Shaping the Internet's Future

Internet Society and UNESCO Offer a Capacity Building Program for Judges

Trust is vital to the future of the Internet. The best way to build it is to let a diverse group of people and interested organizations contribute their experience and knowledge. For this reason, the Internet Society and the UNESCO Regional Office have developed a capacity-building program for judges, prosecutors, public defenders, and other judicial operators in Latin America and the Caribbean.

This program shares our vision for an open, globally-connected, trustworthy, and secure Internet for everyone. We allied with UNESCO to incorporate a plan related to freedom of expression, privacy, encryption, and access to public information. In this way the program responds to the needs of judicial operators facing real cases related to the use of the Internet.

For Raquel Gatto, Senior Policy Advisor of the Internet Society, the program represents an unprecedented opportunity: “The technical foundations of the Internet show us that collaboration is a fundamental factor for the functioning of the network. The Internet is a network of networks that trust each other, allowing interconnection. The Internet can not exist without such collaboration”.

Guilherme Canela, Regional Councilor for Communication and Information of UNESCO, says, “For 5 years, UNESCO, in cooperation with the Special Rapporteur for Freedom of Expression of the Inter-American Human Rights System, and many other international partners, has developed the Judges Initiative, which seeks to deepen the dialogue with Ibero-American judicial operators on Freedom of Expression, Access to Information and Security for Journalists. In this framework, more than 8,000 judges, prosecutors, public defenders, and other judicial operators have already gone through the training offered by the initiative. In the interaction with these operators, their interest in deepening knowledge about the broad Internet agenda is clear. That is why we are proud of this cooperation with the Internet Society, which will offer this opportunity for additional training for those who have already gone through the basic modules of the Judges Initiative”.

The program will be divided into two phases and will have a capacity for 1,000 people. During the first phase, participants will have access to topics related to the technical and policy principles of the Internet ecosystem, the foundations of the Internet Governance system, and the actors involved in the community. Participants who successfully complete the first phase of the program will access a second phase, consisting of a series of discussions led by experts on current issues of the Internet ecosystem, including privacy, freedom of expression, and encryption on the Internet.

Interested applicants can request registration through a simple form. The registration period is open from 21 March to 12 April. Those selected will receive a notification on 16 April to start the first phase of the course on 22 April.

The Internet is a network of networks that interact with each other on a voluntary basis. Collaboration is part of the fundamental architecture of the Internet, which is why we promote this approach for security and trust. Together, as a community, we can contribute to trust in the ecosystem and continue working for an open, globally-connected, trustworthy, and secure Internet for everyone.

Read about the collaborative security approach to tackling Internet issues.


Collaborative Governance Leaders, Canada, and Senegal Exchange Notes on IoT Security Frameworks

Partners from Canada and Senegal are meeting in Ottawa, Canada, on 18-19 July for a comparative learning exchange on developing robust Internet of Things (IoT) security frameworks. The Senegalese delegation visiting Ottawa is composed of representatives from the Ministry of Communication, Telecommunication, Posts and Digital Economy, the Authority for Telecommunications and Postal Regulations, and the ISOC Senegal Chapter. They are also accompanied by Internet Society directors for North America and Africa.

The two countries are strong supporters of the collaborative governance or multistakeholder model in addressing problems they encounter as Internet technology develops. Both countries have already begun adopting the model for domestic policy development focusing on IoT security. The learning exchange is part of the Internet Society-supported Internet Governance campaign activity for both countries and will explore issues of mutual interest, connect stakeholders, and exchange notes on the process.

In Canada, the Internet Society partnered with Innovation, Science and Economic Development, the Canadian Internet Registration Authority, CANARIE, and CIPPIC to convene stakeholders to develop recommendations for a set of norms/policy to secure the Internet of Things. The partners have agreed to focus on two specific thematic areas: consumer protection and network resilience. In Senegal, the Internet Society partnered with the ISOC Senegal Chapter, the Ministry of Telecommunications and Digital Economy, and the Senegalese Commission for Data Protection to explore the same.

Canada and Senegal are amongst the countries that are leading in demonstrating the collaborative, multistakeholder model of Internet governance. These countries are showing leadership both in the region and globally in embracing the multistakeholder (MS) model to address pertinent Internet-related issues and are effectively demonstrating commitment to tackling emerging issues related to technology. These two case studies may provide a powerful benchmark for using the MS model in addressing critical Internet issues in both the developed and developing world.

The focus subject matter, IoT, is an evolving area that is changing rapidly and organically. New capabilities are being added and new security weaknesses are being discovered almost every day. Understanding the growing impact that IoT security has on the Internet and its users is critical for safeguarding the future of the Internet. IoT manufacturers, IoT service providers, users, standards developing organizations (SDOs), policymakers, and regulators will all need to take action to protect against threats to Internet infrastructure, such as IoT-based DDoS attacks.

Do you know the risks of what you’re buying? Get IoT smart!


The Cybersecurity Tech Accord Fits Squarely in the Collaborative Security Approach

Last week at RSA, more than 30 global companies came together to sign the Cybersecurity Tech Accord “to protect and empower civilians online and to improve the security, stability and resilience of cyberspace.” It is an example of collaboration, which demonstrates the commitment and focus of the signatory companies to take action in order to tackle the significant security threats we are currently facing. It is this type of collective action we have promoted as part of our collaborative security

The Tech Accord is a positive step by large corporations across the globe involved in security to come together in the name of collaboration and make security commitments that resonate with the demands of Internet users everywhere. Per the Accord’s website, there are four main tenets of the Tech Accord:

  • Stronger defense
    The companies will mount a stronger defense against cyberattacks. As part of this, recognizing that everyone deserves protection, the companies pledged to protect all customers globally regardless of the motivation for attacks online.
  • No offense
    The companies will not help governments launch cyberattacks against innocent citizens and enterprises, and will protect against tampering or exploitation of their products and services through every stage of technology development, design and distribution.
  • Capacity building
    The companies will do more to empower developers and the people and businesses that use their technology, helping them improve their capacity for protecting themselves. This may include joint work on new security practices and new features the companies can deploy in their individual products and services.
  • Collective action
    The companies will build on existing relationships and together establish new formal and informal partnerships with industry, civil society and security researchers to improve technical collaboration, coordinate vulnerability disclosures, share threats and minimize the potential for malicious code to be introduced into cyberspace.

We support these principles!

This is all movement in the right direction: Norms and principles are being developed to tackle the issues that cause diminishing trust in the Internet. Many of them fall in line with our own Key Issues of 2018 in the Internet of Things, Routing Security, and Internet Governance. This collaborative security approach has already manifested itself in multiple ways:

  • The MANRS initiative, to bring together network operators and IXPs to provide crucial fixes to reduce the most common routing threats that can lead to things like DoS attacks and traffic inspection.
  • The to establish internationally agreed ‘rules of the road’ for behavior in cyberspace, and create a more focused and inclusive dialogue between all those with a stake in the Internet (governments, civil society and industry) on how to implement them.
  • The GFCE, a global platform for countries, international organizations and private companies to exchange best practices and expertise on cyber capacity building.
  • The call to protect the public core of the Internet comes from this diverse set of experts and stakeholders.
  • The Canadian IoT Security Project, to create a set of norms and/or policies to secure IoT in Canada.
  • The Internet Infrastructure Security Guidelines for Africa, to emphasize the importance of a collaborative security approach.
  • And so many more, as outlined on our Collaborative Security pages.

We believe more entities should adhere to the principles laid out in the Cybersecurity Tech Accord. However, in moving forward it becomes crucial that these principles are implemented in actions. Creating momentum involves engagement with more actors and key players who have a vested interest in expanding and implementing those principles and working across the globe, across industries, and across communities to make real change. In order for this to happen though, it is paramount that the process becomes more transparent and multistakeholder to ensure as many organizations as possible are engaged.

Take these principles with you, incorporate them into your organizational cyber defense strategy and let’s all strive for better security together.

Learn more about Collaborative Security and how you can contribute to a trusted Internet.


Kathy Brown’s Op-Ed in the Hill Times: Canada’s Unique Opportunity to Lead the Future of the Internet

Kathy Brown, CEO of the Internet Society, recently penned an Op-Ed for Canada’s the Hill Times calling for a multistakeholder approach to Internet governance: “an approach that is collaborative, one that engages the entire Internet community.” According to Brown, “The time has come to expand this inclusive model of governance to more places around the world.”

“No one party, government, corporation, or non-profit controls the Internet and we are all better for it. Nor does any one party have the knowledge or the ability to identify the solutions to these complex policy challenges. It has been this approach—what we call the multistakeholder model—that has allowed humankind’s most advanced and powerful communications tool to spread so far and so fast.”

She cites the partnership between the Internet Society, Innovation, Science and Economic Development, the Canadian Internet Registration Authority, CANARIE, and CIPPIC as an example of the multistakeholder approach working successfully. “[Canada] is addressing cybersecurity head-on by working with the Internet Society to engage the Canadian Internet community in a process to develop recommendations to secure the Internet of Things.”

Read the entire Op-Ed, then learn how you can participate in the Collaborative Governance Project, which aims to expand global knowledge and use of collaborative governance processes to solve problems and develop norms. You can also register for the April 4th meeting in Ottawa, “Canadian Multistakeholder Process: Enhancing IoT Security,” which is the first in a year-long process to develop recommendations to secure IoT in Canada.


Meltdown and Spectre: Why We Need Vigilance, Upgradeability, and Collaborative Security

Today the tech media is focused on the announcement of two security vulnerabilities, nicknamed Meltdown and Spectre, that are found in almost all CPUs used in modern devices. Mobile phones, laptops, desktop computers, cloud services, and Internet of Things (IoT) devices are all vulnerable.

There are many articles being published on this topic. The best source of information I’ve found is this site by the security researchers at the Graz University of Technology:

At the bottom of that page are links to the security blog posts, advisories, and other statements from companies and organizations across the industry. In an excellent example of the principles of Collaborative Security, the announcement was coordinated with the release of patches and updates for a wide range of operating systems and devices.

For readers wanting a deeper technical dive, the site from Graz University has links to multiple academic papers. Google’s Project Zero team also published a detailed technical analysis.

From our perspective, today’s news highlights a couple of points:

  • Keeping up to date on patches is critical. We each need to ensure that we upgrade our own systems and devices. If we work for organizations/companies, we need to ensure that processes are in place for patches to be applied rapidly. Vigilance is critical.
  • “Upgradeability” is necessary. We’ve mentioned this particularly in the IoT context, but devices need to be able to be upgraded. They can’t just be distributed or sold to people without some mechanism for updates. We see approaches such as the Online Trust Alliance IoT Framework as critical to help on this issue.
  • Independent security research is essential. These vulnerabilities were discovered by different groups of researchers at companies, security firms, and universities. If we didn’t have people doing this research for the benefit of all of us, we would be open to attacks by those who might find these vulnerabilities and exploit them for malicious purposes.
  • Collaborative security is the key. Sharing this research – and coordinating activity across the industry – is critical to ensuring a secure and trusted Internet. We need the kind of collaboration shown today to be the norm across the industry.

The key point right now for everyone reading this is simply this: get out there and patch your systems! Don’t delay installing the latest security updates for your computers, mobile phones and other devices.

Each of us plays a critical role in ensuring the security of an open, global and trusted Internet!


There is No Perimeter in IoT Security

The Internet of Things (IoT) is not just a device connected to the Internet – it is a complex, rapidly evolving system. To understand the implications, analyse risks, and come up with effective security solutions we need to look ahead and take into account other components, such as Big Data and Artificial Intelligence (AI).

On Thursday, 8 June, at 1:30PM CEST, I am participating in a panel discussion called “Emerging Threats and Paradigm Shift” during the IoT Week 2017 in Geneva, where we will talk about many of these issues. In this post, I’ll expand on some of my thinking that will inform my comments on the panel.

It is still common to think of an IoT as a “thing” – a smart object, something that is not just a general-purpose computer, connected to the Internet. But this is not what the IoT already is, and certainly not where it is heading. And if we want to address the challenges the IoT brings, we need to look ahead.

We do not want just to have a light bulb whose colour we can change using a smartphone application. We want to automate our whole house so when we dine the ambient light is different from when we read a book, maybe different depending on the season, room temperature, or mood.

We do not want just to measure traffic movements along the city transportation system, but tie it with the temperature, air pollution, and other data gathered by thousands of sensors. And we want to optimize it by managing traffic lights and signalling preferred routes to cars.

Even now, the IoT is a complex system, where devices are just one component. Each component might be the system’s weakest link, so we need a holistic approach to security. Besides the complexity of the IoT system, we shouldn’t forget that it strongly ties with Big Data and AI, each with its own host of issues. And behind each of the components there are specific security challenges, and various parties involved.

The IoT is a system that should be analysed and addressed as a whole. Focusing on isolated components without holistic risk and threat analysis tends to provide temporary fixes (if any), and may significantly hinder the innovative potential of the IoT.

IoT Security is the responsibility of many

When we look at it as a system, we can enumerate quite a number of parties that can and should contribute to the IoT security:

  • Vendors of sensors and actuators (devices)
  • Middleware developers
  • Application developers
  • Protocol developers
  • Middleware platform operators
  • Application services operators

Outside the technical realm the number of entities is also significant:

  • Retailers and resellers
  • End-users: Home and Office users
  • ISPs and service providers
  • Insurance companies
  • Policymakers and regulators

To scale up we need a collective approach, addressing security challenges on all fronts. The Online Trust Alliance IoT Security Framework provides a great foundation listing the baseline requirements for security and privacy.

Guidance and recommendations, along with reusable security building blocks, are essential components of addressing the IoT security challenge, but why is security so hard? We need a collaborative security approach to ignite action and change in addressing IoT security challenges.

IoT security is hampered by negative economic factors, such as negative externalities and information asymmetry. This is not unique to the IoT; our recent analysis of data breaches revealed similar issues.

For instance, device vendors do not provide strong security because they do not bear the costs of security exploits. And consumers have no way to assess the security of the IoT system as a whole, thus diminishing motivation for the vendors to deliver secure solutions. Vendors are under intense competitive pressures to get their products to market as quickly and cheaply as possible, and to iterate with new versions rapidly. Security by design, done properly, costs money, requires skilled staff or consultants, and slows down the process. It cannot be “bolted on” as an afterthought – but that is how it is treated by many vendors, if they give it any attention at all.

When devices reach the end of their supported lifetimes, they usually do not vanish or become inoperable. They often end up in developing areas of the world where they may continue to operate for years or decades longer – un-locatable, unpatched, and vulnerable. There are other examples.

To understand how we can change this situation we need to look at the forces that can potentially drive improvements in this area. In my opinion, there are three main ones:

  • Market forces
  • Regulation forces
  • Societal forces

Market Forces

We hear loud voices that qualify the state of affairs as market failure. Indeed, businesses need to internalize some of the insecurity costs now spread among many others.

First of all, businesses should recognize the value of security. This may take time, but as the trends show, it won’t be long before their customers see that value and demand adequate security and privacy protection. And then, those vendors who were looking forward and are prepared will have a competitive advantage.

Now, companies also need affordable security. Why are known patches not applied? In many cases it is negligence – yes, but to a great extent it is because many companies do not even have a process in place for vulnerability management, nor a patching policy. Security is a process, not a state, and must be treated as such.

An important component here is affordable security – rational frameworks, security building blocks, automation, and information sharing.

Regulation Forces

The question – what and how?

One of the approaches is to use some level of regulation to support baseline security recommendations for connected devices. The challenge is to make it effective without stifling innovation. It must not be so coarse that the requirements are meaningless, nor so rigid that compliance tests are unbearable. How do we make sure that compliance requirements do not hinder agile development and feature and security updates to the devices? And as we know, the IoT is not just devices, so it should be extended to systems and services.

As we said, security is not a state, it is a process, so the security posture of a vendor, or developer, or service provider in terms of QA and information security management processes gives better assurance than a one-off compliance check. For instance, a once compliant device may not meet the same requirements with the next software update. And here again, how to make this affordable, such that not only giants can afford certification?

And of course, not all IoT systems have the same security requirements, but for many of them security means safety and such systems should be in focus.

Importantly, regulators and policymakers should focus on supporting societal activities and foster the culture of security.

Societal Forces

We shouldn’t underestimate the societal force – at the end of the day, all parties involved are interested in innovative and secure IoT. They simply cannot afford losing consumer trust.

I mentioned several key players that take part in the development and operation of the IoT ecosystem. But simply calling on them to take responsibility and clean up their part of the street may not be effective enough.

Understanding the relationships between them, their motivations, and their incentives helps steer their behaviour and operation toward the most favourable outcomes. For example, raising consumer awareness of the risks of connected devices can help establish ranking or certification programmes, like the one led by Consumer Reports in the USA: “The Digital Standard.”

What is crucial here is “norm setting” based on industry-developed and agreed principles and recommendations. A great example of such an effort is the Internet Society Online Trust Alliance IoT Trust Framework that includes 37 principles addressing privacy, security, and sustainability of IoT systems.

“Platforms” – the middleware that glues sensors and actuators into one coherent system – play a key role here, not only by ensuring that the system is secure by design, but also by providing necessary pressure on the component suppliers (for example, through programs like MFi by Apple). They are in a good position to assess the security and privacy of the system as a whole, sometimes including the apps. Think of an IoT as a distributed smartphone!

If leading platform operators agree to a reasonable security baseline, like the already mentioned Trust Framework, and enforce compliance, that will have a significant impact on the whole IoT ecosystem.

The Internet and distributed information systems built on it demand a significant paradigm shift in how security challenges should be addressed. There is no perimeter one can protect, the “outward” risks are as important as “inward,” and care needs to be taken not to damage the fundamental properties of the Internet that allowed it to flourish. The key here is finding points of maximum impact for creating a collaborative environment centred around security and privacy. That is the only way to scale up to match the IoT phenomenon.


Internet Society and African Union Commission Launch Internet Infrastructure Security Guidelines for Africa

The first-ever Internet Infrastructure Security Guidelines for Africa (“the Guidelines”) were launched at the African Internet Summit (AIS2017) in Nairobi, Kenya on 30 May 2017. The Guidelines were developed by the Internet Society jointly with the African Union Commission (AUC) and advance four essential principles of Internet infrastructure security — Awareness, Responsibility, Cooperation, and adherence to Fundamental Rights and Internet Properties. They aim to help African Union States in approaching their cyber security preparedness and are a significant first step in producing a visible and positive change in the African Internet infrastructure security landscape.

Africa has achieved major strides in developing its Internet Infrastructure in the past decade. However, the Internet can’t improve Africans’ lives unless they can trust it. Unfortunately, Africa is not immune from cyber-attacks and other security threats and an increasing number of Africans are becoming fearful of the Internet. The Guidelines will help African countries implement the necessary measures to increase the security of their Internet infrastructure and can play a key role in helping Africa prepare for and respond to the kind of Internet attacks that have recently paralyzed critical public and government services such as hospitals and financial services.

The Guidelines recommend critical actions for stakeholders, which are tailored to the African environment’s unique features: a shortage of skilled human resources; limited resources (including financial) for governments and organizations to allocate for cyber security; limited levels of awareness of cyber security issues among stakeholders; and a general lack of awareness of the risks involved in the use of information and communication technologies (ICTs). They were created with contributions from regional and global Internet infrastructure security experts, government and CERT representatives, and network and ccTLD DNS operators, and in that spirit emphasize the importance of a collaborative security approach as well as the multistakeholder model at the regional, national, ISP/operator, and organizational level to respond to Internet attacks in protecting Internet infrastructure.

These recommendations can play a key role in helping Africa mitigate the increasing cyber security risks. In particular, they advise on the first steps that all stakeholders can take to make the Internet more secure; we therefore encourage regional and sub-regional organisations, governments, network operators, universities and private and public organizations across Africa to take action to implement the Internet Infrastructure Security Guidelines.

Read the Internet Infrastructure Security Guidelines for Africa here.


WannaCry Ransomware Attacks: A Test of Africa’s Cybersecurity Preparedness

A number of African countries, including South Africa, Nigeria, Angola, Egypt, Mozambique, Tanzania, Niger, Morocco and Tunisia, have reportedly been attacked by the recent “WannaCry” ransomware that hit institutions around the world. Ransomware is a type of malicious software designed to block access to data or a computer system until a sum of money is paid. The ransomware attack has compromised mostly public institutions and businesses in over 150 countries. The malware, which has gone by multiple names, including WannaCry, WannaDecryptor, and WannaCrypt, threatens to erode Internet trust and cripple businesses.

While the incidents are widespread and expected to continue, they raise two questions:

Should Africa be alarmed by cyberthreats, such as this recent attack?

Does Africa have the cybersecurity preparedness and capacity to deal with these types of threats?  

Africa is home to some of the world’s fastest growing economies, with the Internet playing a catalytic role in this growth. Africa’s Internet penetration rate is 27% (Internet World Statistics, March 2017) and the mobile penetration rate is 47% (GSMA). Without a doubt, Africa has experienced explosive growth in the use of technology and ICTs in recent years. African hospitals, banks, government institutions, and other organizations rely on computers and the Internet – any interruption can cause major damage to their economy and society. There is no doubt Africa should be as concerned as the rest of the world about these kinds of cyberthreats.

To answer the second question, we need to discuss how Africa can prepare against such risks. No one person can solve these problems alone. The Internet is developed and managed thanks to the contribution of many stakeholders from around the world and the solution to cybersecurity is no different. Everybody should contribute to making the Internet safe. An individual or organization who doesn’t protect their computers endangers the whole Internet.

The Internet Society advocates the Collaborative Security approach to tackle security issues. It offers guidance on how we can secure the Internet without compromising its fundamental values.

Africans have a role to play in making the Internet safe for them and for the rest of the world, though there are some challenges ahead. Africa lacks adequately skilled professionals, has limited public awareness of the risks of cyber attacks, lacks knowledge of cyber law enforcement mechanisms, and lacks practical regulatory guidance from governments, etc. The African Union Convention on Cyber Security and Data Protection is a great tool and recognition that African policy makers acknowledge the problem of cyber security – but it is not a silver bullet. All stakeholders at the regional, national, organizational, and individual level should work together to mitigate the risk.

The Internet Society urges a multistakeholder approach in resolving these challenges. Olaf Kolkman’s blog It’s Up To Each Of Us: Why I WannaCry For Collaboration details the Collaborative Security approach, while Niel Harper provides tactical “how to” advice in 6 Tips for Protecting Against Ransomware.

In addition, ISOC and its partners at the Geneva Internet Platform/Diplo Foundation are organizing a webinar about WannaCry on 18 May 2017 at 11:00 UTC, which is open to all. You may also be interested in this detailed collection of WannaCry information from GIP Digital Watch: WannaCry: The ransomware cyber attack explained.

Read more about Collaborative Security


It’s Up To Each Of Us: Why I WannaCry For Collaboration

WannaCry, or WannaCrypt, is one of the many names of the piece of ransomware that impacted the Internet last week, and will likely continue to make the rounds this week.

There are a number of takeaways and lessons to learn from the far-reaching attack that we witnessed. Let me tie those to voluntary cooperation and collaboration, which together represent the foundation for the Internet’s development. The reason for making this connection is that they provide the way to get the global cyber threat under control. Not just to keep ourselves and our vital systems and services protected, but to reverse the erosion of trust in the Internet.

The attack impacted financial services, hospitals, medium and small size businesses. It was an attack that will also impact trust in the Internet because it immediately and directly impacted people in their day-to-day lives. One specific environment raises everybody’s eyebrows: Hospitals.

Let’s share a few takeaways:

On Shared Responsibility

The solutions here are not easy: they depend on the actions of many. Solutions depend on individual actors to take action and solutions depend on shared responsibility.

Fortunately, there are a number of actors that take their responsibility. There is a whole set of early responders, funded by the private and public sectors, and sometimes volunteers, that immediately set out to analyze the malware and collaborate to find root causes, share experience, work with vendors, and provide insights to counter the specific attack.

On the other hand, it is clear that not all players are up to par. Some have done things (clicked on links in mails that spread the damage) or not done things (deployed a firewall, backed up data, or upgraded to the latest OS version) that exacerbated this problem.

When you are connected to the Internet, you are part of the Internet, and you have a responsibility to do your part.

On proliferation of digital knowledge

The bug that was exploited by this malware purportedly came out of a leaked NSA cache of stockpiled zero-days. There are many lessons, but fundamentally the lesson is that data one keeps can, and perhaps will, eventually leak. Whether we talk about privacy-related data breaches or ‘backdoors’ in cryptography, one needs to assume that knowledge, once out, is available on the whole of the Internet.

Permissionless innovation

The attackers abused the openness of the environment – one of the fundamental properties of the Internet itself. That open environment allows for new ideas to be developed on a daily basis and also allows those to become global. Unfortunately, those new innovations are available for abuse too. The use of Bitcoin for the payment of ransom is an example of that. We should try to preserve the inventiveness of the Internet.

It is also our collective responsibility to promote innovation for the benefit of the people and to deal collectively with bad use of tools. Above all, the solutions to the security challenges we face should not limit the power of innovation that the Internet allows.

Internet and Society

Society is impacted by these attacks. This is clearly not an Internet-only issue. This attack upset people, rightfully so. People have to solve these issues; technology doesn’t have all the answers, nor does a specific sector. When looking for leadership, the idea that there is a central authority that can solve all this is a mistake.

The leadership is with us all. We have to tackle these issues with urgency, in a networked way. At the Internet Society we call that Collaborative Security. Let’s get to work.


Using the Collaborative Security Approach to Address Internet of Things Security Challenges

Two years ago, our “Collaborative Security Approach” proposed a way of tackling Internet security issues based on the fundamental properties of the Internet and the voluntary cooperation and collaboration that’s been prominent throughout the Internet’s history. In this post, let us look at each of the five key Collaborative Security characteristics as they apply to security of the Internet of Things (IoT).

Fostering Confidence and Protecting Opportunities. In short, we should always have these objectives in sight when developing security solutions.

The IoT is a rapidly developing industry sector. Beginning with providing internet connectivity to isolated systems (e.g. cars, early generation SCADA systems), it is evolving into complex distributed systems enabling communication between (embedded) sensors and actuators with application, data storage and middleware components.

The main drivers for this explosive development are:

  • cheap and small sensors and actuators that can be attached to almost any physical object;
  • ubiquitous wireless connectivity;
  • application clouds, which allow an upgradable intellect to be separated from the “smart” objects themselves (a more appropriate name would in fact be “dumb objects”).

Unfortunately, as is often the case with fast-paced developments, security of IoT components and the system as a whole is lagging. Price and functionality features take higher priority.

We need to make security and privacy the most important features. Never before has the virtual world penetrated so deep into our physical lives, and if the gap isn’t shortened there is a high risk of long-term damage to user confidence in the IoT.

Addressing security challenges must be done while preserving the fundamental drivers. For example, too rigorous security requirements for devices may stifle innovation and development, while addressing system wide security is a more appropriate and long-term strategy.

Collective Responsibility. This notes that participation on the Internet means global interdependency. If participants act solely in their own self-interest, not only is the security of the internet affected, the social and economic potential of the internet to the global community also diminishes.

The IoT is not a thing, not even zillions of things; it is an interconnected system. Consequently, there are many parties with a stake in security, including:

  • Vendors of sensors and actuators (devices)
  • Middleware developers
  • Application developers
  • Protocol developers
  • Middleware operators
  • Application services operators

Figure 1: Generic IoT model

All of them are interested in a sustainable IoT, but not all of them realize its dependence on security. Each player has responsibility in the overall security of the system, and each of them can be the weakest link that undermines it.

And we should not forget another important “stakeholder” – the user, be it an organization, municipality, government, or individual. All of them have a stake and responsibility. Their choices define how valuable security features are.

Fundamental Properties and Values. In short, solutions should be compatible with human rights, values, and expectations (e.g. privacy), and what we call the “Internet Invariants” (open standards, voluntary collaboration, reusable building blocks, integrity, permission-free innovation, and global reach).

As I just emphasized, the IoT is a system that should be analysed and addressed as a whole. Focusing on isolated components without holistic risk and threat analysis tends to provide temporary fixes (if any), and may significantly hinder the innovative potential of the IoT.

Because the Things in IoT are part of the bigger internet, it is important that the solutions build on and do not harm the fundamental properties of the internet – the Internet invariants.

Privacy implications of unsecured IoT systems are far reaching. Even if the system is secure, the breadth of the data collection should be carefully assessed. Recommendations outlined in the 2016 Global Internet Report provide an essential baseline.

In the IoT world, security and privacy often translate into human safety; these crucial factors should be part of the overall risk analysis and risk management.

Evolution and Consensus. In summary, security solutions must be grounded in experience, developed by consensus, and evolutionary in outlook. They need to be flexible enough to evolve over time. In a quickly evolving system, an open, consensus-based participatory approach is the most robust, flexible, and agile.

Security building blocks with a proven track record of protection and deployment in the greater Internet should be used as much as possible. Not every solution works for the Internet; some take off quickly and some never see wide deployment. This experience should be used when looking at security solutions for the IoT.

IoT is rapidly evolving. The most effective solutions are those that anticipate the development trend and address the problems of tomorrow. In developing such solutions, all players need to be brought to the table to produce the most robust, flexible, and agile outcomes.

Today, there is a tendency to associate almost any device connected to the Internet with the IoT. Many such devices, like modems, routers etc., have existed since the birth of the Internet, and if we only focus on solving their problems we will miss important emerging threats. IoT systems are distinct in how the “things” are communicating, and how they are administered and controlled. Recognizing these patterns and trends is a key to effective long-term solutions.

Think Globally, Act Locally. For greater effectiveness and efficiency, solutions should be defined and implemented by the smallest, lowest, or least centralized competent community at the point in the system where they can have the most impact.

IoT security is hampered by negative economic factors, such as negative externalities and information asymmetry. This is not unique to the IoT; our recent analysis of data breaches revealed similar issues.

For instance, device vendors do not provide strong security because they do not bear the costs of security exploits. And consumers have no way to assess the security of the IoT system as a whole, thus diminishing motivation for the vendors to deliver secure solutions. There are other examples.

I mentioned several key players that take part in creating an IoT ecosystem. Understanding the relationships between them, their motivations, and incentives helps steer their behaviour and operation toward the most favourable outcomes.

For example, raising consumer awareness of the risks of connected devices can help establish ranking or certification programmes, like the one started by Consumer Reports in the USA.

What is crucial here is “norm setting” based on industry-developed and agreed principles and recommendations. A great example of such an effort is the Online Trust Alliance IoT Trust Framework that includes 37 principles addressing privacy, security, and sustainability of the IoT systems.

Looking at the trends again, it seems that consumers will be less interested in do-it-yourself IoT installations, and will rather go for a “platform,” like HomeKit, AllJoyn or Weave. The platform vendors and operators can differentiate themselves based on security and privacy protection of their systems, as well as provide necessary pressure on the component suppliers (for example, through programs like MFi by Apple). Providing independent assessment of the security level of the platforms and associated certification or ranking can have a significant impact on the whole IoT ecosystem. Again, security frameworks like the OTA IoT Trust Framework provide a good foundation for such activity.


It is unrealistic to expect we can achieve absolute security for the IoT. Nor is it necessarily desirable, as getting closer to this goal may have unbearable costs. It is about how to keep pace and strike the right balances when trade-offs are encountered. We hope that the collaborative security approach can help us think about both.

To learn more, you can read about our Collaborative Security Approach and our work on the Internet of Things.


If we lose trust, we lose the power of the Internet to change lives for the better (Remarks at OECD Ministerial)

On 22 June 2016, Internet Society President & CEO Kathy Brown spoke at the OECD Ministerial on the Digital Economy in the “Armchair Discussion” as a member of the OECD Internet Technical Advisory Committee (ITAC). These are her remarks as prepared.

I am pleased to speak on behalf of the Internet Technical Advisory Committee this morning.

Our message today is that the aspirations of this OECD Ministerial Meeting – that the Digital Economy will bring Innovation, Growth and Social Prosperity – will not be met without an open, trusted Internet.

We are acutely aware of how the Internet impacts and transforms the world. It has the potential to accelerate human progress, bridge the digital divide and develop knowledge-based societies.

Over the past 20 years, we’ve seen the Internet change how people work, socialise, learn, share, and innovate. We’ve seen its impact on economies, on business, on government.

Today we are at a defining moment. We face a situation where we risk undoing all of the progress we have made over the past three decades.

More explicitly, we face a choice between an Internet that is open and that encourages innovation and one that is more tightly controlled which may have the opposite effect of stifling progress.

We are concerned that the growing anxiety of users around security and privacy issues may encourage governments to close and fragment the Internet for more control. We are worried that this could undermine individuals’ ability to use the Internet to improve their lives and the lives of others.

This makes trust the key issue in defining the future value of the Internet.

Each week we seem to hear of more massive data breaches. A recent survey in the US found that 45% of users had changed their behaviour online because of their fears. These concerns were amplified by the One Internet report released yesterday by the Global Commission on Internet Governance.

This must change.

Trust can only be ensured through collaborative solutions, and by making multistakeholder participation the norm in all aspects of the Internet’s governance.

Governments alone cannot create a more trusted Internet. Businesses alone cannot create a more trusted Internet. The technical community alone cannot create a more trusted Internet.

This collaborative approach to security was a great area of focus at yesterday’s ITAC Forum.

The key point is that a trusted Internet is not achieved by a single treaty or piece of legislation; it is not solved by a single technical fix, nor can it come about because one company, government or individual decides security is important.

At the Internet Society, we are trying to make more explicit the different dimensions of a framework for trust. We have identified four building blocks that we believe are the foundation for a trusted Internet:

· User trust

· Trusted networks

· Trustworthy ecosystem

· Technologies for trust

We are posting a paper today on this framework in which we suggest policy initiatives for each of these elements to build best practices across the Internet. We seek input from the community on the viability of this approach.

The framework seeks to capture the attributes of successful models for addressing the challenges of trust. I was recently in Japan and was intrigued by how the Japanese Internet community has organised itself in preparing for the Internet of Things (IoT). They understand that to be successful with the IoT, they need to do two critical things: deploy IPv6 so there can be enough addresses; and build in security from the start.

How the community is addressing these issues is what, in my view, will ensure its success.

Rather than taking a top-down regulatory approach, they have formed working groups across all stakeholders – government, business, universities, the technical community – to collaborate on addressing areas of concern. This multistakeholder process takes time and requires a commitment to intentional cooperation and win-win outcomes. And, it requires some degree of humility on the part of all to recognise that a joint, cooperative approach is more likely to result in a sustainable plan. I commend the report of their efforts – presented yesterday at the ITAC meeting by our ISOC Trustee Hiroshi Esaki.

We need to build a greater trust in the Internet urgently to open up the growth and prosperity promised by the digital economy. The way to do this is through collaboration. The OECD has led the way on multistakeholder decision-making. We look forward to further work on this issue at this week’s meeting and urge the member states to adopt this forward thinking in building a better future for the Internet.

Thank you.


Video: Olaf Kolkman's TNC '16 Keynote on Collaborative Security and the Internet of Things

On Tuesday, 14 June, Chief Internet Technology Officer Olaf Kolkman gave a keynote presentation at TNC ’16 on collaborative security and the Internet of Things.

During “Collaborative Security – Reflections about Security and the Open Internet,” he discussed how an open Internet is a powerful driver for social, technical, and economic interaction. Its success is based on Invariants like openness and permissionless innovation – properties that not only create opportunities but also contribute an increased threat surface to the Internet.

Security responses are often premised on preventing bad things locally and not on the global properties that need protection. Individual actors need to take into account an external perspective to trade off their actions toward the bigger Internet. He reflects on resiliency, outward facing security, and governance, and gives some examples of collaborative security and the difficulty of their getting traction.

His slides are also available online at

We hope you enjoy Olaf’s keynote, and read our Collaborative Security paper to learn more.