RES: [governance] Cybersecurity: Speech Given at the Embassy of the Kingdom of the Netherlands in Washington D.C

[Vanda UOL]

Thank you Robert! I will share with colleagues here. 

 

De: governance-request at lists.igcaucus.org [mailto:governance-request at lists.igcaucus.org] Em nome de Robert Guerra
Enviada em: quarta-feira, 22 de fevereiro de 2012 19:58
Para: governance at lists.igcaucus.org
Assunto: [governance] Cybersecurity: Speech Given at the Embassy of the Kingdom of the Netherlands in Washington D.C

 

Wanted to share with the list the great comments given by Sally Wentworth at a Cybersecurity reception at the Dutch Embassy in Washington, DC.

 

Regards

 

Robert

---

 

http://internetsociety.org/cybersecurity-speech-given-embassy-kingdom-netherlands-washington-dc






Cybersecurity: Speech Given at the Embassy of the Kingdom of the Netherlands in Washington D.C


Event Speaker: 

Sally Shipman Wentworth

 

Thanks Martijn for that introduction, and thanks to Ambassador Jones-Bos and to the Netherlands Office for Science and Technology for inviting me to speak.

Good evening. Since so many of you have spent today talking about how you might collaborate on cybersecurity, and about specific technical projects you may be working on, I thought I'd take a step back and provide a perspective on why cybersecurity is such a huge issue, why the stakes are so high and the answers so difficult.

Today, more than two billion people around the world are online. That's two billion people who are relying on the Internet to be a trusted place to get and share information. Some subset of those two billion are using the Internet to buy real or digital goods, collaborate with business partners, and handle the tasks of everyday life, like paying their bills.

Yet many people still worry about the security of their online transactions and whether their privacy is being protected. The endless stream of news stories about cyber attacks contributes to these concerns.

Tonight, I'll lay out pieces of the cybersecurity puzzle, and put them in context of the Internet's fundamental principles. I'll end by offering a framework for policymaking that I believe will be useful in preserving those principles.

I'll start with a basic question. What is cybersecurity?

If you ask a friend or neighbor, you'll get one answer—maybe having to do with concerns over their credit card data being stolen or having gone too far in a Facebook posting that could be read by a prospective employer. If you ask parents, they will tell you they worry about what a child might be looking at, or the possibility that the child is the victim of cyber-bullying or on the receiving end of "sext" messages.

This is a view of the end user, but it’s just one perspective.

For businesses, cybersecurity has other implications— companies all need to safeguard customer information, protect commercial data, or prevent intrusions and damage to their corporate networks. Yet the business perspective of cybersecurity is far from uniform; companies vary widely in their specific needs, expectations, and sophistication. A small business may not be concerned about the same things that General Electric is concerned about, and the auto industry may not have the same cybersecurity requirements as a health care provider that relies on e-health records.

And then there is the government perspective, which has to take into account the concerns of citizens and businesses while also dealing with any national security threats that an Internet attack might pose. With many government services and national physical infrastructures increasingly tied to the Internet, the disruptive potential of a cyber attack is significant. The Minister reminded us of this, this morning, with his recounting of the details of last summer's Diginotar crisis in the Netherlands.

Governments' approaches to cybersecurity, like industries, aren't always the same. Among other things, they vary with the country's geographic location and economic development.  

For example there are differences between developed and developing countries in how they address cybersecurity. Those of us who live in developed countries have gotten used to inexpensive bandwidth and relatively easy access to security software. Doesn't mean we always take advantage of it, but it's there.

In many developing nations, unlimited access for a set fee isn't a given. Users often pay more as their use goes up, so things like spam imposes costs on people who can least afford it. Neither, in some cases, can they afford to download regular antivirus updates. In places where electricity is unreliable, an attempt to download new software can turn into a costly failure if the power shuts off.

There are other important differences in emerging economies.  People access the Internet through wireless services, and Internet users in these countries are much more likely to get on the Internet at a cybercafé or community access points like libraries.  These modes of access are extremely important for people who might otherwise never be able to get online.

But these modes of connecting have certain risks. Cybercafes can be especially problematic, because of the possibility that private information will be available to other users who sit down a few minutes later at the same computer. In Uganda, criminals took advantage of this, methodically recording online banking transactions made at cybercafés.

For all of these reasons, a developing country is likely to have a different set of priorities when it comes to the Internet, than a developed nation like the U.S. or the Netherlands. While the U.S. or Netherlands might be most focused on securing advanced computing infrastructure or funding cybersecurity R&D, a developing nation might well be more concerned with developing the technical and policy capacity to deal with online fraud.

Many developing countries lack the basic legislative frameworks to address cybercrime, particularly when the crime may not even originate in their countries.  

Which of these concerns should be the priority when it comes to our cybersecurity efforts and cybersecurity policy in general? For that matter, how do the diverse concerns of government match up against the security needs of citizens and businesses? I'm not sure that anyone can answer that question, and I certainly wouldn't want to have to prioritize among these stakeholders. They all have legitimate interests, and in many cases, the interests, though specific to them, are also intertwined.   

It is the legitimate claims of all of these stakeholder groups that explains why it is so difficult to reach consensus on how to define or address cybersecurity. That doesn’t mean we should throw up our arms in frustration. It just means we have to be smart about how we proceed.

Any framework for tackling cybersecurity needs to work back from an understanding of the different ways in which the Internet is valuable to its different stakeholders. To practically everyone, the Internet has value as a communications tool and as an engine of economic growth. It also has value as an enabler of social and even political change. What are the principles of the Internet, the building blocks, that give it this flexibility and that we should be sure preserve as we try to develop the right cybersecurity policies?

There are some basic characteristics about the Internet that really matter:

The first is the Internet’s global reach and integrity. As an Internet user, I have to feel confident that all of the endpoints are connected--that when I type in  <http://www.rabobank.com/> www.rabobank.com, that’s actually the site I go to, and not somewhere else. It’s a little like the seal on a bottle of Tylenol, which reassures me that there has been no tampering with what’s inside. This integrity is partly a result of a technical specification called DNSSEC, which has been in the news a bit lately because of the impact that the SOPA legislation would have had on DNSSEC. I'll come back to SOPA in a few minutes.

The second core Internet principle is something we at the Internet Society call permission-less innovation.  Said another way, this is the ability of anyone to create a new service on the Internet without having to get approval from a governing body. Without thinking about this too long, any of us could come up with a long list of online services that might not exist if scientists and entrepreneurs needed to vet their ideas with, say, their local phone company, their national government or the United Nations.

If Tim Berners-Lee had to ask for permission, would the World-Wide Web exist? Would the idea of a Web “spider” have been rejected, cutting off the development of Internet search services such as Google? Would Facebook have 850 million users and be headed for an IPO that could value it at $100 billion? How about Wikipedia and Twitter and Web mapping software and downloadable music and hundreds of other things we take for granted in our daily lives?

A third thing we must preserve is the accessibility of the Internet. This goes farther than people’s being able to consume whatever legal content they want; it extends to their ability to contribute content, add a server, or attach a new network, as long as they follow the Internet's technical standards.

And the fourth thing to safeguard is the Internet’s spirit of collaboration. In addressing Internet security issues, we must find a way to get all stakeholders involved, from users, to those of you in the Internet research community, to commercial companies, to policymakers. Solutions developed in isolation either don’t solve the problem or cause more harm than good.  In some cases they can create significant problems that undermine the stability of the Internet.

The last few months have furnished some clear examples of badly designed policy "solutions" that would impact these core Internet principles. Take SOPA, or the Stop Online Piracy
Act, in the United States. SOPA took aim at a legitimate problem of the Internet—the theft of copyrighted material and trafficking in counterfeit goods. In practice, users who tried to access a site considered illegal under SOPA would have been redirected to a U.S. government Web page—perhaps one run by the Department of Homeland Security – or would not have reached any site at all. This policy would have compromised the implementation of the DNS security protocol, DNSSEC that I alluded to before. The policy would require ISPs to essentially hijack legitimate queries from users and redirect them to a site they didn’t ask for.  It would cause people to constantly wonder if the website they were directed to was the same as the one they requested. This would have huge implications for Internet security.

The other thing about SOPA is that it would have forced ISPs to block entire domains.  Since a single domain can house many unrelated sites, this policy would have impacted all sorts of non-infringing sites.  It was, in the end, legislation that would have done far more harm than good, and the Internet community, including my organization and I'm sure many of you here, voiced its disapproval. We were happy when Congress shelved the plan.

Now, we have to turn our attention to the equally controversial ACTA, or anti-counterfeit trade agreement.  ACTA is an international treaty whose basic purpose is to provide an international framework and standards for the enforcement of Intellectual Property online and to address the sale of counterfeiting goods via the Internet.  As we did with SOPA, the Internet Society has gone on record criticizing ACTA, in particular for the secretive way in which this international accord was developed, with only two of the 11 negotiating texts made public.

Like SOPA though, the most effective pushback appears to be happening at a grass-roots level, with protests in many parts of central and Eastern Europe. ACTA would allow countries to block traffic or content and would give them considerable latitude in defining acts of infringement. The ambiguity of the treaty’s language raises the specter of findings of infringement or counterfeiting being used as a pretext for limiting Internet freedom. The protestors have done a good job of making their voices heard: Germany, Poland, Bulgaria, Slovakia, and the Czech Republic have all backed off their pledge to adopt the treaty—at least for now. The Netherlands did the same last week.

It's encouraging to see governments getting the message and reconsidering policies that would undermine the Internet's principles. But it would be unrealistic to expect that all governments are going learn these lessons and stop trying to control this medium.

Five months ago, China, Russia, Tajikistan and Uzbekistan approached the U.N. with a proposal for an International Code of Conduct for Information Security. The proposal included a line about “curbing the dissemination of information" that undermines other countries’ "political, economic and social stability, as well as their spiritual and cultural environments.”

>From the perspective of most of us in this room, that’s obviously too sweeping a guideline; it goes against the grain of the Internet. But it is part of the international context for addressing cybersecurity's challenges. We can't pretend it isn't out there.

Happily, there are goals related to cybersecurity that many countries already agree on.  An Internet security breach, after all, isn’t like a territorial crime, where the consequences are generally limited to the geographic area where it happens. Internet security problems have the potential to spread quickly and widely, something we first learned back in the late 1980s, with the release of the Morris worm that infected 6,000 defense, university and research computers. That was front-page news, at the time.

There have been similar incidents in recent years, some reported and some not, that have caused policymakers everywhere to pay closer attention to network security and look for ways to cooperate across borders.

In particular, many governments are looking to protect vulnerable groups, including children, from online threats and to find ways to empower them to protect themselves. Governments are eager to learn from the best cybersecurity practices of others. And no government should want a cyber criminal who launches an attack from their country to have a safe haven.

Interpol has done some great work in tracking down online criminals. And there are other mechanisms that countries have that reflect their common interests in ensuring the Internet's safety. For instance, there are computer emergency readiness teams—CERT, for short—all over the world, coordinating their countries' efforts and sharing information when there are security incidents. 

Last year, when the White House released a document called the International Strategy for Cyberspace, it talked about the importance of getting international research communities “to take on next-generation challenges to cybersecurity.”

The White House position paper also cited the “immediate and long-term benefit” of helping developing nations shore up their own cybersecurity capabilities.

Cooperation between developing and developed nations is already happening. I was in Trinidad & Tobago last week, meeting with the Caribbean Telecom Union. This is the organization responsible for working with ICT Ministries all over the Caribbean to help them implement Internet-related policies. They have a small staff—four or five people—-highly qualified-and their priority this year is squarely on cybersecurity.

Many Caribbean countries do not have the resources, technical expertise or capacity at the individual government level to forge cybersecurity policy on their own. Yet they don't want technology to pass them by. They want to be a part of the global information economy, but they know that this future depends on their ability to implement some level of cybersecurity. As a result, they are looking for private sector input and advice. They are eager to learn from governments like the U.S. and the Netherlands about what's working and what isn't.  They are reaching out to the technical community for technical solutions. Their approach is practical.

There are numerous other examples of international, multistakeholder cooperation on cybersecurity issues that are taking place within the OECD, APEC, the Internet Governance Forum, and the Organization of American States, just to name a few.

So when I talk about information sharing and international cooperation, it isn't just a fancy construct. It's real; it's happening now.

I'd like to close by discussing, more tactically, what we should be doing about cybersecurity. How should we approach it at a policy level?

First, international cooperation -to the extent possible – is essential. The reason for this is clear. If an attack hits a retail company in London, and the perpetrator is in Sarajevo, the malware may have traversed computers in three or four other countries en route to its destination. That's a situation that requires cross-border cooperation.

Cross-border cooperation is also valuable in situations that aren't as high pressure, for instance in avoiding duplication of effort in the development of security technologies or protocols. The Internet Engineering Task Force is a good example of collaborative technical standards development that is open to participation by any expert from around the world. The discussions that happened earlier today among you are another example of positive cooperation that should serve as a catalyst for further innovation.

Second, any policies we come up with should be based on open technical standards. The Internet wouldn't have had the explosive success it has had if the software that has driven its growth weren't easily adaptable for other purposes on the network. Security solutions that are developed within expert communities—again, the IETF is an example—are more likely to be effective and scalable, and consistent with the Internet's basic principals.  

Third, the policies we come up with should be flexible enough to evolve over time. We know that the technology is going to change—that's a given. The solutions need to be responsive to new challenges. We don't want to develop a policy in 2012 that is outdated in 2013.

Fourth, the policies need to be developed using a multi-stakeholder model. That means that effective policies can't be unilaterally created by government. They can't reflect a back-room deal worked out by industry leaders. They can't just be the brainchildren of engineers. All of these stakeholders must work together.

Within this policy framework, we should not overlook a few critical values, namely basic privacy protections and freedom of speech.

Privacy protection begins with better awareness and understanding by users of how their information will be collected, used and stored by those they interact with online. I consider myself an experienced online user, yet I struggle to understand the legalese in most online privacy agreements and often don't take the time to read them. If we want people to use the medium, they have to trust it.  To trust it they need some basic understandings about what will happen to their personal information and confidence that their expectations will be met.

Freedom of speech is also fundamental to the Internet for reasons that most of us in this room, coming from countries with long traditions of free personal expression, take for granted. People need to be able to share ideas and information and communicate freely; this is what makes the Internet powerful and allows people to innovate. If you institute a cybersecurity policy that disregards freedom of expression, you threaten one of the main things that make the Internet valuable.

The bottom line is that the policies we put in place should not undo the good thing we've got. There's a temptation, in many situations relating to cybersecurity, to be reactive, especially if something has happened that has jeopardized the welfare of a child or compromised financial data, or resulted in major infrastructure damage. We have to remember that it isn't the Internet that does bad things, any more than it is the post office that does bad things or the telecommunications network or transportation system. People sometimes use these mechanisms to do bad things, but it's still people doing them. We shouldn't attack the medium in an effort to deter the crime.

There is one other thing I'd like to add, which is always crucial to the development of good policy. And that is the willingness of those who are developing policy to truly listen to those affected by their decisions.

One of the remarkable things about the Internet is how quickly it allows people to rally around a good idea, or discredit a bad one. Would it be a good idea to develop a cybersecurity technology or policy approach that choked off permission-less innovation? What if cyber policies resulted in an Internet that was carved up along national boundaries?  

We could create those things, but they would leave us with a radically diminished platform, one that far fewer people would want to use. I'm not even sure it would be the Internet.

And that, we must not allow.

Thanks for listening—and for being part of this crucial effort, at such an important time


-Sally Wentworth, Dutch Embassy, Feb. 21 2012

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.igcaucus.org/pipermail/governance/attachments/20120222/a043e367/attachment.htm>
-------------- next part --------------
____________________________________________________________
You received this message as a subscriber on the list:
     governance at lists.igcaucus.org
To be removed from the list, visit:
     http://www.igcaucus.org/unsubscribing

For all other list information and functions, see:
     http://lists.igcaucus.org/info/governance
To edit your profile and to find the IGC's charter, see:
     http://www.igcaucus.org/

Translate this email: http://translate.google.com/translate_t