As part of the ICANN accountability reforms, civil society activists pushed to gain a commitment from the corporation to respect fundamental human rights. This appeared to be a promising part of the ICANN reforms.
IGP has always recognized that ICANN’s regulations on domain name users and registries can affect freedom of expression, privacy, and due process online. Ideally, a commitment to fundamental human rights by ICANN could ensure that the organization does not pass domain name policies that violate or limit these fundamental rights. Our support for that agenda was strengthened by the fact that one of the leaders of the HR push in ICANN was the Article 19 organization, which has an excellent record in supporting freedom of expression both offline and online.
It is sad, therefore, to have to report that the human rights push in ICANN has become badly misdirected. If the current direction of Work Stream 2 continues, the HR effort will at best have no impact on ICANN’s policies and at worst could make ICANN into an even more controlling and intrusive regulatory force than it already is.
During the accountability reforms, there was significant debate over the wording of the commitment. Eventually, the recommendations on human rights proposed in the CCWG report were adopted as a Core Value using this bylaw language:
Text of the new Bylaws Core Value as adopted in May:
(viii) Subject to the limitations set forth in Section 27.2, within the scope of its Mission and other Core Values, respecting internationally recognized human rights as required by applicable law. This Core Value does not create, and shall not be interpreted to create, any obligation on ICANN outside its Mission, or beyond obligations found in applicable law. This Core Value does not obligate ICANN to enforce its human rights obligations, or the human rights obligations of other parties, against other parties.
The meaning of this core value required further interpretation as to what exactly the bylaw text means for ICANN’s policy and operations. And so Work Stream 2 of the reform process – the part that comes after the IANA transition – was mandated to come up with a “Framework of Interpretation” (FoI). The FoI would interpret different parts of the bylaw in order to translate the commitment into specific, implementable practices.
Since then, quite a few of the HR advocates within ICANN have focused their efforts upon getting ICANN to recognize something called the “Ruggie principles.” Ruggie Principles is shorthand for “The UN Guiding Principles on Business and Human Rights.” They were proposed by UN Special Representative on business & human rights John Ruggie, and endorsed by the UN Human Rights Council in June 2011. In essence, they are a set of guidelines for States and companies to prevent, address and remedy human rights abuses committed in business operations.
In other words, the Ruggie principles are focused on applying ethical standards to the supply chains, contractors and business operations of private companies. They are intended to promote a corporate obligation to avoid subcontractors or suppliers that use unpaid labor, child labor, or other abusive economic practices. They are designed to be applied to commercial producers, especially ones that sometimes have to operate in developing countries under sketchy conditions, like the oil industry, diamond miners and the like.
The Ruggie Principles are not relevant to ICANN’s substantive policies and regulations pertaining to domain names. They were not developed with organizations such as ICANN in mind. This is why all the discussions on their application to ICANN look like attempts to fit square pegs into round holes. After the workstream 2 HR team spent several calls trying to analyze their applicability, only a few parts of two of the Ruggie principles were considered as potentially applicable. Nevertheless, even now, when a small part of the drafting team has been tasked with providing alternative language for interpretation, there is a big push for the application of Ruggie from some members of the bigger HR group.
Bait and switch?
When human rights activists pushed their agenda in ICANN, we thought they meant an ICANN whose domain name policies do not violate or restrict fundamental human rights to free expression, privacy and due process. We were not asking that ICANN avoid the use of slave labor (aside from, ahem, its volunteers in the supporting organizations) or be turned into a body that devotes significant time and resources to investigating the business practices of its contracted parties, and possibly even non-contracted parties like ccTLD delegates.
The emphasis on the Ruggie principles diverts our attention away from ICANN policies. This diversion risks obligating ICANN to go beyond its narrow mission, and is likely to generate pushback from the industry because of the way it empowers ICANN to regulate or investigate the working conditions or subcontractors of thousands of registries and registrars. Worse, it takes all the pressure off ICANN’s policy making process. The HR focus shifts from the impact of policies to the business operations of contractors and associates or ICANN itself.
Domain name policies can subject domain name registrants to surveillance, rob people of the right to use generic words as domains, restrict the use of domains as forms of expression, and make domains more expensive than they need to be. That is what we need to be focusing on.
What HR activists should be concerned with is the need to impose constitutional limits on the policies and regulations ICANN passes, to ensure that they respect fundamental rights. As long as HR activists are using the Ruggie principles as their framework for interacting with ICANN, they are missing the target.
The best way for ICANN to respect fundamental human rights would be for all of its policies to be subjected to a human rights impact assessment before they can be implemented. HR Experts could take policies that are about to be passed and scrutinize them for their impact on privacy, freedom of expression and other internationally accepted fundamental rights. Policies that don’t meet those standards should be sent back for reconsideration.
It is to be hoped that the Workstream 2 working group on the human rights framework of interpretation can reorient itself, before all the mobilization around HR in ICANN is wasted.
 Full text of Section 27.2 as adopted:
“Section 27.2. HUMAN RIGHTS (a) The Core Value set forth in Section 1.2(b)(viii) shall have no force or effect unless and until a framework of interpretation for human rights (“FOI-HR”) is (i) approved for submission to the Board by the CCWG-Accountability as a consensus recommendation in Work Stream 2, with the CCWG Chartering Organizations having the role described in the CCWG-Accountability Charter, and (ii) approved by the Board, in each case, using the same process and criteria as for Work Stream 1 Recommendations. (b) No person or entity shall be entitled to invoke the reconsideration process provided in Section 4.2, or the independent review process provided in Section 4.3, based solely on the inclusion of the Core Value set forth in Section 1.2(b)(viii) (i) until after the FOI-HR contemplated by Section 27.2(a) is in place or (ii) for actions of ICANN or the Board that occurred prior to the effectiveness of the FOI-HR.”
U.S. Sen. Mark R. Warner (D-VA), a member of the Senate Select Committee on Intelligence and co-founder of the bipartisan Senate Cybersecurity Caucus, has released a letter asking three federal agencies for information on the tools available that prevent cyber criminals from compromising consumer products, such as Internet of Things (IoT) devices. "The weak security of many of the new connected consumer devices provides an attractive target for attackers, leveraging the bandwidth and processing power of millions of devices, many of them with few privacy or security measures, to swamp internet sites and servers with an overwhelming volume of traffic," Sen. Warner says.
— Prohibition of harmful devices: "Under the Federal Communications Commission's (FCC's) Open Internet rules, ISPs cannot prohibit the attachment of "non-harmful devices" to their networks. It seems entirely reasonable to conclude under the present circumstances, however, that devices with certain insecure attributes could be deemed harmful to the "network" – whether the ISP's own network or the networks to which it is connected. While remaining vigilant to ensure that such prohibitions do not serve as a pretext for anticompetitive or exclusionary behavior, I would encourage regulators to provide greater clarity to internet service providers in this area."
— "Mirai’s efficacy depends, in large part, on the unacceptably low level of security... Juniper Research has projected that by the end of 2020, the number of IoT devices will grow from 13.4 to 38.5 billion – yet there is no requirement that devices incorporate even minimal levels of security. The internet's open architecture has been a catalyst for its growth ... The lack of gating functions, however, has potentially created a systemic risk to the resiliency of the internet."
"Tech companies like Snapchat and Skype's owner Microsoft are failing to adopt basic privacy protections on their instant messaging services, putting users' human rights at risk," says Amnesty International in a new report. The organization's new 'Message Privacy Ranking' assesses the 11 companies with the most popular messaging apps on the way they use encryption to protect users' privacy and freedom of expression across their messaging apps.
— Amnesty International has highlighted end-to-end encryption as a minimum requirement for technology companies to ensure that private information in messaging apps stays private. The companies that ranked lowest on the scorecard do not have adequate levels of encryption in place on their messaging apps.
— "If you think instant messaging services are private, you are in for a big surprise. The reality is that our communications are under constant threat from cybercriminals and spying by state authorities. Young people, the most prolific sharers of personal details and photos over apps like Snapchat, are especially at risk," said Sherif Elsayed-Ali, Head of Amnesty International's Technology and Human Rights Team.
"We often refer to the Cuyahoga River in Cleveland that caught on fire over 20 times before we actually did something to introduce the Clean Water Act," says Allan Friedman, the director of cybersecurity initiatives for the Department of Commerce's National Telecommunications and Information Administration (NTIA), in a conference call on Monday. "I don't know if you can count this [Friday's massive DDoS attack] as an internet on fire — I know a lot of the people who were affected called it an internet on fire — but it may take several of these before we are sufficiently motivated. ... Given the very uncomfortable nature of some of the policy responses and the very long lead time to implement them and bring new problems to market, I think now is the time to start." Government should start working to prevent future attacks immediately, Friedman warned.
— "Baby Steps" / Tim Starks reporting in Politico, quoting Homeland Security Secretary Jeh Johnson: "The recovery from last week's attack that downed major websites like Twitter and Netflix appears to be complete. But preparing for the next huge distributed denial-of-service attack like the one that hit domain name system provider Dyn is still making baby steps. ... the department is working with law enforcement and the private sector to defend against Mirai and similar threats. And he pledged that DHS [Department of Homeland Security] would produce a strategic plan "in the coming weeks" to protect internet of things devices."
— "Internet Under Siege: The Cost of Connectivity," Rachel Ansley reporting from the Atlantic Council: "In the rush to produce cost-effective connected devices, not enough focus has been placed on security measures. ... [Joshua] Corman [the director of the Atlantic Council’s Cyber Statecraft Initiative] described how the widespread dependence on connected technology is exceeding the ability to secure devices. 'In our race to adopt technologies for their immediate and obvious benefits, we seldom do the cost-benefit equation to notice the deferred cost in security risks these [devices] incur,' he said. Once the devices are sent to market, security is no longer accounted for. Corman claimed that if the default posture of these devices is insecure, they will continue to pose a greater and eventually unmanageable threat."
A venerable old International Telecommunication Union (ITU) tradition got underway today. Its Telecommunication Standardization body, known as the ITU-T, gathered, as it has done every four years for much of the past 100 years in a conclave of nations, to contemplate what they should be doing at their Geneva intergovernmental standards meetings for the next four years. The gathering is called the WTSA — World Telecommunications Standardization Assembly. Old intergovernmental institutional habits still continue, so the participants are gathered in a remote location in Tunisia called Hammamet. Their real challenge today is severely diminished ITU-T participation and the actual use of their work. What is now unfolding, unfortunately, will not improve that trend.
So what appears at the top of the list for proposals for what the ITU-T should be doing? Nearly a dozen documents have almost identical text from three country blocs — the Russian Communications Commonwealth (RCC), the Arab States Administrations, and the African Telecommunication Union — purporting to make the world safe for users of the internet, mobile phones, and all forms of telecommunication. The promises are enticing: flawless identity integrity, network trust, privacy, counterfeiting mitigation, cybersecurity, eHealth, Internet of Things, Smart Cities. The proposals offer a kind of nirvana for accomplishing all these things, if only the nations of the world, via ITU agreement, buy into a service platform being proffered by an almost unknown new organization called The DONA Foundation.
If one digs a little deeper, however, it gets interesting. The DONA Foundation, it turns out, is a private organization based in Switzerland whose members are drawn from the same country blocs making the proposals. The DONA platform itself is a twenty-year-old scheme, known as Handles, to build a master global database allowing every networked device in the world to be uniquely tagged so that any desired information can then be added, tracked, and queried. Russia has had a special affinity for the platform, which it has been championing over nearly the past decade in the ITU.
For many reasons - including usefulness of the technology, cost, and the existence of more effective alternative platforms - industry and technical communities have ignored the DONA platform over the past two decades. However, the ITU as an intergovernmental body operates under a different paradigm — political processes where Nation State blocs can simply propose anything they wish — as they have at the Hammamet meeting. Russia knows the process well, and the Russian, Arabic and ATU blocs control a significant number of votes.
There are some really sad, unfortunate dimensions to what is unfolding here. One of the more obvious known to experts in the field is that the ITU-T itself pioneered an effective means for tagging information objects thirty years ago known as OIDs (Object IDentifiers), and the platform has been usefully deployed across internet and telecommunication networks for many purposes.
Another related aspect is that major global industry standards bodies have developed their own specialized tagging platforms that could be adversely affected by the patently anticompetitive ITU action of promoting the DONA platform for global use.
The concerns do not stop there. There are other reasons why the DONA scheme has remained almost unused after twenty years. A single overlay global information system for tagging, tracking, and querying the existence of every network device is the equivalent of Snake Oil. No network singularity can scale to the degree required. Furthermore, it would be costly and difficult to even attempt to create and maintain — certainly by economically challenged countries. Lastly, such an overlay would itself be constantly exposed to all kinds of cybersecurity threats and constitute a major global vulnerability. Indeed, MobilePhoneSecurity.org recently described significant IOT vulnerabilities of the DONA software.
Sadly, these proposals fly in the face of the theme of the WTSA itself — "security, privacy and trust in ICTs" — and depreciate the already diminished stature of the ITU-T. No competent body would adopt resolutions for outsourcing the purported basis for global security, privacy, and trust to a small, closed, private foundation led by Russia and a handful of friendly allies. Hopefully the nations in Hammamet will reject the Snake Oil sales pitch and the limited resources of the ITU can be used for more productive endeavors.
Written by Anthony Rutkowski, Principal, Netmagic Associates LLC
U.S. Department of Transportation issues Federal guidance to the automotive industry for improving motor vehicle cybersecurity. The guidance covers cybersecurity best practices for all motor vehicles, individuals and organizations manufacturing and designing vehicle systems and software.
— Cybersecurity Best Practices for Modern Vehicles / Page 5: "Vehicles are cyber-physical systems and cybersecurity vulnerabilities could impact safety of life. Therefore, NHTSA’s authority would be able to cover vehicle cybersecurity, even though it is not covered by an existing Federal Motor Vehicle Safety Standard at this time. Nevertheless, motor vehicle and motor vehicle equipment manufacturers are required by the National Traffic and Motor Vehicle Safety Act, as amended, to ensure that systems are designed free of unreasonable risks to motor vehicle safety, including those that may result due to existence of potential cybersecurity vulnerabilities."
— Aftermarket Devices / Page 20: "The automotive industry should consider that consumers may bring aftermarket devices (e.g., insurance dongles) and personal equipment (e.g., cell phones) onto cars and connect them with vehicle systems through the interfaces that manufacturers provide (Bluetooth, USB, OBD-II port, etc.). The automotive industry should consider the incremental risks that could be presented by these devices and provide reasonable protections."
Last week, millions of infected devices directed Internet traffic to DNS service provider Dyn, resulting in a Distributed Denial of Service (DDoS) attack that took down major websites including Twitter, Amazon, Netflix, and more. In a recent blog post, security expert Bruce Schneier argued that "someone has been probing the defences of the companies that run critical pieces of the Internet". This attack seems to be part of that trend.
This disruption begs the question: Can we trust the Internet?
The answer to that question is not yes, or no, or even "it depends."
First, it is important to realise that there is no security czar on the internet; there is nobody who can force the global Internet and its users to solve any of these cyber issues. Various actors on the internet must take responsibility, often in collaboration with others, taking into account the fundamental values and properties that underpin the Open Internet. We call this approach the collaborative security approach. For now, it is sufficient to realise that security of the Internet depends on many actors taking responsibility. In this post, I look at this attack through the lens of the internet 'as a system', and I identify one success, share one observation, talk about a failure, and outline an agenda that we must adopt.
The success lies in the collaborative nature of how Dyn worked with others to mitigate the attack.
As mentioned in their statement, Dyn had to work with the technical community to mitigate the attack. My speculations will not be far off if I say that this must have involved work with network operators, computer security specialists, law enforcement, computer security incident response teams, DNS providers, and their customers. Given the size and scale of the attack, I see their reactive work as a testament to the effectiveness of the coordination. So, kudos to Dyn for thwarting the attack even though, metaphorically, this is the success of a fire truck arriving on time and limiting damage and not a success of preventing the fire in the first place.
We should not take the sort of collaboration that happened here for granted. These sorts of attacks can only be stopped when network operators collaborate to address issues that are not exclusively impacting their own network (the firemen from other areas coming to aid). At the Internet Society our Routing Manifesto, or MANRS, initiative speaks to just that: We are growing the community that commits to taking measures against certain types of attacks and takes action that allows for effective collaboration. MANRS acts as a signal to customers that they are dealing with an entity that understands their responsibility. I'll get back to signalling below.
One of the benefits of having a site's DNS service managed by one or a few consolidated companies is that specialist expertise can be outsourced and these few organisations can efficiently deal with problems quickly. However, it also means that chokepoints are created and those few managed DNS service providers are becoming very big targets. The failure lies in the fact that the target painted seems to have become too big, and many major companies and websites now share their fate with these consolidated DNS providers. Given that one of the services often offered by DNS service providers is load balancing, untangling these hefty integrations may be a bit tricky. But since some companies and websites got a real hit last week, I think there may be some market-driven evolution in this space.
Now for the failure: Why is it that we are shipping an Internet of Things (IoT) that is so insecure?
These types of attacks depend on malicious software (usually referred to as "bot," from robot) being installed on various devices that connect to the internet. The installation can happen because users (accidentally) open links that download software or because devices are open to attack from the internet. There are some actors involved here. Any device — a computer, a phone, or an IoT thing — is made out of a large number of software components. When bugs are discovered in the software, the fixes need to make their way into the software and then onto the devices. There is a lot of collaborative effort in identifying the problems, and creating and distributing the fixes. It involves processes like responsible disclosure of bugs, software patch policies and procedures, and device end-of-life policies. It also, somewhat unfortunately, involves the actions of end-users since they need to pay attention that they change the default password on the camera, printer, or car they just bought.
So from this follows an agenda. Inspired by the IoT Security Questions from our Internet of Things Overview, we need to get to a point where:
- Producers follow, and share, good design practices;
- For every product sold there is a way that security researchers can responsibly disclose vulnerabilities found;
- Producers can fix, or patch, these vulnerabilities during the lifetime of the device (Field Upgradability);
- We clearly understand what happens if the product, or the supporting producers, reach end-of-life (Device Obsolescence);
- Consumers can make informed choices based on these properties (Cost vs. Security trade-offs);
- Data that IoT devices collect are protected and dealt with in privacy-honoring ways (Data Confidentiality and Access Control); and
- Those who go about device security in an irresponsible way get penalised.
This is not a trivial agenda.
Take, for instance, consumers making informed choices. While consumers may care about their devices being hacked and used against them, they usually do not know that their camera may be used to bring down the Internet, so the latter isn't part of their purchasing decision and hence an afterthought for the producers. These types of issues can be resolved through signalling mechanisms that indicate devices have at least minimal security. Getting to these signalling mechanisms could be done by concerted industry action, but may also involve regulation.
The fact that Internet of Things security is riddled with cases where manufacturers do not incur costs for any lack of security, and the fact that the global industry ships devices without having good answers for questions like responsible disclosure of bugs, software patch policies and procedures, and device end-of-life policies makes for a rather toxic mix.
We are shipping a lot of Things, so these issues need to be taken head-on with urgency. However, not through a central authority, but by consumers, producers, researchers and regulators coming up with mechanisms that allow the internet to remain open. There are multiple examples of communities taking responsibility and trying to move the needle. Let me name a few that I encountered in the past weeks:
- the NTIA Multistakeholder Process on Internet of Things Security Upgradability and Patching;
- the work by the IAB on IoT software updates – see the report summarising the workshop; and
- the framework for IoT published by the Online Trust Alliance.
The fact that many organisations are looking at several pieces of the agenda is reassuring; that means that good solutions will surface. Solutions that are relevant in the context in which they will need to be applied. The call to action is to get involved. To take your piece of the agenda and address that piece that you, as a consumer, as a producer, as an insurer, as a stock broker, or as a regulator can address. Together in collaboration, bring your expertise.
In the Dyn blog that reports on the DDoS attack, Kyle York says: "It is said that eternal vigilance is the price of liberty."
I believe that quote is central to the collaborative security approach. It implies that we collectively need to work to keep the Internet open, that sometimes we will feel the pain of openness — for this attack will probably not be the last one — and that most importantly the open Internet brings liberty.
Note: an earlier version of this post appeared on the Internet Society blog
Written by Olaf Kolkman, Chief Internet Technology Officer (CITO), Internet Society
There is no doubt that the number of online consumers is on the rise and that this is a trend that will not stop any time soon. Over the last couple of years, the number of digital buyers has grown by a steady 150 million each year. This number is expected to stay stable for a few more years to come. By 2020, about two billion people will be purchasing things online and making online money transactions on a regular basis.
Perhaps the most interesting thing is that this increase in numbers could have been even more spectacular if not for one factor that makes a world of difference for many online shoppers — security.
An Unsafe World
Online stores and other organizations that sell their services or products online have traditionally been among the most attractive targets for cyber criminals. The reasons for this are numerous and very understandable. For one, such organizations and their data systems will hold a bounty of personal financial information, including people's credit card details and more.
In 2015, we have seen a number of high-profile data breaches where consumer data was stolen. And while 2016 has seen more ransomware attacks (where no data is compromised) than anything else, it is not like it has been without its data breaches. While not all of the biggest breaches this year have involved online stores or service providers, they were definitely among the victims.
For example, in June this year, Acer suffered a serious data breach when personal details (including credit card numbers) of more than 30,000 of their U.S. and Canadian online shoppers were stolen. The fault was with a third-party payment processing system, but that does not in any way absolve Acer of responsibility.
Still, it is a perfect example of how even the world's biggest and most technologically advanced companies can be compromised just like anyone else.
How the Consumers See It
It is really not that difficult to understand why many people are discouraged from shopping or purchasing anything online when they hear stories like this. We live in an age of information and people are aware of how easily their data can be accessed by people and organizations that should never be in possession of such data.
Back in the early days of online shopping, a paper was published in the Journal of Business Research which showed that financial risk was the most commonly perceived risk on the part of online shoppers (followed by product performance and time/convenience risks). More recently, Connexity did a survey which found that almost two-thirds of American online shoppers are concerned about how the companies they do business with are securing their data. Other research also reinforces the view that security has become one of the main concerns for online shoppers.
It is not just the problem of data security. For example, there are certain online shopping models such as online marketplaces which come with their own slew of potential problems. Besides having to handle data, such websites and services also need to ensure that both the sellers and the buyers will honor the agreement.
How It Is Being Handled
At times, it feels that ecommerce sellers, marketplace operators and companies that sell their services online are always a step behind. In many ways, they are. This is mostly due to the very nature of cybersecurity solutions that are in the vast majority of cases reactive, i.e. they are introduced when vulnerabilities are discovered.
The good news is that the majority of online service providers and shops are still secure. Cybersecurity companies around the world are working on providing the best security measures to such companies and they are doing a great job. Furthermore, most governments have already started initiatives to keep online consumers secure and they are insisting on cooperation to reduce the risks.
Ecommerce business owners and those who do business online are also constantly looking for ways to improve their security and minimize the chances of suffering data breaches.
We are also seeing a trend where more and more companies, services and merchants are reporting their security breaches and reporting fraud in order to provide more information that will, in future, help reduce the number of attacks and their success rate.
It is difficult to say whether online shopping and online money transactions will ever be 100% safe. Still, there are definitely a few trends that we can see and that make us optimistic in this regard, cooperation most of all. Until this day comes, be smart when shopping online.
Written by Nate Vickery, Consultant
Follow CircleID on Twitter
During the last Computer Law Conference organized by ADIAR (Argentina Computer Law Association) and the Universidad Nacional de Sur, I gave a talk on the Internet of Things, cybercrime and the dangerous situation presented by the lack of proper regulation — a topic on which I have one of my research projects. At the time some people argued that I was talking about something that might happen in a relatively distant future, dissenting from my view that the possibility was imminent… the massive cyberattack a few days ago only showed the scenario to which I referred that day.
Reports talk about the huge DDoS attack being conducted using multiple devices connected to the Internet, devices that are more vulnerable to malware due to the lack of security measures in them, devices that form what is known as the Internet of Things.
Even if we forget that too many users don't even have antivirus software on their computers, most users have neither the knowledge nor the capability to secure Internet-enabled devices, only the connection itself, which is not always enough in these cases. So, what is the authorities' response to it?
Different jurisdictions are dealing with the issue in different ways, but there is a deafening silence about putting forward some kind of compulsory security regulatory framework directed at manufacturers and vendors, and too much talk about educating consumers and hoping for self-regulation. Attacks like the one on Friday show how insufficient those approaches are.
Like many things in the information society, this is left to self-regulation on the highly ideological basis that the technology in question is too dynamic to be properly regulated and that, taking into account the need to keep consumers' trust, the companies will do what is proper. The problem with that idea, which is not usually supported by the facts, as we've just seen, is that it forgets that companies in general, including those in the IT sector, are there to make profits and, regardless of how much "do no evil" they may try to promote, they may have the legal obligation to maximize profits for shareholders even if it means doing some evil (like censoring sites in some jurisdictions such as China). So, understandably, in the same way manufacturers and vendors will spend on security no more than what is strictly necessary to avoid potential lawsuits, which currently represents considerably less than what it would take to make their devices more secure than they are today.
One of the arguments against regulating IT has been the possibility that such regulation would stifle its development, but it can be strongly said that it is time to leave that argument aside. IT and its companies have resulted in one of the fastest and biggest concentrations of income in recent memory, and new billionaires have been popping up like mushrooms after the rain… it is hard to believe that strong regulation forcing companies to produce and sell secure Internet-connected devices would disincentivize too many of those companies from developing more of them, with, as a worst-case scenario, just fewer luxury items sold to IT billionaires around the world in exchange for a more secure digital environment…
Written by Fernando Barrio, Professor of Law at Universidad Nacional de Río Negro
The recent Internet outages caused by the DDoS attack on Dyn's infrastructure highlight deep architectural issues that need resolution. Security and performance are intertwined, and both need fundamental upgrades.
A few days ago I was working at a friend's house. He likes to have Magic FM on during the day. They regurgitate the same playlist of inoffensive 70s, 80s and 90s pop music, with live drive-time shows. Later in the day I heard the DJ sputter how their Twitter access had gone wonky, so you couldn't expect to interact with them via that channel. I thought little of it.
Many of you will have seen news stories that explained what was going on: a huge DDoS attack on the infrastructure of Dyn had taken down access to many large websites like Twitter. A great deal of digital ink has since been spilled in the mainstream press on the insecurity of the Internet of Things, as a botnet of webcams was being used.
Here are some additional issues that might get missed in the resulting discussion.
An unfit-for-purpose security model
The Internet's security model is completely unsuitable for these connected devices. The default is that anyone can route to anyone, and that all routes are always active. This is completely backwards. The default ought to be that nobody can route to anybody until some routing policy is established that is suitable for that device.
This process is called "association", and it precedes the "connection" that is done by protocols like TCP. The camera needed to be on its own virtual network that should be isolated from websites like Twitter. This is a fundamental architecture issue, and one that cannot be fixed by tinkering around with DDoS mitigation code in routers.
The present Internet has been likened to running MS-DOS. It has a single address space, and doesn't have any real concept of "multitasking". We now have to move to the Windows or Unix level of sophistication, where different concurrent users and uses exist, but are suitably isolated from one another in terms of network resource access.
This issue highlights why investment in new modern architectures like RINA is essential. TCP/IP is just the prototype, and lacks the necessary association functions for future demands!
Weak technical contracts on demand
The very nature of a DDoS attack is to aggregate lots of small innocuous flows into a large and dangerous one. The essential nature of the attack is to overload the resources of the target. This means we need to master a new skill: managing networks (and networks of networks) in overload.
This is a problem faced by the military, since their networks are under active attack by an enemy. Part of the solution is to have clear technical "performance contracts" between supply and demand at ingress and traffic exchange points. These not only specify a floor on the supply quality, but also impose a ceiling on demand.
With the present Internet we typically have weak contracts at those points, which don't set a supply quality floor or demand ceiling, or do so in a fashion that can't sufficiently contain problems. A DDoS attack is merely a special case of performance management in overload, and the real issue is broader than security management.
The Internet needs an upgrade to be able to manage quality issues.
Lack of economic incentives
My final point is that we don't have good feedback mechanisms in the long run to prevent this problem from getting worse. It's a kind of "environmental pollution" issue where the cost of insecure devices and poor operational practises is not borne by those who designed and deployed them. There has to be a way of putting more "skin in the game".
That could partly come from resolving the above two technical issues. Breach of the technical contract on the demand ceiling would result in some kind of commercial penalty for overloading downstream resources. In the extreme case it should be possible to end the association, so that it becomes impossible to route to the destination that is overloaded.
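The two mechanisms argued for above, association before connection and a demand ceiling whose repeated breach ends the association, can be sketched as a toy ingress model. This is an illustration added here, not code from the article or from RINA; the class names, virtual network names, ceilings, traffic figures and the three-breach tolerance are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Association:
    ceiling_pps: int        # demand ceiling from the performance contract
    max_breaches: int = 3   # consecutive over-ceiling seconds tolerated (assumed)
    breaches: int = 0
    active: bool = True

class IngressPoint:
    """Forwards only traffic covered by an active association (default deny)."""
    def __init__(self):
        self.assocs = {}    # (virtual_net, destination) -> Association

    def associate(self, vnet, dst, ceiling_pps):
        self.assocs[(vnet, dst)] = Association(ceiling_pps)

    def tick(self, flows):
        """flows: (device, vnet, dst, pps) tuples for one second.
        Returns packets forwarded per (vnet, dst)."""
        demand = defaultdict(int)
        for _device, vnet, dst, pps in flows:
            demand[(vnet, dst)] += pps      # small flows aggregate here
        forwarded = {}
        for key, pps in demand.items():
            a = self.assocs.get(key)
            if a is None or not a.active:
                forwarded[key] = 0          # no association, no route
                continue
            forwarded[key] = min(pps, a.ceiling_pps)
            a.breaches = a.breaches + 1 if pps > a.ceiling_pps else 0
            if a.breaches >= a.max_breaches:
                a.active = False            # end the association
        return forwarded

def run_constructed_scenario(seconds=4):
    edge = IngressPoint()
    edge.associate("camera-vnet", "vendor-cloud", ceiling_pps=2000)
    edge.associate("office-vnet", "dns-provider", ceiling_pps=500)
    # Constructed traffic: 500 cameras at 20 pps each, one office resolver.
    flows = [(f"cam{i}", "camera-vnet", "dns-provider", 20) for i in range(500)]
    flows += [(f"cam{i}", "camera-vnet", "vendor-cloud", 20) for i in range(500)]
    flows += [("resolver", "office-vnet", "dns-provider", 300)]
    return [edge.tick(flows) for _ in range(seconds)]

if __name__ == "__main__":
    for second, result in enumerate(run_constructed_scenario(), start=1):
        print(second, result)
```

Each camera flow is only 20 pps, so a per-device limit would never trigger. The ceiling bites because it is applied to the aggregate demand of the association at the ingress point.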
Ultimately the knowledge of which devices are involved in attacks versus legitimate interactions is distributed at the network edge. If a user is willing to pay for the additional resources to raise the contracted quality when the network is stressed, then the traffic probably isn't a denial of service attack, as the costs don't scale.
These attacks are exploiting economic arbitrage opportunities of mispriced resources. A solution to DDoS attacks will come from a wider re-thinking of the economic model for the Internet. We need one that favours price signals and market feedback over "net neutrality" style rationing and government diktat.
People demand a better living environment as they get older and richer, and today's Internet is a shanty town next to a festering garbage dump, built from many ramshackle structures. Now it is time to clean up the neighbourhood and modernise our architecture and engineering.
Written by Martin Geddes, Founder, Martin Geddes Consulting Ltd