GFCE Triple-I Workshop @APRICOT2019, Daejeon, South Korea: Improve Justified Trust in the Internet, together
Triple-I (the Internet Infrastructure Initiative) is a GFCE Initiative with the objective to enhance justified trust in Internet and email through open internet security standards and sharing good practices on a global level. Triple-I aims to organize capacity building workshops in different regions with the support of the GFCE community, as well as members of the global “technical community”. The Initiative is to facilitate awareness raising and capacity building in the region, thus setting local priorities and stimulating local action.
On Saturday 23 February, APRICOT hosted the GFCE Triple-I Internet Infrastructure Security Day. The Dutch Ministry of Economic Affairs and Climate, as a member of the Global Forum on Cyber Expertise, coordinated this initiative to look for ways forward towards more trusted use of Internet and email in the region. Participants in this workshop were global experts and regional Internet stakeholder groups, including government, business and the technical community, who all contributed to finding solutions to strengthen an open end-to-end Internet. This is the fourth in a series of workshops organized globally, after Dakar, Senegal (hosted by the African Internet Summit), Almaty, Kazakhstan (hosted by RIPE NCC), and New Delhi, India (hosted by INSIG and the Indian Ministry of Electronics and IT).
Improving justified trust in the Internet
The workshop was opened by Kuo Wei Wu. He warned of the danger of fragmentation of the Internet as an “unintended consequence” of efforts by governments to create and manage separate root servers with the aim of ensuring that the Internet will continue to work nationally, even when the Internet root is under attack. The focus of the meeting was on what can be done in the South-East Asian region to improve justified trust in the Internet. Maarten Botterman pointed out that the advancement of digital maturity in the region varies, and that collaboration between countries that are more advanced and those that have yet to catch up is in the interest of both, as has been recognized by the GFCE initiators.
During the first block we focused on Open Internet standards that could already be applied today. Aftab Siddiqui (Internet Society) talked about the use and usefulness of Open Internet Standards such as DNSSEC, TLS, DANE, DMARC, DKIM and SPF, and Jordi Palet (The IPv6 Company) about the progress and application of IPv6. Application of IPv6 in South-East Asia is still very low, whereas application of IPv6 is eventually inevitable. DNSSEC, TLS and DANE are important in ensuring integrity of routing and of the data exchange itself. With regard to DNSSEC, today's challenges range from the computational overhead to the complexity of application, which is not a problem for specialists but is currently a severe burden for regular ISPs. DMARC, DKIM and SPF are standards that help prevent email from being easily abused to confuse people through spoofing etc. There are examples of cyber extortion that could easily have been prevented had those standards been taken into use. While the new generation of users often prefers direct messaging to email, better measures to enhance justified trust in the integrity of email and its routing continue to be important. All in the room were invited to participate and ask questions or contribute where useful.
A very good tool to measure the use of these standards by websites and mail servers is the website www.internet.nl. On this website, it is possible to enter any website or email address to check whether it is up-to-date in its use of these open standards. As the source code will be made available to regional initiatives, adopting this and setting up a regional website seems well worth considering.
Inspiration from Good Practices
The second block is the space where inspirational practices and useful ways forward are shared. Ram Mohan spoke on infrastructure stability and DNS abuse, and the need to address this adequately in order to avoid erosion of trust. Examples of abuse include threats such as phishing, spam, malware, cryptojacking and ransomware. The biggest increases in 2018 and 2019 have been in (s)extortion, especially in the AP region. He argued that providing consistent and deliberate attention to abuse is key, and that just using blocklists is not enough. Modern data mining and data analysis techniques need to come into play, as a failure to remove abuse from both IP address ranges and domain names will otherwise significantly erode trust, which is the single largest factor that threatens interoperability in the end-to-end Internet as we know it.
Dr Jeong-Min Lee from KISA spoke on “Initiatives from Korea to lessen the cybersecurity divide in developing countries.” In order to enhance the resilience against attacks in the region, the Korean CERT provides programs that can be divided into three categories: education, assessment and networking. The target participants are from the OECD DAC list of ODA recipients (see http://www.oecd.org/dac/stats/daclist.htm). Lessons learned so far are that there is a need for more frequent contact, thus developing a firm communication and sharing channel, and a need to build up a list of success stories to enhance trust.
Taiji Kimura (JPNIC) then presented on RPKI. He gave the example of myetherwallet.com, where a mis-originated BGP prefix was used to redirect users to a phishing site. RPKI would have prevented this, and this can be strengthened by adopting Route Origination Authorization (ROA). ROAs can be compared against BGP routes to find mis-originated routes. Origin validation is done using a ROA validating server and a BGP router and does not require end-user intervention; it is also increasingly being deployed (see https://rpki-monitor.antd.nist.gov/).
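The origin-validation check described above, as an added example (not from the workshop or the presenter's material): it classifies BGP announcements against a set of ROAs as valid, invalid or not-found, following the RFC 6811 procedure. The ROA table and the announcements are constructed from documentation prefixes and AS numbers, and the function names are hypothetical.

```python
import ipaddress

# Constructed ROA table (documentation prefixes/ASNs, not real routing data):
# (authorized prefix, maxLength, authorized origin AS)
ROAS = [
    ("192.0.2.0/24", 24, 64496),
    ("2001:db8::/32", 48, 64497),
]

def validate_origin(prefix, origin_as, roas=ROAS):
    """Return 'valid', 'invalid' or 'not-found' for one announcement."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_as in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        # A ROA covers the route if the route lies inside the ROA prefix.
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # Match needs the same origin AS and a length within maxLength.
        # AS 0 in a ROA never matches any announcement.
        if roa_as != 0 and roa_as == origin_as and route.prefixlen <= max_len:
            return "valid"
    # Covered by at least one ROA but matched by none: mis-originated
    # or more specific than the holder authorized.
    return "invalid" if covered else "not-found"

def find_misoriginated(announcements, roas=ROAS):
    """Filter (prefix, origin_as) pairs down to those that are invalid."""
    return [a for a in announcements if validate_origin(*a, roas) == "invalid"]

# Constructed announcements as a router might receive them.
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),       # authorized origin
    ("192.0.2.0/24", 64511),       # wrong origin AS
    ("192.0.2.128/25", 64496),     # right AS, longer than maxLength
    ("2001:db8:1::/48", 64497),    # within maxLength 48
    ("203.0.113.0/24", 64500),     # no covering ROA
]

if __name__ == "__main__":
    for prefix, asn in ANNOUNCEMENTS:
        print(f"{prefix:18} AS{asn}: {validate_origin(prefix, asn)}")
```

A router applying this result would typically reject or de-prefer invalid routes, while not-found routes remain accepted until the prefix holder publishes a ROA.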
Cristian Hesselman, director of SIDN Labs (the research team of the .NL operator) and SSAC Member, explained the concept of a national DDOS clearing house, which facilitates a proactive and collaborative DDoS mitigation strategy. It revolves around providers of critical services (e.g., ISPs, banks, government agencies, and hosting providers) in the Netherlands continually collecting information on potential and active DDoS sources and automatically sharing this information with each other through the clearing house. This strategy may provide true inspiration for initiatives in other countries and regions.
The Internet of Things (IoT) comes with opportunities for citizens as well as the digital economy. This includes applications in the home as well as in infrastructures, factories, vehicles and in nature itself. Maarten Botterman pointed at the fact that many internet-connected devices, and in particular those sold to, often lack basic cyber security provisions, which is an increasing concern for citizens and governments. There are basically two risks: (1) vulnerability of individual devices themselves to tampering; and (2) the increasing threat to wider society of large scale DDOS attacks launched from large volumes of insecure IoT devices. How to reduce those risks is a high interest topic in many countries and regions. Tackling this requires manufacturers, suppliers and users all to play a role in ensuring adequate security in devices, and in systems consisting of multiple IoT devices working together to deliver specific services. How to make this apply to your region is a key concern that now has high political and increasing public interest around the world: there is much to be learned from best practice frameworks and experiences elsewhere.
Market place for actions to improve trust
After this fruitful session, participants were inspired and explored the three possible actions that were the results of the day so far, and a possible answer to the question raised: “What to do, together, to improve justified trust in using the Internet and email in the region”.
The following topics came up during the day as possible actions to pick up specifically in the region, at this point in time, in order to progress trust in the use of Internet and email in the region:
(1) Awareness raising on key global Internet Standards is a first step to deeper adoption of those, and that will help make the Internet in the region more trustworthy. As too few people are aware of this, ISPs do not see it as a business priority for investing. However, this is likely to change if abuse continues to grow, and if some service providers in the region start offering more secure services. So awareness raising needs to take place on all fronts: consumers, politicians, business decision makers and service providers. When moving forward on this, the website internet.nl can be very useful, and it may be possible to set up local applications of the code that will be shared under an Open Software license.
(2) DDOS mitigation through collaboration: dealing with DDOS attacks is key to being able to rely on infrastructures and services, even more so for critical applications and infrastructures than for others. Whereas many companies and governments recognize this already today and are building mitigation systems to reduce the risk, the big opportunity seems to be in working together, and sharing both DDOS attack sinking facilities and information about attacks, as soon as they are recognized. Such initiatives would benefit from both local and global collaboration.
(3) IoT security is a global issue, and its consequences stretch across borders. For these devices to be trusted and used properly, users need to be educated early on what IoT devices are as well as on the risks and opportunities IoT devices present. Manufacturers need to ensure that IoT devices are secure by design from the beginning, following broadly recognized Principles and Guidelines on IoT design such as the OTA IoT Trust Framework Guidelines, and the recently published ETSI guidelines.
Many of the good practices presented on subjects like Open Standards adoption, joint DDOS mitigation, further IDN introduction accompanied by increasing Universal Acceptance, and IoT security were confirmed to be important by the well-informed group of participants in this workshop during APRICOT2019. A lot of emphasis is on awareness raising, within the industry, among politicians, and among the larger public, as this is a crucial engine for change. And this comes hand in hand with (intra- and cross-sectoral) collaboration, as many of the challenges faced are the same.
This was the fourth in a series of Triple-I Workshops that will be organised in different regions globally. Big thanks to all contributors to this workshop: co-organisers, presenters and participants, and specifically the APRICOT Secretariat, APNIC, and Internet Society. The results and outcomes are shared on the Triple-I event website. More events like this workshop will take place this year and are currently being developed, and material will be generated that will allow local organizers to organize their own workshop. For the full report and more information on Triple-I, please visit the GFCE website. Organisations that want to get involved can contact the GFCE Triple-I facilitator Maarten Botterman at: firstname.lastname@example.org.