feel quite secure. Previously, before I joined the Internet Society, I used to be an academic working especially in the field of regulation. And part of the reason why I think I am here is to talk about the challenges of regulation in the context of the Internet and about this multistakeholder framework that we keep referring to, especially in relation to security issues.
So, considering the definition of security, I will not even attempt to provide a technical definition. I think that what we can identify is that security as a concept is in constant transition. It changes all the time. Thus understandings about security change all the time because they get carried away, if you want, by technology and the challenges that we see. What we also know is the fact that the landscape covered by the term cybersecurity includes many types of problems and it certainly includes a great number of solutions. And some of these solutions can be found in the technical sphere, and I'm sure that Pete and ‑‑ I'm sure our techies will speak about it. And some can also be found through education, through policy or through regulation. However, at the same time it is very important to understand that regulation is not always the answer. And I ‑‑ it is very tempting, and I understand the need of the nation state, if you want, to proceed to regulatory frameworks in relation to security. However, because of the fast-evolving and fast-paced changes that we see, we really need at the same time to be very cautious.
I really think that cooperation and shared responsibility is crucial in the context of security issues. We are all part of the network. I mean, for me security, for example, a couple of years ago only included passwords and somebody stealing my password. I'm sure that this is not even now a basic. I mean, it's a stupid way of thinking of things. But a lot of people do not know what the security risks are. They don't realize what they're engaging in when they're using the Internet. And I'm not talking about first‑time users. I'm even referring to users like myself who have been using the Internet for many, many years. So it is very important that there is a consistent dialogue that takes place in the context of security, because of the technical difficulties and the complexity; we need to start bringing the communities that are dealing with security issues closer together. We mentioned the IETF; the Internet Society provides the institutional home for the IETF and there's a lot of work being done there that doesn't get the exposure that it should be getting, not only at the level of users, but also at the level of policy makers.
So I will stop here and just want to say that, you know, as a first step, let's start, folks, the cooperation and we'll, of course, continue this discussion. Thank you.
>> ROBERT GUERRA: So good afternoon, everyone. My name is Robert Guerra, I'm with Citizen Lab from the University of Toronto. So for those of you not familiar with the Citizen Lab, I can speak in more detail. Suffice it to say that it's an inter‑disciplinary laboratory that's working at the nexus of ICTs, human rights and global security. That's kind of the institutional hat. Long before that I've been working on issues of, you could say, kind of digital security for human rights organizations and kind of NGOs. And so that's kind of the framing in terms of, what I would say, kind of the least resourced actor at the table, that works on slightly different issues but also is using technology and using very sensitive data.
In terms of ‑‑ in terms of the definition based on the type of stakeholders, or subtypes of stakeholders, which are groups really working with time-sensitive data for a variety of reasons: they can be for legal cases, corruption cases; a lot of times it's data that, if in the wrong hands, could lead to serious consequences for people's lives. Then if one uses the definition from that perspective, security for them could be making sure when they use technology and the Internet that they can be safe from harm, safe from danger, and they can be protected either with protocols or with procedures in place to make sure that stays safe and confidential.
In terms of the role of the Citizen Lab, as I mentioned earlier, it does work on a couple of different things. But in this context, we've been working for many years on advanced research on cybersecurity, particularly malware. We had a study several years ago that discovered that the office of His Holiness, the Dalai Lama, was affected by malware, but so were a variety of different governments, companies around the world, and others involved in this; it made headlines in the New York Times and much other press. So we've been really following how this least resourced actor gets attacked, and we study and work with a variety of organizations and do forensic analysis ourselves.
And the importance to that, I think, is how we can contribute. A lot of times there are a lot of assumptions in terms of what the challenges for different organizations are. There's a lot of training that takes place for NGOs. The U.S. alone spent well over $150 million supporting initiatives. But where's the data? Where's the research to try and drive that? So we, in our humble way, try to do that. We'll be coming out with a report later this year. So I think the importance there is what I would say is working on research‑based policy, and getting into the question in terms of how, so how I contribute: well, the organization works with a variety of different sectors. Because we're at a university, we do something that governments and many others can do: we help convene and we help try to bring different stakeholders together.
The major issue right now, I think, varies. Had you asked me six months ago, I would have said targeted threats and the huge growth of the zero day industry. I think after the revelations of the summer, I think it's the erosion of trust and the change in terms of the issue of CERTs that came up earlier. What we heard earlier in the sessions, I think yesterday at the IGF, is that because of national security, the trust is not as realtime; the conversation is realtime, but there are a lot of national security agencies that are now being involved in CERTs more, and a lot more vulnerabilities, I think, are in the system.
And I think another thing in terms of how we contribute: we've been discussing over the last couple of months, recently, that it's really important to bridge and create bridges between the technical community and the NGO or research community as well. So we've been saying that, and you put me on a panel that bridges the technical community and the research community, and the IGF is about bridging. So I'll leave it with that and look forward to the conversation.
>> MARCO HOGEWONING: Okay. We've got ‑‑ in the meantime we've got our second remote panelist, which I'll introduce you in a second. But I'll leave it to Tatiana Tropina now.
Tatiana, if you can still hear me, you can briefly introduce yourself.
We can see you, but I can't hear you yet.
>> TATIANA TROPINA: (Audio difficulties.)
>> MARCO HOGEWONING: She is speaking. Tatiana, I can't hear you.
>> TATIANA TROPINA: (Audio difficulties.)
>> MARCO HOGEWONING: This goes nowhere.
Apart from the fact that we are on the right track to building the next rage in music, may I suggest our remote panelists use the chat, and hopefully Chris can relay it without echoing.
Who do we have online? We've got Tatiana from the Max‑Planck Institute, and the other one who joined and who already admitted he had audio problems is Kimmo, who works in the outreach department of Interpol. Maybe you both can give a brief opening statement in chat and we'll have ‑‑ we'll come back as soon as Chris has them in, if that's okay.
Shall we just kick off? Your question?
>> NURANI NIMPUNO: All right. I have a few questions I think a few people touched upon. So one is this multistakeholder thing. You can't say anything against multistakeholderism, right? It's like swearing in church. Of course, we're into multistakeholderism. But aren't there challenges with that? Really, I mean, security is a really complex thing. Sometimes you need bigger responses. What's good about multistakeholderism is you get several different views, but it's not always the most efficient process. I think anyone that has been involved with the idea knows that it's about ‑‑ yeah, it can be quite a painful process.
Do we really need that? Isn't it better if we leave it to one party to fix these things for us?
>> PETE RESNICK: I'm happy to jump into the fray, because as Konstantinos was talking about this, I was scribbling some notes. One of the things I think is really important about the multi‑stakeholder model is that you're bringing together not just people with different stakes, which is, of course, definitionally true, but different expertise. So the technical community really has scant little expertise in what it is to make a proper regulation and how to enforce those laws.
The government has scant little expertise in the technology, and maybe even, at different levels, in what the business community needs out of security.
One of the things that ‑‑ and we've seen this in both directions ‑‑ one of the things that we run into trouble with is that we either jump into each other's pools, or we expect the other group, the other stakeholder, to take care of everything. And I think neither is useful. So, for instance, government needs to understand, when they're making a regulation, what technologies are available, and needs to know what they can address and what they can't. And going to the IETF, for instance, and saying, why haven't you solved the spam problem? Why haven't you solved the botnet problem? is a little silly to us. The answer is because we can't. You're missing ‑‑ we can provide you tools and those tools can help a lot, but someone else has to provide the economic incentives, the regulations, the rest of the things that go with that.
So I think, yes, there is a problem with trying to make a decision collectively as a multi‑stakeholder group. But understanding each of the groups' individual ‑‑ each of the stakeholders' individual expertise and using those strengths is the way to accomplish that.
>> MERIKE KAEO: Whatever happened to women first?
Yeah, I will ‑‑ actually, I want to make two comments here. I absolutely agree with my colleague Pete here that the multi‑stakeholder model just absolutely needs to happen. What is quite interesting is that lawyers spent many, many years understanding the legal frameworks and their policies. Technical people spent many, many, many years understanding the fundamentals of the technologies and creating them. You know, politicians, same thing. So we all have our fields of expertise and I think sometimes the challenge is having the patience to understand each other's viewpoints. You can always say, oh, they don't get it, they don't get me. It's okay.
What I have found, personally, is that I have learned a lot about human rights issues. You know, some of the legislative issues that varying geographic areas have to deal with. That's another point that is extremely challenging from a security perspective: when you start talking about different geographic areas, different countries have different laws, you know, sometimes tied to cultural issues. So even, you know, trying to figure out what actually is cybercrime across different countries may be challenging as a definition.
So I think by bringing together the multi‑stakeholder model we're educating each other on all of these issues, and then collectively, in some forums, we have to come to some kind of agreement in terms of what is best for all of us. We're not going to have the best solution, but step by step hopefully we'll get there. That's ‑‑ I think the model so far is really working, and this is my very first Internet Governance Forum meeting and I can say I've learned a lot already.
>> KONSTANTINOS KOMAITIS: So what's the alternative if it's not multistakeholder? The alternative is additional regulation. We have already seen that this is really not working in the context of the Internet. So, that's the first thing. And it's not working because the nation state as an entity really wants to preserve what they feel are their priorities. And the priorities of one country are not necessarily the priorities of the other country. And the understanding of security of one country is not necessarily the same as the understanding of security of the other country. So regulation ‑‑ and by regulation we are referring to this traditional form of regulation ‑‑ has a tendency of being trapped in subjectivity and based on national needs. And we're talking here about the Internet, which is global.
The second thing, multi ‑‑ so, by default, we are thinking of multistakeholder governance structures that are anxious to discuss those issues. We also need to understand that just because we mention multistakeholderism it doesn't mean automatically we get solutions. Multistakeholderism is not an all‑inclusive concept and it doesn't come with a magic wand that we just wave and suddenly everything is fixed. But one of the great things that it does is that it brings people together that share a common value. And through this common value they share also responsibility. And in the context of the Internet and multistakeholder, this nexus, the fact is this common value is preserving the Internet. It's preserving the open, interoperable and generic nature of the Internet. This is a good starting point to bring parties together, as we've just heard, and actually make them sit down and work with one another, because there is a lot ‑‑ and governments do not necessarily get it. And I hear it all the time.
But my response, my automatic response, because I am a policy person, is: why should they to begin with? The same way that the technical community doesn't really understand the way regulation and policy making is working, governments ‑‑ we cannot expect governments to automatically understand the challenges, especially the technical challenges, surrounding security. That's why we need the technical community to come and explain what these challenges are.
We saw this happening. Unless we start working together, we will see this happening all the time. Just, you know, a little bit outside security, a very clear example has been in the digital context in IPR. Suddenly we saw laws coming about that were endangering things, and it's simply the nature of the architecture of the Internet, simply because policy makers did not understand what those challenges were. So we really need multi‑stakeholder participation. I know it's slow. I know it's occasionally tedious and I know it can be very frustrating. But the alternative positions, I personally believe, are ‑‑ may lead us to paths that might be more challenging and tricky than what we're facing now.
>> ROBERT GUERRA: So I may be a little bit of a devil's advocate here. I'm a supporter of the multi‑stakeholder model, but I think we've been talking about it since the very first IGF, and kind of where are we ‑‑ and what are some of the challenges? So I think in an ideal world, I would say ‑‑ and I hate to use this word, in a kumbaya world ‑‑ we're all talking about multistakeholder and it means that we can all come to the table even though we have different views and different ideas. You say the word and magically we all talk together.
We've been talking together for six or seven years, and in some cases that then comes back at a national and regional level and it causes ‑‑ it creates a window of opportunity for dialogue and conversation. So I think that's a good thing. But let's not forget there are other factors and other tendencies also that are pushing back, not against the multi‑stakeholder model, but national security is the big elephant in the room, as was discussed in the high‑level meeting and throughout as well, too. I think where we need to see that is that there are a lot of great challenges to make the multi‑stakeholder model work. We just can't invoke it.
So I think what organizations here, and I would say a recommendation going forward, is: we have to practice what we preach. If we're saying we're going to be working together with different stakeholders, then the technical sector, the government and the one stakeholder group that has not been mentioned by my previous colleagues, the Civil Society ‑‑ other than by Konstantinos ‑‑ everyone all needs to work together. They all have different skill levels and practical things, whether it's skill share; it's not just inviting folks here. So, for example, from a research perspective, what we do is we realize there's been a gap: in some of the research that we do around malware or attacks, we realize that there's a great wealth of knowledge, but also analytical tools and an approach that would help us understand what we're doing.
I would say the flip side for the technical community is, how are tools going to be deployed? Or if you see certain traffic taking place, if you had a better sense of the context, you would realize. I'm just remembering something from a conversation or a discussion on the SSAC list about a week ago: there's a whole issue where the Qatari top-level domain kind of went down. For a long time everyone was talking about, oh, it's down, and just kind of a reaction around it. I think other communities, other parts of the technical community, were talking about the same thing. Had you been looking at this through a multi‑stakeholder lens, we would have realized there was a set of geo‑political events taking place at the same time and there was a context that was fueling that.
So that would have been better understood as having to do with something far more nuanced and complex.
So I'll finish, and the thing is that the challenge is that we have to put it into practice. And it's hard. And there has to be ‑‑ and there has to be a way to audit. And I would say that the role of government might be to enforce the multi‑stakeholder model. I'll challenge that, because in a lot of places that's not taking place, and maybe a regulation says, yes, all the stakeholders have to get together. If you don't, don't call it multistakeholder; just call it a meeting of the private sector and the government.
>> MARCO HOGEWONING: Thank you, Robert.
I believe we have some comments from our online panelist then, Chris.
>> CHRIS BUCKRIDGE: So we do have two online panelists who are having trouble hearing the audio and seeing the video but are bravely following the transcript live. So this is a bit out of order of discussion. They both asked me to read their introductory statements here. First is Kimmo Ulkuniemi, and he says, "Hello, everyone. My name is Kimmo Ulkuniemi and I'm working for the Interpol Global Complex for Innovation in Singapore. IGCI is the only global law enforcement organization responsible for supporting cybercrime investigation. I'm Assistant Director of Strategy and Outreach and my subdirectorate is responsible for all the public‑private partnerships regarding cybersecurity in Interpol."
And then Tatiana Tropina has her opening statement. "I wanted to say, so about multi‑stakeholder models in cybersecurity, I think we need to understand that there are several fields or pillars of cybersecurity, and depending on the pillars, the players' interactions between them would be very different. For me those pillars are cybercrime, prevention, detection and investigation, critical information infrastructure protection, and national security.
"We will have different models in each area because they do overlap. I doubt we can extend what we've already achieved in multi‑stakeholder cooperation in fighting cybercrime. We cannot achieve the same cooperation in national security issues where fewer stakeholders are participating and governments are not willing to collaborate but rather to regulate. And because of the blurred borders between these areas and the absence of clear legal frameworks, we have some gray areas and problems with trust between government industry and Civil Society.
"So basically I wanted to say that the cooperation and participation of different stakeholders will depend on the area we are operating in. And if in some areas governments would be willing to collaborate, in others we will have strict requirements, security clearances, regulation, lack of transparency and trust, and possible abuse."
>> MARCO HOGEWONING: Thank you. I was about to ask this of Konstantinos. And it's nice, a nice way to channel. You mentioned ‑‑ you sort of dropped the word trust into your statement. And then now to challenge, to make it much clearer is, yes, we cannot expect governments to understand everything and we cannot ‑‑ we cannot expect them to solve everything. At the same time, Peter in his opening statement said yeah, the default measure at the IETF was to by default switch security off. And as he already mentioned in his opening statement, that's likely to change.
But what can we do or what should be done? Or where can we do ‑‑ where can we go in restoring the trust? Is there a need to restore the trust in this field?
>> PETE RESNICK: There's something ‑‑ I'm trying to collect together a couple of different threads here because some folks did set this up as the technical community versus or most communities even versus the government community. And I don't think that's exactly the only opposition. So, let's talk about that security on by default.
There are loads of interesting ways, technically, that we can address things like people snooping at our traffic, including governments. But those things ‑‑ those technical solutions have very interesting consequences, not just for governments and not ‑‑ but also for businesses and for the Civil Society. So, for instance, it would be very straightforward for us to re‑jigger the protocols so that all electronic mail was end‑to‑end encrypted by default. And, yes, there could be man‑in‑the‑middle attacks where people can sniff at that stuff. But we can start out with the bar being quite high. There's a problem. First of all, there's some governments who are happy to have that security on by default, so as long as it's not their ability to sniff their own citizens e‑mail. So, yes, the governments probably have some of their own stake that they're worried about there.
But, for instance, think about Google's business model. Everybody with a G‑mail account, that e‑mail becomes part of Google's very important data to figure out what they can give you advertising for. Well, if we start saying to Google, all of the e‑mail is going to be end‑to‑end encrypted from the user to their destination and you at Google don't get to see the contents of that e‑mail, that changes an entire business model.
Think about the companies that track their employees' e‑mail. And if things started getting encrypted end to end, the companies would not be able to, by default, see their employees e‑mail.
And does Civil Society really want to go all the way down that path? Many people like the idea that they are having some of this information from other people, generally, not from themselves, reviewed by government agencies to see if there is terrorism going on that is being ‑‑ for which e‑mail is being used.
There are civil liberty issues that are clearly at stake here. So I think we want to be careful, A, about pointing to one particular stakeholder, but also be concerned that these things are doing the kinds of things technically that we could do, might start to wash over into all of the stakeholders in very interesting ways.
>> ROBERT GUERRA: So just a quick follow‑up in the work that we've done, and I've done around security for NGOs, the simplistic view, and that's what a lot of the funding was a couple years back, was all around just secure e‑mail or secure browsing, and it totally disregarded habits. It totally disregarded the change in the threat landscape moving from surveillance to targeted malware. You can have the most sophisticated end‑to‑end encryption system, but if you have a targeted malware exploit in your computer, they'll see everything. And so I think what the technical community ‑‑ and I would say, you know, government and private sector they have best practices in regards to non‑digital security issues and being able to have the different groups actually share those best practices. I mean, one thing I did mention in terms of the big challenge for the multistakeholder is actually the culture and the language of each of the different stakeholders is very, very different at times and to build trust to be able just to talk. So you can tell everyone, go in the room and talk. But if they're having a different discourse, you know, some of the ‑‑ even the Internet governance community, as well. Imagine someone new coming to the IGF or ICANN meeting for the first time, the amount of acronyms alone is incredible, at IETF with all the RFCs even more so. So I think what we can do is we can realize that that is ‑‑ that's a challenge. And in our own stakeholder groups we've been working on that and trying to figure out ways to share that.
And, you know, something that might be possible is are there mentors from one stakeholder group to the other that could be useful? Some of the outreach efforts. Again, there's probably a lot of stuff that's been done. And I would say for the e‑mail, you know, it ‑‑ I can't agree with you more in terms of that being a simplistic view, but sometimes the simplistic message wins the day. And it creates a false sense of security in that we've seen, particularly, you know, in the developments not over ‑‑ not only over the last six months, but since all of the kind of uprising in the Middle East over the last couple years is that false sense of security has led people to communicate on a variety of different platforms, then they've been shocked and they realize when they're picked up, taken to court and their complete transcripts of all their chats have been presented to them as evidence and they've had to spend 50‑plus years. So they thought that it was safe and it wasn't.
I think where we can work is just on the perceptions and helping people understand risk and threats, more so than this tool is the panacea.
>> MARCO HOGEWONING: Okay. Thank you.
Yes, I was about to say we're about to open to the floor. But I'll leave the next comment to Merike.
>> MERIKE KAEO: Yeah, I want to bring it to trust and transparency. One of the questions in my mind, I'm not a very huge proponent of regulation, but I'm a huge proponent for measurements. Also what I see is even when protocols are designed very securely, okay, it's not necessarily the protocols that get circumvented but equipment manufacturers who are actually building equipment that may not be as technical savvy as one would hope. So how they've implemented the protocol that is supposed to be secure, but they've implemented it in a way that is not secure. And also when equipment vendors ship with certain defaults, default behavior, that is not very transparent to users of this equipment. So I think trust is really at the heart of security at all levels.
You know, just understanding exactly how things work, either from a protocol level, why certain choices have been made, there's always in the IETF a security section, security considerations that actually discusses where some protocols may not be as secure as they could be, but the tradeoffs from an engineering level were made looking at what's best for the overall community with everybody involved in these IETF working groups. So it is a very complex problem. But I think we do have to really work on the transparency as well.
>> MARCO HOGEWONING: Konstantinos.
>> KONSTANTINOS KOMAITIS: Yeah, it's all about using different words. It's all about contextualizing this thing. It's all about trying to make everybody understand what it is. I would like to go back to what Merike said, if we are to judge a little bit the past few months, what has been happening, the issue of transparency has been manifested as a key driver behind all this. People need, to the extent that it is feasible, to understand and know what is happening. And because you have this medium right in front of me right now where we are all used to getting information, having access to information, when suddenly that stops due to a curtain or whatever, a wall, then this creates more issues.
So it is very important that we try to ‑‑ we save face. As far as I'm concerned, we see this as opportunity to restore trust. Also go beyond the trust as we had before and also do the same with transparency.
>> MARCO HOGEWONING: Thank you.
What I would like to do is collect a few questions from the floor and then after we'll give the panel a chance to respond. Raj, I see your hand up. Please state your name and the affiliation, if you have comments.
>> NURANI NIMPUNO: And just maybe to make it a little bit more interactive, instead of having one question, one answer, one question, one answer, if we can get a handful of questions, we can throw all those on the panel.
>> RAJ: Thank you, my name is Raj ‑‑ we just did a similar panel like this just before the break and I think some of the people were in the room also. I have one comment, two questions. The first one, I think that we say about common values, Konstantinos, I think perhaps we don't have common values here in the IGF because you hear very dissenting voices and I think there are two major countries that just don't show up here and say anything anymore because they've stated we want to be this different model in the U.N. or whatever and we're not coming here anymore. So I think it's important to understand that perhaps we don't have common values. But from there, we're in the room and we still discuss things.
One is that the way of discussion when Jari Arkko presented as Chairman of the IETF last week in Athens at the RIPE meeting, at center stage asked him, who is your enemy? Because there were all these things going on. In the room we have Google, et cetera, all the sudden that became an enemy because of all the data mining they do. Then we had the governments that were definitely not a white elephant, but they were definitely discussed there. And the third one was the ‑‑ now I'm forgetting what the third one is. Can you help me, Marco, remember?
>> MARCO HOGEWONING: Sorry, I'm not wrapping it up here.
>> RAJ: I'll come back to it later and go back to the other question.
The other one is that we have so many different layers responsible for products on ICT and the Internet and et cetera, so many layers in the communication that when I start to contemplate the session I was going to have, I imagined a row of a table that would belong to the end of the conference hall and we still would not have them all, and half of them we could not reach because nobody knows who they are. There's just app makers somewhere in the world that shoots something into nobody knows each other. You have a new app that may be vulnerable enough. And that goes just from play things to very serious things. Is it possible to look at the chain of the Internet and see who is the dominant key player here that could actually be somehow made responsible for the security of that part of the chain?
And, of course, that is going to be the hardest thing possible, but could that be some sort of product driver we were talking about in the previous panel that actually said, well, if the government says this is the product it wants to have, a lot of people will follow that and then you have a higher standard because of it. But then you have to know who the key drivers are.
If I think of what number three is, I'll come back. But it's about who is your enemy and who are you actually going to deal with first? The criminals ‑‑ yes, I got it. The third one are the criminals. So we have the Googles, the criminals, and the government. Who is your enemy? And who would you want to tackle first?
And perhaps by tackling the first one, you'll discipline the rest in the direction you actually wanted to go. So your thoughts on that, please.
>> NURANI NIMPUNO: Maybe we can do Google this week, government next week, and the criminals.
Okay. So let's get a few more questions and we can throw them at the panel. Anyone else?
>> MARCO HOGEWONING: I thought I saw more hands earlier on.
>> NURANI NIMPUNO: They look shy.
>> MARCO HOGEWONING: Ah, yes, Meredith.
>> MEREDITH WHITTAKER: Hi, great panel. This is Meredith Whittaker from Google Research. I just have a quick comment, and this might get to Robert's sort of kumbaya prescription, so I apologize. One of the things I love about this discussion, the discussions that bubble up from the technical community who are familiar with those processes is this sort of approach to transparency and self‑correction. So built into these processes is constant self‑correction, is constant, you know, steering and recalibrating based on models that are assessed, you know, in reality in realtime. And I think part of what is important there is ability for being wrong not to be a crisis. So you have to be able to say I don't know, to say I was incorrect, to say that doesn't make sense, to look at the data, to measure that as Merike said, and to recalibrate your assumptions based on that. I think thinking about how that could work in a multi‑stakeholder, whatever that means, framework, is a really, you know, I don't have an answer to that, but a really salutary exercise. How do governments, how do regulators, how do people whose careers may be based on some prescriptive idea of what needs to be done be integrated into a process that's constantly recalibrating, that needs to adjust. In June 2013, there's before and after. Adjustments need to be made and that needs to be realistic and timely. That's not a question, but that's something that I think you guys were pointing to and I really appreciate it.
>> MARCO HOGEWONING: Thank you.
I see this gentleman here.
>> PATRICK JONES: Patrick Jones from ICANN's security team. This has been good. And I wanted to raise a point that I wanted to raise in the Dutch session before lunch and didn't have a chance to raise it then, so I'm going to raise it now.
With national cybersecurity strategies and the European commission's efforts, potentially bringing in Internet technical operations that are globally distributed, having these regional types of regulations raise challenges, so it would be good for the panel to talk about the impact of national strategies on global technical operations and globally distributed resource.
>> MARCO HOGEWONING: Thank you.
And the lady behind you also had a question, then we'll fall back to the panel to gather some responses.
>> CHRISTINE: Hi, I'm Christine from ‑‑
I think two questions. This morning I was in multistakeholder panel. We're talking a lot about security and that area. But I think one stakeholder always missing in all these areas are the software developers. We don't see them here and they are the real cause we are all here trying to correct something. And every time we think about software vulnerabilities and problems in software, we always ‑‑ the technical community, IETF developers, and people from networking, all have created a standard trying to cope with that. But then a standard is, again, developed by a software developer and more vulnerabilities are inserted. It's just to think about the whole community, whole software engineering community, they don't want to talk about security and they are just creating now. What we were talking about the right incentives and one of the incentives is right; the first software out is the one that is going to be adopted. The first standard out is the one to be adopted. People in universities are being taught or not taught about software security and you have just a mobile getting worse and worse and worse.
So I think this is one area that, from my perspective as a sir‑perspective, we try to reach but is one of the hardest. We have been talking to people from legal area, from policy makers, and I think it's easier to reach to them than even to reach to developers.
Then just as a point maybe to have a take from people from the panel, something that worries me a lot is that we are seeing more and more security as a scapegoat for different agendas and as a scapegoat for control measures and not for something that would actually improve security, but just not really to implement different and weird things. As you said in the opening, it's very complex. Security is not an easy area. It's very complex for people to understand, then it's very complex and easy for people to manipulate. So I think we're in a very worrying time now that we really need to work as a community how not to let ‑‑ actually not have security, but have a worse Internet in name of security. I think this is something that could come up a lot in the next few months and years.
>> NURANI NIMPUNO: Very interesting, thank you.
>> JAN MALINOWSKI: Yes. Hello, Jan Malinowski from the Council of Europe. I would like to make three quick points. I hope they are quick.
Yes, I hope they are quick.
The first one is that total security doesn't exist. It always comes at the ‑‑ the higher security comes at the expense of a reduction in freedom and liberty. So if you want more security, you will trade off certain things that you may not always want to trade off. That's a blanket statement. One can moderate it, but at least it is ‑‑ it does give an indication of the thinking.
The second one is that multistakeholderism is about dialogue. It's not about co‑decision making. It's about ‑‑ not even about common values. There may be certain common areas of agreement, but at the end of the day multistakeholderism is about good governance, which is about listening to the others. It's about taking into account what the others have to say in order to be better informed when making a decision. Whoever is the relevant body or person or community that will take the decision at the end of the day. So it is a good governance issue.
And the final one is related to the question of security and so on. Going into an example, to show a bit what I mean.
Crime, cybercrime, for example, it is a security issue. Now, normally, traditionally, the repression of crime is the monopoly of the state. We are talking multistakeholderism; how to incorporate the multi‑stakeholder dialogue and identifying the roles and responsibilities of different parts of the community, of the Internet community or different communities within the broader world of the Internet in respect of combatting cybercrime.
What I would say is, if I can give an example of a tricky area where more debate needs to be had ‑‑ sorry, before I go into that, criminal law will never resolve crime. We know that. Criminal law puts a few people in prison. It dissuades others from doing and it educates others ‑‑ it dissuades some that would be minded to engage in crime not to do it. And then it educates others that might have wanted to engage in criminality that it's perhaps better not to do it. So that is a bit the background. We know that in any community the vast majority of criminal activity is not tackled by the criminal law system and it will be the same in the cyberspace area.
One concrete example in the criminal activity area on the Internet. We have the question of peaceful protest. In the physical world, peaceful protest has been addressed and has been regulated and teased out by the courts and interpreted and so on. It has evolved over time. Peaceful protest can be disruptive and can be very annoying for some, and it can even carry a price tag for those who protest and for those who are at the targets of the protest. Now, that is an area which for the time being in the cyberspace is considered automatically to be a criminal activity. So any intervention, interference with someone else's transit or website or whatever, even if it is simply to make a political statement, it is immediately considered cybercrime. Now that ‑‑ I'm not trying to suggest an answer to that. It's simply to indicate that the answer is not yet there and that more dialogue is needed. And we need to listen to each other more in order to come up with the right answer. Thank you.
>> NURANI NIMPUNO: Great set of questions. If other people have questions, please hold them. We'll throw them to the panelists, because there are so many questions. I'm going to try to throw out some of the issues there.
So the idea about multistakeholderism not being a question of common values, but I love the part he said about despite good governance, but listening to each other. But also the part about the ‑‑ I guess the relationship between governments and those, for example, in the operational community and how you get that ‑‑ how you get governments and decisions they make into an ever‑changing operational world.
The part about trust, I think we've touched upon that, but I think you might have some interesting things to say about that. But then I'd also like to put the thing about so we often talk about security versus privacy. And, you know, we have to find a balance. But I think some of the things that Robert touched upon was also about security and anonymity in terms of privacy and that it can it protect civil rights. So security in what sense? For who? To what end?
Yeah, I think you're ready to pounce, so I'll let you go.
>> ROBERT GUERRA: Just maybe add something in regards to kind of trade‑offs as well that haven't been mentioned going back to the e‑mail analogy and making it difficult or not. I would say it's not just about freedom and the balance of security and freedom, but from a user perspective in just using the technology, you have to factor in usability and convenience. There's some wonderful tools out there but they're so hard or so geeky that your average user or, as the trainers say, the grandmums can't use the tool. So it makes it difficult. So this may be one thing to add.
Another thing is someone mentioned earlier something about enemies and which is the enemy of the week, but then earlier we talked about an ecosystem, so we're all in the same bounded space together. So I think if we can talk about the environment and even though there are actors, I think there might be a need sometimes to have regulation to just regulate how the ‑‑ if there's something deemed an activity but it's also the community working together.
And then I'm maybe going to add an explosive comment or a question. Just going back in terms of offline and online, so you're talking about protests and all those consequences, it reminds me of something I don't subscribe to, but someone in Civil Society if you're thinking of digital equivalence of online space, then the offline space when those that want to have some sort of action and get the attention of others, they'll strike, they'll protest, and they'll barricade. So something that's come up in the past that the technical community quivers about is DDoS as a protest measure? If you're going to say that or not. I think that's something else that if you're going to bring that up brings up a whole bunch of other things. Something you mentioned, I think you quoted in the multi‑stakeholder model, you defined it well, but I think, too, it's how do we bring traditional offline expressions and rights that we have and not just have it by default being secured, going to prison if it's in digital?
So I'll maybe put that and hopefully it will be an interesting set of answers.
>> MERIKE KAEO: All right. I'm going to address the question like primarily does somebody own security, should somebody be in charge? Just really quickly, I made a list, from a technical perspective, what's all involved. You have to deal with equipment vendors, these are your home routers, firewalls, switches, routers what have you. Then consumer electronics, my dryer will tell me whether or not, you know, it needs to be repaired. Your TVs, your music systems, your refrigerators; right, all of them are going to be on the Internet. Somebody has written their software. Do we know whether or not somebody can use that in a service attack? Then you have the chip vendors, your hardware. You have software writers. You have mobile application creators. You have protocols themselves. You have the Internet service providers. You have the businesses. You have the end users; right? There's probably a lot that I've missed. So I think you get the point that there are a lot of people involved. And they are all responsible. We are all responsible. And if I'm at home and I have, you know, I have to be cognizant what my device does. Whoever I buy my electronics from, I drive them crazy, because, first of all, I ask if they support IPv6, but I do. You're trying to figure out, well can I filter anything? What? Can I upgrade my software on this television? What? Right? This is part of the growing problem that we have to look at.
So it's an expanding problem because everything is going to be on the Internet. I mean, there's just more and more things on it. And so, you know, I don't think that there's one entity that can be responsible. I think collectively; right, as technologists, as policy makers, as law enforcement, we have to try and figure out how to mitigate the risk as much as possible.
I will also echo the point about software development.
So I have an engineering degree and I have to take some software classes. I got a very good grade when the program gave the result that it needed, not that I did error checking. All right. I believe that this is still true today. This is the problem. Okay. It starts with the education where I wish you would get a lot of extra points the more error checking you did.
So anyway, that's it.
>> NURANI NIMPUNO: Could I just quickly follow up on that. So you're saying you do not want to be responsible for all these different ‑‑ you personally. You seem like a very reasonable person. But if ‑‑ so basically you're talking about this shared responsibility that we also hear about in various contexts. We have a shared responsibility as end users. As a consumer you have a responsibility to do certain ‑‑ to be aware of what tools you're using and what you are doing and everyone through the whole value chain has a responsibility. But ‑‑ and that sounds great, but really, how realistic is that?
My mother‑in‑law is 80 something. She's got an iPad. She doesn't know what she's doing. How ‑‑ you know, governments are not techies, you can expect some dialogue, but, really, how much responsibility can you expect them to take? And how much can you expect the technical community to take?
>> MERIKE KAEO: And I think this has no clear delineation, but I will bring it back to education. I know a few countries that have actually spent a lot of time educating their constituents. My mother is 80 years old and she has to do a lot of things online. I will mention that my background is that I'm Estonian. So whenever she goes to Estonia, she has to renew her insurance. She has to do her banking online. She has national ID card which she has to know every five years she has to go to bank and get new certificate. She is able to do that without calling me. I can definitively say that I have 90 gigabytes. I have a lot of data that shows all the TV shows and advertisements that they have done to educate children, older people. Usually we're not good at doing that, there's too much jargon. So I think educating at the level that people can comprehend, not that they need to learn the technical jargon, but we bring it into terms that they will understand.
I think that's really needed.
>> MARCO HOGEWONING: I have a few comments online, Chris.
>> CHRIS BUCKRIDGE: We have one coming in from Tatiana Tropina. It's responding to Mr. Malinowski's question, comment from the Council of Europe. She says, "The