Global coordination of technical responses to Internet challenges (was: Re: [governance] Ad hoc Best Bits strategy meeting tomorrow lunchtime)
John Curran
jcurran at istaff.org
Thu Oct 24 19:05:07 EDT 2013
On Oct 25, 2013, at 2:11 AM, Milton L Mueller <mueller at syr.edu> wrote:
>
> > There are also inherent limits on what can be accomplished based on principles
> > which are basically voluntary in nature. For example, even if there were common,
> > global agreement on social norms regarding unsolicited commercial email, the
> > mechanisms that would be provided from an entirely techno-centric Internet
> > cooperation system would be limited to various voluntary measures of increasing
> > complexity, in the typical "arms race" of increasing subterfuge and improved
> > detection and mitigation. These are not really solutions at all, just a sequence of
> > coping strategies which result in increasing costs and pain for the users.
>
> Not necessarily. Most of the real mitigation of Internet problems occurs in exactly this way.
Milton - In many cases, the mitigation strategies are borderline effective, and it's not
clear that we have solutions that always keep up, nor that we've actually considered
the price and impact that they inflict on end users of the Internet.
For example, Distributed Denial of Service (DDoS) attacks are becoming so large that
the mitigation is becoming near impossible for the largest attacks -
<http://www.infoworld.com/d/networking/ddos-attack-against-spamhaus-was-reportedly-the-largest-in-history-215352?page=0,0>
Now, you might say everything is just fine; it's okay if large portions of the Internet
(innocent third parties) are impacted during these attacks, but note they are effectively
the side effect of cyber-vigilantism mitigation against an organization which is itself a
mitigation effort (i.e. spam blocklists).
Should we wait for an anti-DDoS cyber-vigilantism mitigation effort to arise (who
knows, maybe they'll decide to use routing attacks) to take on those who are using
DDoS attacks (in the process of mitigation against those who run blocklists,
which is only being done for the mitigation of spam)?
How many layers of countermeasures/counterattacks do we need to render the net
effectively unusable? Every one of these measures has unproductive impacts on
innocent parties, and there is no consideration of the cumulative impact as these
half-measures are heaped atop one another.
> This may be a terrible way of approaching problems; it is just that in 95% of the cases it is better than all the alternatives.
Actually, let's go with 98 or 99%, since the downside risks of disproportionate regulation,
unintended consequences, etc. etc. are all very real, and in general, the folks who have the
ability to actually mandate (i.e. governments) generally have a shallow understanding of the
situation and political factors that may unduly influence any outcome.
In fact, this is one of the reasons why actual multi-lateral governmental approaches to nearly
any Internet challenge are (in my personal view) very likely a mistake. Nearly anything which
is _mandated_ from such a high level regarding the deeply technical and pervasive Internet
is almost certainly going to miss many potential ramifications that could result, and it does
not help that such discussions are inherently inter-governmental, with the meaning of outcomes
subject to reinterpretation when brought back to national scope and implementation.
That does not mean that getting multiple parties (governmental, civil society, business,
technical, etc.) to agree that "DDoS attacks are bad" and then collaboratively consider how to
reduce them is necessarily a mistake. In the ideal world, this would result in some form
of coordinated discussion of the problem, various technical solutions, the various societal
and business implications of the solutions, and potentially nothing else due to lack of
consensus. However, if by some miracle consensus were to emerge on a specific technical
measure for a problem that could be applied globally, then that would be very good to know.
It's possible that may be the end of it; some countries may note the specific technical measure
as a best practice for industry to consider for self-improvement, some countries may decide to
engage in further discussions on a national basis about "rulemaking", etc. and some may do
nothing at all. All of this variation is good; different countries and citizens have different ways
of looking at these matters; the important part is that any technical measure to address a given
challenge has been confirmed to interoperate on a global scale if implemented, so that any
deployment that occurs doesn't endanger the interconnected nature of the Internet.
> > Whereas, if there were a common and global agreement on acceptable social norms in
> > this area (hypothetically), and given engagement of all parties (including governments),
> > there likely would be far superior mechanisms available which provide a higher level of
> > assurance and lower costs to users globally.
>
> Your lack of familiarity with the broader field of policy studies may lead you to overstate the potential of collective action involving states, especially at the international level. Would you like to provide an example or two of a successful effort of this sort in a highly technical field?
I'm not certain that getting common agreement that "servers should not be left publicly
open and exploitable" rises to the same level as climate change or global monetary
policy... In fact, most ISPs would agree that there's no reason not to do it right aside
from the minor incremental cost, as it is just additional configuration to set DNS rate
limiting for your DNS servers and BCP38 source filtering on customer connections.
The fact that we understand the problem (and know of the right technical solutions)
doesn't actually do anything to solve the problem, since it's not required for ISPs to have
solid configurations and no business wishes to take on costs on a voluntary good-
samaritan basis if their competitor doesn't do likewise. It doesn't really matter if they
know it is the right thing to do, as it has real costs in a competitive marketplace and the
downside of not doing so is indiscernible locally but adds up globally to a very serious
problem -
<http://news.cnet.com/8301-1009_3-57576947-83/how-the-spamhaus-ddos-attack-could-have-been-prevented/>
Industry is simply not going to adopt such practices, just as businesses are less likely to
adopt voluntary fire safety measures. The Internet means that every server is "next door"
to every other one, and that means that we need global agreement on the norms (and the
actual interoperable technical mechanisms) if we want to actually prevent conflagrations
when it comes to distributed denial of service attacks. The private sector isn't particularly
excited about this, and in fact, some of them even make good money off the ever increasing
capabilities of products and services in the industries which have been enabled as a result
of simple misconfiguration repeated globally...
The fact that uninvolved users are often caught in the middle of these attacks is actually
good news - it creates more headlines and helps sell more products. I imagine that the
building construction industry would be equally happy to dispense with fire codes; not only
does it reduce their costs, it creates even more business rebuilding the buildings that burn
down. The equivalent to what we have in the Internet security industry would be no building
codes, and a robust market in _personal_ fire extinguishers - "Been caught in a burning
building this year? It's becoming a fact of life, so carry your own personal extinguisher to
help you get out! Here are some articles about last month's victims - don't get caught without
your own personal protection!" ;-)
FYI,
/John
Disclaimers: My views alone. (and apologies for length, I lacked the time to make it shorter...)
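The two configuration measures John names above (BCP38 source filtering on customer links and DNS response rate limiting) are modelled here in a small added example that is not part of the original message; the customer prefixes, the victim address and the query flood are all constructed, and the limiter is a simplified fixed-window stand-in for real RRL.

```python
"""Toy model of BCP38 ingress filtering and DNS response rate limiting,
showing how each one on its own blunts a spoofed-source amplification flood."""
import ipaddress
from collections import defaultdict
from typing import List, Optional, Tuple

# Illustrative customer prefix assignments (constructed, not real allocations).
CUSTOMER_PREFIXES = {
    "cust-a": [ipaddress.ip_network("192.0.2.0/24")],
    "cust-b": [ipaddress.ip_network("198.51.100.0/25")],
}


def bcp38_permits(link: str, src: str) -> bool:
    """BCP38: a packet entering on a customer link is forwarded only if its
    source address falls inside a prefix assigned to that customer."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in CUSTOMER_PREFIXES.get(link, []))


class ResponseRateLimiter:
    """Per-source fixed-window limiter in the spirit of DNS RRL: at most
    `per_second` responses to one apparent client in each one-second window."""

    def __init__(self, per_second: int):
        self.per_second = per_second
        self.counts = defaultdict(int)

    def allow(self, client: str, now: float) -> bool:
        key = (client, int(now))
        if self.counts[key] >= self.per_second:
            return False  # window budget for this source is exhausted
        self.counts[key] += 1
        return True


def simulate(packets: List[Tuple[str, str, float]], ingress_filter: bool,
             rrl: Optional[ResponseRateLimiter]) -> int:
    """Return how many queries, each given as (link, src, time), would be
    answered by an open resolver behind the ISP under the chosen controls."""
    delivered = 0
    for link, src, t in packets:
        if ingress_filter and not bcp38_permits(link, src):
            continue  # spoofed source never leaves the customer edge
        if rrl is not None and not rrl.allow(src, t):
            continue  # resolver declines to amplify further toward this source
        delivered += 1
    return delivered


# Constructed flood: cust-a sends 1000 queries in one second, all with the
# victim's address forged as the source so replies land on the victim.
VICTIM = "203.0.113.9"
FLOOD = [("cust-a", VICTIM, i / 1000) for i in range(1000)]
```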