Posts Tagged ‘patrick jones’
Brief session description:
Thursday, July 26, 2012 – The US House of Representatives has passed four cybersecurity bills, and the US Senate has indicated an intent to consider cybersecurity legislation in the current session. The US Department of State is working with its global partners to develope relationships, collaborative action and norms of behavior for cyberspace. The US Department of Commerce has spearheaded a government initiative on botnets and is working with industry on botnet mitigation measures. The Department of Homeland Security is increasing its cybersecurity staffing for strategic and operational concerns. And the White House is transitioning its team on cybersecurity policy with a second cybersecurity adviser to the president. Stuxnet and Flame attacks have captured international attention. Cybersecurity remains a key theme in discussions in the United Nations, the International Telecommunications Union, the Organization for Economic Cooperation and Development, the Asia-Pacific Economic Cooperation, ICANN and the annual Global Internet Governance Forum. This workshop addressed questions such as: What are businesses, countries, and the technical community doing in this heightened era of cyber security concern? What should they be doing? What are the considerations for individual users here in the U.S. and around the world? How can all these pockets of activity help protect – and not hamper the protection of – the very medium that provides for productivity, communications, efficiencies, innovation, and expression?
Details of the session:
The session was moderated by Audrey Plonk, global security and Internet policy specialist at Intel Corporation. Panelists were:
- Tom Dukes, senior advisor, Office of the Coordinator for Cyber Issues, US Department of State
- Jeff Greene, senior policy counsel, Cyber Security and Identity, Symantec
- Kendall Burman, senior national security fellow, Center for Democracy and Technology
- Patrick Jones, senior director of security, ICANN
Panelists from the government and private sectors gathered at IGF-USA’s cybersecurity workshop to discuss how these entities are collaborating to deal with domestic cybersecurity threats and international cybersecurity issues.
This issue is especially pertinent right now. There have been a number of high-level conferences and meetings in Washington and other locales over the summer of 2012 on this topic, and, as moderator Audrey Plonk, global security and Internet policy specialist for the Intel Corporation, puts it, “Cybersecurity is the new black.”
Jeff Greene, panelist and senior policy counsel of cybersecurity and identity at Symantec, agreed. “At this time three years ago, cybersecurity was something that was mentioned in passing,” he commented. “Now the interest is exponential.”
Symantec’s business is centered on protecting enterprises from cyberthreats. Greene, who until recently worked with the Department of Homeland Security, said that according to this year’s Symantec Internet Security Threat Report, 75 percent of the enterprises Symantec deals with were threatened with a cyber attack in 2011.
He added that while the incidence of spam decreased in 2011, there has been a shift to web-based attacks. Greene also said the government and private sector are working together to reduce such threats.
“It is remarkable how much of the threat dynamic in both sectors is the same,” Greene said. “We see criminal and other malicious activity largely the same as the government does, so this is all work through government, private and international cooperation.”
Panelist Kendall Burman had a different view on government access to private sector and citizen information in terms of cybersecurity. As a senior national security fellow for the Center for Democracy and Technology, she has spent time exploring security and surveillance from the perspective of a member of a group focused on consumer privacy.
“I think that the tricky area from a civil liberties perspective is when the government is in a position of receiving that information, making sure that that information is limited to cybersecurity threats, and what the government can then do then once it receives it,” Burman said.
Panelist Tom Dukes, senior adviser for the Office of the Coordinator for Cyber Issues at the US Department of State, weighed in from a government standpoint on cybersecurity issues, including the important role of the US government in pushing other countries to increase their outreach and share their perspectives on cybersecurity issues.
“Obviously what the US says, the positions we take, are highly influential and they are certainly looked at by a great many other countries,” Dukes said.
“One thing that the US has been trying to do for the last couple years in terms of addressing cyberpolicy issues in general, cybersecurity included, is to try to take sort of a leadership role in helping shape the world debate on how we think about these issues.”
Dukes said that the US has also made progress in terms of leading a global discussion on reaching a consensus about cyber security norms. Greene said that while the U.S. would like to set its own cybersecurity policies, this could cause global problems.
“If everyone has a different set of rules, (global policymaking)’s going to be pretty difficult,” Greene said.
Panelist Patrick Jones, senior director of security for ICANN, shared his view that while US policymaking is important in terms of cybersecurity, politicians should be aware of the effects that any laws they make may have globally.
“It’s helpful for policymakers, when they’re coming up with legislation, that they think of the Internet as global and consider that the decisions they make may have technical impacts that they’re not considering that impact the way people are using the Internet today – give those a thorough understanding before decisions are made about a particular legislation,” Jones said.
One of the final points of discussion during the workshop was the differences between cybersecurity and information security.
In the discussion it was noted that cybersecurity, in the US view on Internet governance, deals primarily with protection from Internet threats. Information security, in the Russian and Chinese view, also includes censoring the civic sector and content from many Western media and knowledge organizations.
Dukes said there are two considerations for openness and freedom of information that convince most leaders in the world to find common ground in the fairly liberal US position on cybersecurity issues.
First is the basic human rights aspect of the argument; many countries accept that people should, whenever possible within the bounds of public safety, have certain rights of free speech, communication and assembly. Most countries agree that this should apply online.
Dukes’ second point is the economic benefit of keeping the Internet as open and free-flowing as possible. “Many evolving world countries are really desperate to find ways that they can harness the power of the Internet to increase economic opportunity, to increase GDP, to increase development and growth,” he said. “Those arguments seem to be very pragmatic, but it’s hard for countries to disagree with that.”
— Mary Kate Brogan
This panel, moderated by Robert Guerra of Freedom House, focused on critical Internet resources and how to ensure that the underlying principles that have led to the Internet’s success persist in the face of security challenges. These principles include openness (open standards, open technologies), accessibility transparency, bottom-up decision-making, cooperation and multi-stakeholder engagement. Key to implementing these principles is also a broadened understanding of the role of the infrastructure providers, such as global and national Internet services/connectivity providers who build and operate the backbones and edge networks. The panel was also expected to address some of the implications for the implementation of DNSSEC and IPv6 on a national basis that contribute to the security and resiliency of CIR on a global basis.
Details of the session:
The Internet’s success well into the future may be largely dependent on how it responds and reacts to increasing security challenges, according to panelists in a critical Internet resources workshop at the IGF-USA conference July 21 in Washington, D.C.
The Internet continues to evolve. It is also growing, as it becomes accessible to billions more people. The major challenge of our generation is to make the Internet more secure while continuing to promote openness, accessibility, transparency, bottom-up decision-making, cooperation and multistakeholder engagement. It is important that organizations continue to retain these values as much as possible as they react to cybersecurity and cybertrust issues.
Panelists at this workshop included:
- Moderator Robert Guerra, Freedom House
- Trent Adams, outreach specialist for the Internet Society
- Matt Larson, vice president of DNS research for VeriSign
- Steve Ryan, counsel to the American Registry for Internet Numbers
- Patrick Jones, senior manager of continuity and risk management for ICANN
- Jeff Brueggeman, vice president for public policy for AT&T
Panelists all expressed a desire to continue to engage in multifaceted talks because a single governmental entity is not the solution; it takes many people working together. As Brueggeman put it, there’s no “silver bullet” for the issue of Internet security.
“What we do on a day-to-day basis is ensure that those conversations take place,” Adams said. “The (critical Internet) resource is not a thing you can touch. You have this mesh of interconnected components that is the critical resource. You can’t pull one of those components out. Everyone must be around that table.”
So what’s the solution? The answer to that question is still a little unclear because Internet service providers and other organizations are often reactive to issues. Brueggeman said it’s time to embrace a forward-thinking approach.
“Things can get complicated when you’re reacting to an attack,” he said. “The best way to deal with these things is to try to think about them up front. How do we detect and prevent rather than react after the fact? How can we have more cooperative information sharing before attacks to try to prevent them and have the best information we can?”
Ryan stressed, though, that not all government is bad. He said citizens and organizations need to think “carefully about what the role of the government is.” But still, there should be a symbiotic relationship.
“There’s become a sense in government policy circles, including in the most sophisticated, that somehow (the Internet) runs on its own and you can’t break it,” he said. “I have news for you: You can break it. We look at government as something that has an increasingly important role because the Internet has an increasingly important role in economies.”
Ryan continued by saying non-governmental organizations have a responsibility to work with governments and to educate the people who work in them. He and the other panelists agreed that an international governmental organization wouldn’t work, though, unless core Internet values are embraced and upheld. They said a set-up that would allow countries around the world to vote on how the Internet is governed would not be a favorable solution.
“Until we get it right,” Ryan said, “I think we’re muddling along rather well.”
DNS issues and DNSSEC
Larson spoke specifically about the security of the Domain Name System because he views the DNS as an absolutely critical Internet resource. “If you don’t have the DNS, you don’t have the Internet,” he noted. He said users can’t truly trust the DNS, though, which is a bit disconcerting because of its necessity.
He supports DNSSEC—Domain Name System Security Extensions—which give users digital signatures (origin authentication) and data integrity. “Once you have that, you can validate data and have a higher level of confidence that the data you’re getting back is valid,” Larson said.
(You can read more about DNSSEC here: http://en.wikipedia.org/wiki/Dnssec.)
He also said that DNSSEC makes DNS more trustworthy and critical to users as more applications—not just host names—depend on it. “We’re going to look back and realize it enabled a whole new class of applications to put information in the DNS,” Larson said. “Now you can trust the information coming out of the DNS.”
Going from IPv4 to a combination with IPv6
Ryan emphasized the importance of Internet Protocol version 6, IPv6, a new Internet layer protocol for packet switching that will allow a “gazillion numbers” vastly expanding the address space online. There is a rapidly decreasing pool of numbers left under IPv4. Ryan said the increased flexibility of IPv6 will allow for the continued growth of the Internet, but it won’t be a free-for-all.
“The numbers we have issued are not property,” he said. “We have a legal theory that’s embodied in every contract we’ve issued. They belong to community. If you’re not using them, you have to give them back. They are in essence an intangible, non-property interest, so over the next couple of years there will be some very interesting legal issues.”
ICANN in action
Jones said ICANN, which recently passed its 10-year milestone, has continued to work collaboratively with the community to take on major initiatives, such as the introduction of internationalized domain names in the root.
“We have taken requests from countries for internationalized country codes and approved 15,” Jones said.
“There’s a huge development in those regions of the world where you can now have domain names and an Internet that reflects their own languages and scripts. That will have an impact as discussion around critical Internet resources continues, especially in the IGF space.”
Physical critical resources
Brueggeman said AT&T has a broader perspective of critical Internet resources because the company is responsible for carrying Web traffic and for the underlying infrastructure, not just involved in issues tied to the DNS. He said the transition to IPv6 is daunting because it’s not backward-compatible. His main challenge has been in outreach efforts to customers.
“We have to deal with a lot of traffic that’s generated as we’re making changes to DNSSEC and IPv6,” he said. “In some cases, you might create some new security concerns, but overall both are important essential transitions.”
Brueggeman emphasized that multistakeholder discussions will be important in the coming years.
“We really need all of the parties who have the direct stake at the table to be part of the solution,” he said. “We need to have the resources handled in a way that promotes openness and promotes interoperability. There’s a huge policy risk of not managing these resources in a multistakeholder way.”
-by Colin Donohue, http://imaginingtheinternet.org