[discuss] Who is responsible for security

Fri Jan 17 14:37:36 UTC 2014

Hi Nick,

On 1/17/14 6:22 AM, Nick Ashton-Hart wrote:
>
> Security in its various guises is THE policy subject with respect to
> the Internet. Therefore, it cannot be divorced from IG and if you try
> policymakers will write you (you in this instance being whatever part
> of the Internet policy community tries to suggest it isn't an IG
> issue) out of the equation.

And this is why we have such things as the Council Of Europe's
Convention on Cybercrime (the Budapest Convention).  Now, cybercrime !=
cybersecurity, but it is an example of something where accession or
congruence has been shown to correlate to reduced cybercrime[2].  To
Brian's point, however, what we see from many governments and some
institutions is a classic form of over-reaching: they pick their
favorite complaint of the day, don't bother to bring their concerns to
those who are responsible for attempting to correct the problem, and
just argue, “there ought to be a law”[3].  This, by the way, is
precisely what happened at WCIT with Spam.[8,9]  There was a convergence
of interests- some of those who *perhaps* legitimately feel the problems
of spam and those who simply wanted to make inroads to Internet
Governance.  The result was, ironically, what Brian was aiming for, a
specific remedy to a specific problem (careful with those bullets,
Brian- you only have two feet).

Thank *goodness* ISOC is now on the scene on this issue, because at
least one problem was a lack of understanding as to both capabilities
and limitations of governments in these circumstances.  For those of you
who don't know her, Karen Mulberry has been crisscrossing the earth,
trying to help governments who are concerned about Spam[11].

But no matter what ISOC does they can never address those who want to
change the power structure on the Internet through technical arguments,
as for some Internet Governance is just that big dangling apple they
have to have, either for job security, increased political clout, or to
legitimize control dissent in their own countries.  If you think what
the NSA was did was bad, there could be, and there has been, lots worse.

>
> There seems to be a strain of thought that issues of technical
> governance / management can be divorced from the broader issues
> driving Internet policy. This is just not true, nor has it been for
> some time.
>
> Inline responses
>
> Roland Perry <roland at internetpolicyagency.com> wrote:
> > In message <52D82E2D.2080806 at gmail.com>, at 08:08:29 on Fri, 17 Jan
> > 2014, Brian E Carpenter <brian.e.carpenter at gmail.com> writes
>
> <snip>
>
> >> Since most of the security exposures popularly blamed on the
> >> Internet are actually due to weaknesses in the end systems, it's
> >> especially important to remove most of this problem from the
> >> Ig rubric.
>
> This is simply not the case, or we wouldn't be taking about mass
> surveillance in the way that we are. This conception, with respect,
> became obsolete on week 1 of the Snowden disclosures.

This brings to mind another great quote: “ Everybody complains about the
weather, but nobody /does/ anything about it.”[4]  Realistically this is
not something that any intergovernmental body is going to solve.  There
are hard engineering and economics problems that will make limit our
ability to address the threat of such activities.  We have, at least
within the context of the IETF, bucketed pervasive surveillance.  It is
likely we will, as engineers, decide which problems are tractable and
which ones aren't.  Traffic and timing analysis attacks are extremely
difficult to address, for instance.  We must be careful when
legislatures attempt to set the value of pi.[10]

This having been said, with all due concern toward the Snowden
revelations, we oughtn't take our eyes off the ball with regard to
cybersecurity.  Whatever you think of states monitoring communications,
there is a day to day cost to cybercrime that can be measured, albeit
with difficulty.[5]  I grow concerned that in our zeal for catharsis
over the NSA we will bite our noses to spite our faces, and the true
losers will be children.[6,7]  (Do note in [6] the link to catching such
people based on the way they type and in [7] how takedowns for COP are
the least economically motivated).

And that's where I think Brian's got it right- specific remedies for
specific concerns.  Let's just hope that the Internet technical
community can be a meaningful part of the dialog to help some
governments not make the same mistakes they made during WCIT.

Eliot
ps: all of these comments are my own and may or may not represent the
views of anyone else.

[1] http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm
[2] http://weis09.infosecon.net/files/153/index.html
[3] http://www.toonopedia.com/bealaw.htm
[4] http://en.wikipedia.org/wiki/Charles_Dudley_Warner
[5] http://weis2012.econinfosec.org/papers/Anderson_WEIS2012.pdf
[6]
http://www.nydailynews.com/news/world/authorities-bust-international-child-cybersex-ring-article-1.1582268
[7] http://www.cl.cam.ac.uk/~rnc1/takedown.pdf
[8] http://www.ipv.sx/wcit/
[9] http://www.itu.int/en/wcit-12/Documents/final-acts-wcit-12.pdf
[10] http://en.wikipedia.org/wiki/Indiana_Pi_Bill
[11] http://www.internetsociety.org/what-we-do/policy/combating-spam-project
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://1net-mail.1net.org/pipermail/discuss/attachments/20140117/519eefc5/attachment.html>