The following is an invitation to participate, to share ideas and best practices, and to take on a new approach towards the mass deployment of internet standards and best practices. So, feel free to reach out to us and start work towards a kick-off meeting at the global, virtual Internet Governance Forum in November.

The IGF Dynamic Coalition on Internet Standards, Security and Safety

There is general agreement that the Internet needs to become more secure and safer. Vast sums of money are spent each year on security products and measures, many of them bought, downloaded and installed by the end user. Whether you’re a large corporation, an international organisation, a government institution, someone working in the media or a private individual, the responsibility for security and safety is something we all need to deal with ourselves.

However, there is another way to protect all end users: ensuring ICT-related products and services are made fundamentally secure by design. In March 2020 a report was published on the website of the UN Internet Governance Forum (IGF) entitled ‘Setting the standard for a more secure and trustworthy Internet’. This set out the conclusions and recommendations of an IGF pilot project which examined the reasons why Internet security standards and best practices, which are intended to make Internet connections, devices and services more secure, are in practice not widely adopted and deployed. The report explains why ICT services and products do not follow best practices and standards in enhancing their security, for example in email and routing systems, websites, connected devices (the so-called “Internet of Things”) and apps, data storage, software development, etc. The report makes concrete recommendations on next steps and actions that will put pressure on manufacturers and service providers to substantially increase the level of security and safety in their products, devices and services.

No organisation involved in the deployment of technical standards and network applications can achieve these aims single-handedly. The solutions for addressing the lack of security online can only be achieved through the kind of multi-stakeholder engagement, dialogue and consensus-building that the UN Internet Governance Forum (IGF) was established to facilitate. As a follow-up to the work undertaken by the group of experts in the IGF’s pilot project, it is proposed that experts from the ICT industry, the technical community, corporate users, governments and civil society join together in an IGF Dynamic Coalition on Internet Standards, Security and Safety. It is envisaged that the coalition will undertake its work by setting up working groups on specific themes relating to the recommendations set out in the report of the pilot project. The working groups will convene over a period of two years in 2021-22 and formulate specific proposals to the coalition for creating the opportunities and the means for achieving widespread and rapid deployment of Internet standards and best practices relating to security and safety.

A key area of focus for the proposed dynamic coalition will be how to build a sustainable business case for the immediate deployment of Internet standards and ICT best practices that provides a return on investment, for example through the product procurement process.

Another major recommendation made in the report of the IGF pilot project concerned awareness-raising, training and education. Consumer welfare and child protection advocates, and related governmental and regulatory agencies, are often less aware of the technical processes of standards development and their final outcomes. In the educational sector the national curriculum rarely includes Internet policy issues and advice relating to security and safety online. It will therefore be important to involve experts from these fields in the work of the dynamic coalition. This will ensure that the work of the coalition is informed about their respective roles and potential actions.

The media also has a crucial role in creating greater public awareness about Internet security and safety. It will therefore be important to involve media experts as well.

The Internet has evolved to become ever more important in everyone’s daily life – and will become even more so, as demonstrated by the responses to the global Covid-19 crisis. The relentless and remarkable advance of digital technologies into virtually every aspect of life puts even more focus on the wider roles and responsibilities of stakeholders for strengthening safety and security online and establishing greater trust. Security therefore needs to become the overarching standard for all ICT-related services, devices and products. Their safe use is ultimately the responsibility of the end users. The deployment of standards, however, is the responsibility of society as a whole. The overall aim of the proposed IGF Dynamic Coalition on Internet Standards, Security and Safety will be to ensure that the ICT products and services designed, produced and procured for Internet use are more secure and safer to use.

Wout de Natris
Mark Carvell

Testing, testing, testing for a more secure (internet) world

If there’s one analogy between the Covid-19 crisis and cyber security, it is the lack of testing in many places across the globe. In both cases, to truly know how safe and secure we are, testing needs to be stepped up considerably. As this is a blog about cyber security, let’s put our focus there.

Over the past days and weeks more and more organisations have switched to digital products and services to sustain working from home, to keep productivity up and to stay connected. Our dependency on the internet has become even larger, with perhaps one large difference: more people are now actively aware of their dependency, rather than taking it for granted without thinking about it. Let’s not forget that by far most people have slipped into the digital age without comprehending the implications, let alone how it works. With this newly found realisation, this is the time to act where cyber security improvements are concerned. First let me give a few examples of how we slipped into the digital age.

How we moved to the internet
Over the past years we have all started to use products and services we do not truly understand, nor do we have an overview of the implications that come with the use of these products. This goes for apps that transgress every basic rule of privacy without any hindrance, but also for government organisations using cloud services in the U.S. We use Google, Facebook, WhatsApp, etc. multiple times daily without being aware that we are the product, “the user”, of these companies. Energy companies connect a nuclear reactor to the internet because running maintenance from home when necessary is so easy. Or a machine in a factory is directly connected to the manufacturer for maintenance without built-in security. And what about all those connected devices entering our homes without basic security installed? Etc., etc., etc. All were decisions with large implications, usually made without security in mind: not offered, not asked for, not (fully) understood. Let’s make it more tangible.

On Wednesday 31 March Boris Johnson, U.K. prime minister, posted a photo online showing his cabinet’s video conference, giving away a load of data about his workplace, his gear and even his unique username for the Zoom application the U.K. cabinet used for the conference. Twitter sort of exploded because of it, and yes, the lack of understanding in the PM’s office is extremely disconcerting, but a part of the Twitter explosion focused on the program used. Zoom is an application that is used all over the world for video conferencing, one of many. What was pointed out yesterday, at a time when almost every organisation depends on video conferencing, is that Zoom is not as secure as it advertises. Many people pointed out that Zoom blatantly lies about the level of security on offer.

And here is where I come to my point that we need to test, test, test. An important question ought to be: why did some people only bother to test the service now and not last year or the year before? Can you tell me whether any of the other services are better? I can’t.

Responsibility for a secure internet
The world fully depends on ICT products and services, something that today is clearer than ever. It also means that the products and services need to become more secure. 100% security is something no one can offer. Avoidable mistakes, though, should no longer be acceptable when a product or service enters the marketplace. Not in a product connecting to the internet, not in software and not in online services and hosting. If the current crisis shows us anything, it is the responsibility the internet market has where the world’s security is concerned.

Making the internet more secure
This can easily be improved if testing becomes a prerequisite during the production phase. For everything already on the market, it is quite clear that the status quo is that a company awaits an alert or a breach before taking action to fix the flaw in its product, if at all. To become safer there are three ways forward:

1) New products are made by new rules assuring a higher level of quality and security;
2) Testing;
3) Attribution.

White hat testing
I would like to focus on the last two. Marc Goodman proposed in his book ‘Future Crimes’ to create a worldwide pool of white hat hackers who test products and alert a company or a central agency to discovered flaws, which are then repaired and updated. One thing is certain: the “bad guys” test products 24/7 in search of flaws and use them for their own nefarious purposes. So why don’t the “good guys” do this in an organised way? Yes, this is a challenge to organise, but the white hat hackers already exist. So why not pool them and make use of their energy? Finding flaws before the bad guys do saves everybody money, time, losses, hurt, bankruptcy, etc. Yes, it is a burden on the manufacturers, but then they are the source of the flaws. Not the consumers. In fact not even the “bad guys” are the source; they are just using what is on offer in a bad way.

A related example is the city of The Hague, which organises a yearly hacking contest against its own systems. Something more companies and organisations should do.

Consumer organisation testing
A second way of testing is through consumer organisations. Products and services with online components need, from now on, to be tested on cyber security aspects as well. Are certain internet standards deployed? Are passwords in place? Are patches guaranteed? Is data protected? Etc., etc. This way pressure is applied to manufacturers and service providers to up their game, and consumers can compare products. The test of webshop websites in the Netherlands and the test of an app’s privacy adherence in Belgium are good examples of this.

Attribution of breaches
When hacks or other digital breaches occur, one way forward is to collectively learn from the cause(s), e.g. by making it known that the breach was caused by a lack of security in product X or service Y. This puts pressure on manufacturers who currently produce sub-optimal or even unsafe products. No manufacturer wants its product associated with negative news, so most likely all will improve because of it.

A milder form is to mention the cause without the name, but including explicit mention of costs and losses, in combination with suggested questions consumers can ask their vendors or demands they can make for a more secure product. This creates awareness on the customer side and puts pressure on the manufacturer.

Is this bad for innovation? All other products in the world show that rules or regulations do not stop progress. So why would the internet be different?

Security investments come with costs
More than ever before the world has become dependent on the internet. It is time that the internet business takes responsibility for this dependency. This comes at a cost. Yes, there is another side to this debate: it has to become normal to pay for internet security. It is only fair that money is made on the investment the industry has to make to provide cyber security.

Conclusion: start testing!
Just as at this point in the Covid-19 crisis a lot of people do not know whether they have contracted the disease or have recovered from it, because they have not been tested, many internet services and products can reach the market, even with false claims, without testing. It is time for change. Societies have to start testing.

In a recent report published on the website of the Internet Governance Forum I have identified 25 pressure points in society that can aid in making the internet more secure. If you are interested in learning more, you can download it here:


Why are internet security standards badly deployed and what to do about it?

In 2019, under the aegis of the Internet Governance Forum, a pilot project was conducted into the causes of, and solutions for, the generally slow deployment of internet security standards: standards that, once deployed at scale, make the internet and all its users safer, indiscriminately and immediately.

The report
Recently the report ‘Setting the standard. For a more Secure and Trustworthy Internet. The Identification of Pressure Points in Society to Speed up Internet Standards Deployment’ was published on the IGF website. Information was gathered by means of an international survey, breakout sessions at the IGF, dozens of interviews with stakeholders and desk research. It focused on two questions: 1) What are the reasons for slow deployment? and 2) What are the solutions to speed up deployment? This showed that underneath all other reasons provided lies a collective action problem. To break out of this state of inertia, 6 recommendations, 25 identified pressure points in society and 7 action plans are presented, including the identified stakeholders who have to be(come) involved to have a chance at success in speeding up deployment.

Six standards
The project took six standards as examples to start the discussion: three internet standards by the official definition (DNSSEC, RPKI and BCP38) and three that are not (the OWASP Top 10, ISO 27001 and the Safe Software Alliance principles). For ease of writing and reading, all are called internet standards within this context.

Many participants agreed on the main cause for the slow uptake: the lack of a business case. If there is no demand, in general there is no supply. Research showed that there are underlying causes. The report shows that there is a lack of pressure on decision makers from the sides that matter. As far as the project was able to ascertain, and with no one pointing to another conclusion, there is no (or not enough) pressure from laws/regulation, media or consumer organisations. As one of the interviewees stated: “No one cares if you deploy and no one cares if you don’t”.

In addition, the overwhelming majority of consumers is not willing to pay for security measures, while (or because) they do not understand the implications of insecurity. The entrepreneurs willing to deploy face a negative business case or operate in a niche market.

Another important conclusion is that it is not (just) technically proficient employees who decide on deployment of the standards. Yet outreach from the technical community is often aimed at these people. Unfortunately this does not reach the level of success needed to make the internet safer, as these people do not decide on deployment. This calls for different aims and for a change of narrative. It is the owners, board members and financial officers who need convincing. That may take pressure from other stakeholders to achieve change.

Governments have not taken internet standards into law (ISO 27001 is a voluntary exception), which is the situation preferred by nearly all we’ve spoken to. At the same time most of the efforts of governments (and their agencies), but also of e.g. banks, concerning cyber security are aimed at the only stakeholder with limited power where deployment of standards is concerned: the consumer, or “user” as the internet industry prefers to call its customers. In other words, there are no carrots and no sticks of any kind, making it far worse than having no business case.

Collective Action Problem
All this results in a collective action problem, where there is no demand and no incentive to change behaviour and deploy the internet standards. Usually it is the government that society looks towards for solutions. In many sectors this is completely normal and accepted behaviour: health, (air) traffic, agriculture, etc., etc. A question in need of an answer is what makes the internet so different that it justifies the absence of governments, while the market cannot solve the enormous security challenges facing it. Perhaps it becomes necessary to look at the problem as a (digital) health issue. What perspectives does that provide to act upon?

This report does not answer these questions. It searched for potential solutions and pressure points in society that can contribute to breaking up the collective action problem. A few examples are presented below.

The six recommendations are an accumulation of the advice provided. Although there is a near consensus among participants that action is needed, there is no consensus on the precise way forward. The first five were tested in the breakout sessions at the IGF (number 6 came out of those sessions) and are seen as sensible.

1. ‘Create a business case for the deployment of internet standards.’
2. ‘To deploy internet standards successfully they need to be incorporated by reference into law or legally binding regulations, including a designated regulator.’
3. ‘To deploy internet standards successfully requires building security by design / default into products and services.’
4. ‘All stakeholders should collaborate on coherent strategies for multilingual awareness raising on internet standards and their effect on internet security.’
5. ‘Internet standards and architecture must become part of education curricula.’
6. ‘Standardisation processes are advised to include a consultation phase with government and industry policy makers, and civil society experts.’

The paradox this report lays bare is that a large proportion of the participants see legislation as the only option to force industry into deploying, yet no one wants it. As legislation is seen as the least desirable option, this comes with a moral obligation to step up on all the others. The absence of legislation cannot and must not equal non-deployment. Hence the pressure on those who have to deploy needs to be created elsewhere. The report mentions 25 options, from parliamentarians addressing the issue to industry, to consumer organisations testing ICT services and products, from regulation to media publications.

Pressure points in society
Where deployment of standards is concerned a government can take on a few roles. Standards could be demanded by it through procurement. Standards could be demanded on the basis of duties of care. A question in need of an answer is what regulators can achieve on the basis of current laws, whether telecommunication, privacy, consumer, etc. When all else fails the government is the legislator, but even then cooperation is of the utmost importance.

Mistrust of governments is one of the reasons mentioned why the technical community remains more or less aloof from other stakeholders that could play a role in making deployment happen. It is of the greatest importance that these others understand what internet standards are, why they exist, how they are made and what the importance of deployment is for a more secure internet. To ensure that future measures are the right ones, interaction is key. Hence this report invites the IETF and ISOC to participate actively in the next phase and to assist in the creation of a change of narrative and the direction of outreach, to prevent legislation where possible. Their role lies in leading the other stakeholders forward and in making it impossible, at the highest levels of industry and society, to plausibly deny having heard of the internet standards in need of deployment. Why? The decision to deploy is seldom a technical decision but a financial one, an investment (without return). This calls for a different approach and narrative.

All this translates into seven actions that you can find in the report. To massively deploy internet standards is and will be a herculean task involving many stakeholders with different and most likely competing interests. Deep down, however, all stakeholders around the globe have the same interest: not to be hacked, not to have compromised or lost data, not to lose money, etc. This is a starting point. And, when all is said and done, all will have to pay for security. That goes without saying.

Conclusion: a no-brainer
Ideally this report is not the end but a beginning: the start of work on deployment by enacting the recommendations and gathering the stakeholders in the action groups. The IGF is a neutral platform where all involved are equal. The first and most difficult steps can be conducted here before the results are taken outside of the IGF to be implemented. All with one aim: to make deployment of security-raising standards a no-brainer for all involved.

You can find my report on the IGF website:


Internet consolidation at EuroDIG 2019: Questions in need of an answer

On behalf of SIDN I was the focal point and moderator of the workshop on internet consolidation at EuroDIG in The Hague, June 2019. The following is the official report of the workshop I wrote and published on the EuroDIG wiki page. It is followed by the questions that remained open and the potential next steps identified.

The fact that this workshop was able to tie into a previous workshop on internet consolidation at the IGF in Paris, November 2018, provided focus and allowed considerable steps to be made in The Hague. Here is the report.

The report
At EuroDIG 2019 a workshop was organised around the topic of consolidation on the Internet. It was organised around four angles: technology; competition; society and human rights; and future research. One thing became extremely clear: no one contested that consolidation is taking place, nor that this already has and will have an impact on the Internet and consequently on society. There was also consensus that this topic is not going away, that addressing it is urgent and that more study/research and interaction between stakeholders is necessary. If anything, the workshop led to more questions being asked than answers given, which is telling in itself.

What is consolidation?
Consolidation, in this specific context, is the process by which internet activities and businesses get increasingly integrated, both vertically and horizontally, or more simply put: where many of the same suddenly become fewer of the same. Another term often heard in this context is centralisation. This term is used when users have to go through one central point, e.g. to use a specific service or access a specific database. The two terms are not interchangeable.

A study by the Internet Society shows that consolidation takes place at different levels of the internet. Applications, access provision and service infrastructure are mentioned, but beyond that deep dependencies are created, e.g. through total service environments.

Potential consequences of consolidation
In the Internet governance sphere the topic of consolidation was raised by the Internet Engineering Task Force (IETF). It flagged the topic as important, something other stakeholders needed to learn more about. Jari Arkko presented on the topic at an IGF workshop in Paris, November 2018. The outcome led to a follow-up workshop at EuroDIG dedicated fully to the topic.

In short, it was explained, the internet works because all involved, “the many to many”, follow universal, mandatory and voluntary open rules and procedures, the so-called internet standards. Now that the many become fewer and fewer, this changes the internet and internet governance procedures. When one or a few organisations control large parts of the internet, they also come to control access to the internet and to data, and determine the success or failure of innovative products, privacy, free speech, etc. This leads to important questions societies need to address. Many of these major questions were asked during the workshop, fundamental questions that in part go right to the sort of society we all want to live in.

Already there are companies at the service level, in online retail, social media, search engines, DNS queries, etc., so big that they hold large percentages of the market and dominate at a regional and even global level. This comes with large economic power, political influence, the (potential) stifling or co-opting of innovation, etc. Competition rules are looked at to establish fair play and a level playing field, but do they?

Although there was no explicit consensus in the room, looking at the discussion from a helicopter view shows that the process of consolidation leads to feelings of discomfort and unease on all sides. Whether people have a background in business, human rights, access to data and services, etc., they all have questions in need of an answer, about both actions in the present and outcomes in the future. Academia aside, they all look to others, e.g. governments, competition authorities and policymakers, for action and for answers.

Potential next steps
Competition law
An important remark at the session was the following: we already have competition laws, so why would we need new ones? There was no direct answer to this question, yet it is important to follow up on. It was pointed out, e.g., that there is a need to look at companies and their strategies in different ways. Market power could also be measured in (the availability of) access to data and not just in traditional market shares, or by looking differently at the overall strategies of companies in the case of mergers or acquisitions. There is a need for a debate on whether current, mostly national, competition law is sufficient within a global internet environment.

Many in the room were alerted to the fact that the Dutch competition authority (ACM) had completed a study into the market power of Apple’s App Store and concluded that a formal investigation was called for.

Technical solutions
From the technical community came the question: “What do you want us to do?” Several possible future technical measures and solutions were suggested, e.g. creating better functioning interfaces that allow access to systems, or opening up social media systems. There came no concrete answer from the non-technical community, except the conclusion that consolidation is a non-technical topic. The people responding stated that consolidation is an economic/competition law issue, and therefore regulatory. There seems to remain one obvious role for technicians: flagging and explaining. But let’s not yet conclude that there is no other role, as the technical community sees a potential role for itself, e.g. in assisting smaller companies to collaborate in a better way. The value of these measures has to become clear.

Net neutrality
Another point made in this context was the need for net neutrality, as this creates a situation of equal access for all. Another topic for future debate was thus identified.

Interaction between stakeholders
Overall there was one major development compared to Paris in November 2018. It became clear that there is a need to get to know each other, as some stakeholders were not familiar with each other, let alone with the work going on within their respective silos. If anything, this was the step forward made between the session in Paris and the work leading up to the workshop in The Hague. The sharing of knowledge could lead to new actions within the respective silos, whether by taking measures at the technical level, as information that authorities need to build cases on, or as suggestions for using current policies or creating new ones. It was suggested to look into these options.

The good, the bad and the absent
Many people raised concerns, yet it proved hard to provide concrete negative examples resulting from consolidation. “I cannot run my own private mail server anymore” was the most concrete one. A conclusion that can be drawn is that, at this point in time, those actively involved have grave concerns because market power has come to rest in too few hands, a situation that may (soon) come with negative effects. Attention was drawn to the fact that not all stakeholders seem aware of the current developments and what they (may come to) mean for their respective positions and interests. On the other hand, ISOC’s study shows the advantages of consolidation in e.g. cloud services and the global reach they provide even the smallest companies, although these come, or may soon come, with vendor lock-in, as it becomes impossible to switch to another provider (with ease).

So what are the next steps? The workshop made clear that doors to other silos need to be opened. Knowledge needs to be exchanged and organisations can assist each other in developing answers to the questions that are in need of an answer. Coordination between different stakeholders could be set up, and there is a strong need for convincing examples of whether consolidation is a good and/or a bad development. Finally, missing stakeholders need to be actively invited to these meetings.

This workshop contributed in a meaningful way to the debate on consolidation. It provided enlightenment to those involved, despite the fact that many questions remained open. Fact is, many were raised for the first time with other stakeholders present. These questions are in need of answers, and formulating those answers will take the participation of multiple stakeholders. This starts with sharing experience and knowledge with each other. The conditions to do so were created at EuroDIG in The Hague.

Wout de Natris
Workshop focal point consolidation on behalf of SIDN
De Natris Consult

Questions in need of answers
For now the following questions and action points were identified.
– A need to identify and understand the working of each layer of the internet within this context
– A need to identify and understand the current situation in each layer of the internet
– Establish the link between consolidation and net neutrality
– Does net neutrality also need to take into account free speech and innovation?
– Identify how each stakeholder community can contribute to answering the identified questions
– Identify current and potential actions within and among stakeholder communities
– Establish how contributions from other stakeholders can assist (the actions of) others
– Do “classic” competition laws work for the internet, or is this a truly new environment?
– “The people” do not seem to worry. Should they? And if so, how do we tell them?
– What can (the strategy behind) mergers and acquisitions tell us about consolidation?
– Is there a need for standardisation in regulatory reporting to truly make comparisons or draw conclusions at the global level?
– Are security threats limited or rising because of consolidation?
– In what way can enabling smaller players from a technical point of view become an alternative to consolidation?
– How can consolidation be measured and quantified?

A word of gratitude
This workshop was made possible through the support of SIDN, but would not have had this impact without the valuable input of Carl Gahnberg, Cristian Hesselman, David Korteweg, Jari Arkko, Marie-Noémie Marquez, Zoey Tung Barthelemy and all who contributed actively in the workshop itself or shared ideas in the preparatory process. The EuroDIG secretariat’s Rainer Rodewald facilitated the whole process in a professional and extremely kind way.


Chances and opportunities or the U.S., the E.U. and privacy regulation

The European Parliament recently sent a letter to the U.S. government expressing its concerns about the U.S. government’s demands that U.S. companies deliver (privacy-sensitive) data stored in Europe to U.S. law enforcement and security agencies when so requested. U.S. court cases concerning this topic are confusing and contradictory; the stance of the U.S. government as such is not. Neither is the privacy law of the E.U. A clear case of incompatible laws.

What surprises me is that Europe in general always complains about its dependence on U.S. cyber moguls. If this demand of the U.S. government shows anything, then it is the opportunities for E.U. cloud and data companies to step into the void the U.S. companies are about to leave behind.

It is a fair question whether, due to the restrictive rules of the GDPR, the amount of privacy-sensitive data stored can ever again be as big as it presently is. Fact is that the data companies want to store needs to be compliant with E.U. privacy laws. Where better to store this data than within Europe, with companies that assist their customers in being compliant?

So, people, let’s stop complaining and expressing concerns and step into the market, head held high, and grab the opportunities presented for free by an unbending U.S. government.

The E.P. focused in its letter on the risk of splitting up the Internet because of the U.S.’s actions. The Internet is already splitting, as the actions of different eastern countries show. It may be time that the E.U. starts to prepare for something that might be inevitable, even if just in case or as a case study. It’s always better to be well prepared. Boosting an industry is one such preparatory step in that direction, and economically sound too.

Wout de Natris

Haarlem, 2 February 2018
