[discuss] Who is responsible for security
Brian E Carpenter
brian.e.carpenter at gmail.com
Sat Jan 18 00:20:53 UTC 2014
On 18/01/2014 03:37, Eliot Lear wrote:
> Hi Nick,
> On 1/17/14 6:22 AM, Nick Ashton-Hart wrote:
>> Security in its various guises is THE policy subject with respect to
>> the Internet.
That's a statement of opinion but I'm not sure it's a fact.
> Therefore, it cannot be divorced from IG
I didn't say that. What I intended to say, at least, is that most
aspects of IT security are not issues of Internet security; they are
issues of security in the boxes at the edge. Of course there are
some issues of security in the network and in services provided
by the network. Some of those security issues have a governance aspect.
What is problematic and leads to fuzzy thinking is stating or
implying that all the security issues faced by IT users who happen
to use the Internet are Internet security issues and therefore
Internet governance issues.
>> and if you try
>> policymakers will write you (you in this instance being whatever part
>> of the Internet policy community tries to suggest it isn't an IG
>> issue) out of the equation.
> And this is why we have such things as the Council Of Europe's
> Convention on Cybercrime (the Budapest Convention). Now, cybercrime !=
> cybersecurity, but it is an example of something where accession or
> congruence has been shown to correlate to reduced cybercrime. To
> Brian's point, however, what we see from many governments and some
> institutions is a classic form of over-reaching: they pick their
> favorite complaint of the day, don't bother to bring their concerns to
> those who are responsible for attempting to correct the problem, and
> just argue, “there ought to be a law”.
> This, by the way, is
> precisely what happened at WCIT with Spam.[8,9] There was a convergence
> of interests- some of those who *perhaps* legitimately feel the problems
> of spam and those who simply wanted to make inroads to Internet
> Governance. The result was, ironically, what Brian was aiming for, a
> specific remedy to a specific problem (careful with those bullets,
> Brian- you only have two feet).
Depends how fast I can dance ;-)
> Thank *goodness* ISOC is now on the scene on this issue, because at
> least one problem was a lack of understanding as to both capabilities
> and limitations of governments in these circumstances. For those of you
> who don't know her, Karen Mulberry has been crisscrossing the earth,
> trying to help governments who are concerned about Spam.
> But no matter what ISOC does they can never address those who want to
> change the power structure on the Internet through technical arguments,
> as for some Internet Governance is just that big dangling apple they
> have to have, either for job security, increased political clout, or to
> legitimize control of dissent in their own countries. If you think what
> the NSA did was bad, there could be, and there has been, lots worse.
>> There seems to be a strain of thought that issues of technical
>> governance / management can be divorced from the broader issues
>> driving Internet policy. This is just not true, nor has it been for
>> some time.
>> Inline responses
>> Roland Perry <roland at internetpolicyagency.com> wrote:
>>> In message <52D82E2D.2080806 at gmail.com>, at 08:08:29 on Fri, 17 Jan
>>> 2014, Brian E Carpenter <brian.e.carpenter at gmail.com> writes
>>>> Since most of the security exposures popularly blamed on the
>>>> Internet are actually due to weaknesses in the end systems, it's
>>>> especially important to remove most of this problem from the
>>>> Ig rubric.
>> This is simply not the case, or we wouldn't be talking about mass
>> surveillance in the way that we are. This conception, with respect,
>> became obsolete on week 1 of the Snowden disclosures.
> This brings to mind another great quote: “Everybody complains about the
> weather, but nobody /does/ anything about it.” Realistically this is
> not something that any intergovernmental body is going to solve. There
> are hard engineering and economics problems that will limit our
> ability to address the threat of such activities. We have, at least
> within the context of the IETF, bucketed pervasive surveillance. It is
> likely we will, as engineers, decide which problems are tractable and
> which ones aren't. Traffic and timing analysis attacks are extremely
> difficult to address, for instance. We must be careful when
> legislatures attempt to set the value of pi.
> This having been said, with all due concern toward the Snowden
> revelations, we oughtn't take our eyes off the ball with regard to
> cybersecurity. Whatever you think of states monitoring communications,
> there is a day to day cost to cybercrime that can be measured, albeit
> with difficulty. I grow concerned that in our zeal for catharsis
> over the NSA we will bite our noses to spite our faces, and the true
> losers will be children.[6,7] (Do note in  the link to catching such
> people based on the way they type and in  how takedowns for COP are
> the least economically motivated).
> And that's where I think Brian's got it right- specific remedies for
> specific concerns. Let's just hope that the Internet technical
> community can be a meaningful part of the dialog to help some
> governments not make the same mistakes they made during WCIT.
> ps: all of these comments are my own and may or may not represent the
> views of anyone else.
>  http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm
>  http://weis09.infosecon.net/files/153/index.html
>  http://www.toonopedia.com/bealaw.htm
>  http://en.wikipedia.org/wiki/Charles_Dudley_Warner
>  http://weis2012.econinfosec.org/papers/Anderson_WEIS2012.pdf
>  http://www.cl.cam.ac.uk/~rnc1/takedown.pdf
>  http://www.ipv.sx/wcit/
>  http://www.itu.int/en/wcit-12/Documents/final-acts-wcit-12.pdf
>  http://en.wikipedia.org/wiki/Indiana_Pi_Bill
>  http://www.internetsociety.org/what-we-do/policy/combating-spam-project