Internet Governance

Internet Society submits comments for the revision of the Ethiopian Cybercrime law

Imagine how much the Internet has changed our lives in the last few decades. Today, thanks to the Internet, we can communicate with anyone around the world, instantaneously, reliably and cheaply. This enables us not only to be close to our friends and family that may be far away but also to bridge the knowledge gap that we have with the developed world. It also opens many work opportunities that we wouldn’t even imagine just a few years back and democratize media, allowing anyone to reach instantaneously millions of people at almost no cost, forcing transparency in governance more than ever before.

At national level, our economies are benefiting from the economic opportunities, directly and indirectly related to the Internet. Experts say that this is just the tip of the iceberg and that there are many more opportunities that are yet to be discovered.

However, we cannot deny that the Internet also comes with increasing challenges. Cybercrime is endangering Internet users, organizations and even countries. Our privacies are threatened every day. And more …  It is therefore appropriate that governments act to protect its citizens from the negatives impacts of the Internet by enacting laws and regulations. It was therefore appropriate for the Ethiopian government to enact a cybercrime law. However, it was clear from the beginning that the Computer Crime Law that was adopted in in 2016 infringes on the rights that every citizen is given by the constitution of the Federal Democratic Republic of Ethiopia (FDRE). In particular, the law infringes on the rights of free expression of citizens by adding provisions that have chilling effect on online expression. The law also has vague provisions that opens the opportunity for the government to accuse almost anyone who use the Internet. Last but not least, the law allows the court to shift the burden of proof to the accused, which is against the long accept judicial practice.

The Internet Society was therefore glad to hear that the government of the FDRE has decided to review the law and that the Internet Society is invited to comment on it. We have happily submitted our comments and we are looking forward to participate to the open discussions that we hope will allow to improve the law and contribute to the democratization of Ethiopia.

The future of the Internet is in the hands of all who use it. Help us at #CountMyVoice.

Editor’s note: We will link to the comments we submitted to the Ethiopian government from this post once the comments are published by the government.

Building Trust Improving Technical Security Privacy

Cybersecurity is the Top Internet Policy Concern in the Asia-Pacific Region

This month at the Asia-Pacific Regional IGF in Bangkok we will release the fourth annual Internet Society Survey Report on Internet Policy Issues in Asia-Pacific.

Findings from this year’s report show that cybersecurity, access, data protection, connectivity and privacy are the top five concerns for Internet users. These issues have more or less remained constant since 2014, however, not surprisingly this year cybersecurity has become the top issue.

Other issues that respondents expressed concern for relate to fake news, increasing digital surveillance that violates privacy rights, and more frequent instances of censorship and site-blocking that impact freedom of expression.

The survey polled more than 2,000 Internet users from across the Asia-Pacific region on their attitudes towards current Internet policy issues. This year, the survey took an in-depth look at how the region perceives and deals with personal information online, and the extent to which various entities are trusted to protect people’s personal information and privacy rights.

Generally, the results are rather discouraging. The findings indicate the current level of trust in the Internet is low. Users are concerned that their personal information is not protected online, and this in turn translates to their hesitance in using online services. A large proportion of respondents (60%) also indicated they do not have the knowledge and tools to protect their privacy online. These have important implications on the rollout and use of not only commercial, but also public and social services online.

At the same time, users want to be informed, and desire to have a certain level of control over the collection and use of their personal information. Public and private organisations that collect and share user information need to take this into account when formulating or updating privacy frameworks. This includes the development of systems and tools that make it easier for users to understand the terms of service, and empower users to manage their privacy preferences.

Interestingly, users recognise that the protection of personal information online is a shared responsibility – and not just the owner’s own responsibility. Both the public and private sectors, and especially the platforms through which users transact financially online, not only need to build robust and secure networks and systems, but also develop tools to equip users with the knowledge and skills to use these services safely online. This will improve their confidence in using online services, and their trust in the overall Internet ecosystem.

Read the full report here. Findings from past surveys are available here: 2014, 2015, 2016.

Read the Online Trust Audit, which includes checklist of best practices and resources.

Building Trust Improving Technical Security

WannaCry Ransomware Attacks: A Test of Africa’s Cybersecurity Preparedness

A number of African countries including South Africa, Nigeria, Angola, Egypt, Mozambique, Tanzania, Niger, Morocco and Tunisia have reportedly been attacked by the recent “WannaCry” ransomware malware that hit institutions around the world. Ransomware is a type of malicious software designed to block access to data or a computer system until a sum of money is paid. The ransomware attack has compromised mostly public institutions and businesses in over 150 countries. The malware, which has gone by multiple names, including WannaCry, WannaDecryptor, and WannaCrypt threatens to erode Internet trust and cripple businesses.

While, the incidents are widespread and expected to continue, they beg two questions:

Should Africa be alarmed by cyberthreats, such as this recent attack?

Does Africa have the cybersecurity preparedness and capacity to deal with these types of threats?  

Africa is home to some of the world’s fastest growing economies, with Internet playing a catalytic role to this growth. Africa’s Internet penetration rate is 27% (Internet World Statistics, March 2017) and the mobile penetration rate is 47% (GSMA). Without a doubt, Africa has experienced explosive growth in the use of technology and ICTs in recent years. African hospitals, banks, government institutions, and other organizations rely on computers and the Internet – any interruption can cause major damage to their economy and society. There is no doubt Africa should be as concerned as the rest of the world about these kinds of cyberthreats.

To answer to the second question, we need to discuss how Africa can prepare against such risks. No one person can solve these problems alone. The Internet is developed and managed thanks to the contribution of many stakeholders from around the world and the solution to cybersecurity is no different. Everybody should contribute to making the Internet safe. An individual or organization who doesn’t protect their computers endangers the whole the Internet.

The Internet Society advocates the Collaborative Security approach to tackle security issues. It offers guidance on how we can secure the Internet without comprising its fundamental values.

Africans have a role to play in making the Internet safe for them and for the rest of the world, though there are some challenges ahead. Africa lacks adequately skilled professionals, it has limited public awareness on the risks of cyber attacks, it lacks knowledge of cyber law enforcement mechanisms and lacks practical regulatory guidance from governments, etc. The Africa Union Convention on Cyber Security and Data Protection is a great tool and recognition that African policy makers acknowledge the problem of cyber security – but it is not a silver bullet. All stakeholders at the regional, national, organizational, and individual level should work together to mitigate the risk.

The Internet Society urges a multi stakeholder approach in resolving these challenges. Olaf Kolkman’s blog It’s Up To Each Of Us: Why I WannaCry For Collaboration details the Collaborative Security approach, while Niel Harper provides tactical “how to” advice in 6 Tips for Protecting Against Ransomware.

In addition, ISOC and its partners at the Geneva Internet Platform/Diplo Foundation are organizing a webinar about WannaCry on 18 May 2017 at 11:00 UTC, which is open to all. You may also be interested in this detailed collection of WannaCry information from GIP Digital Watch: WannaCry: The ransomware cyber attack explained.

Read more about Collaborative Security

Building Trust Improving Technical Security

Cybersecurity and National Elections

The European Union today faces some serious challenges including growing levels of populism and the threat of foreign intervention through cyber-attacks. Last year’s alleged Russian-led cyberattacks on US Democratic Party servers as well as Chinese government cyber espionage against other governments and companies have provided worrying precedents. Although it is hard to measure the actual impact these attacks had on the election results in the US, concerns are growing amongst European leaders that their electoral procedures are vulnerable to manipulation.

With elections rapidly approaching in three EU Member States (The Netherlands on 15 March, France on 23 April, and Germany in late September), these vulnerabilities are of immediate concern. Populist parties such as the Dutch Party of Freedom (Partij voor de Vrijheid), the French Front National, and the Alternative for Germany (Alternative für Deutschland) are already unsettling the political system, this new cyber threat presents an additional element of uncertainty and creates further risk of political instability.

The European Agency for Network and Information Security has urged politicians to take cybersecurity seriously, starting by encrypting their communications. National governments have started to respond. In February, the Dutch government decided to count all votes cast in the national election manually to avoid manipulation. French President Hollande, meanwhile, recently acknowledged that hacking was a major threat in light of the upcoming elections and organized a Defense Council on 23 February to discuss possible ways forward. Likewise, Germany is preparing for hacks throughout the election year, and put the issue forward for discussions between interior and defense ministers from a range of nations at the Munich Security Council 2017.

At this same Council, Andrus Ansip, the European Commission’s Vice-President responsible for the Digital Single Market, emphasised the global threat of cybercrime and the risks it poses for democratic processes. In his opinion, close coordination between governments, law enforcement, industry and NGOs, and a solid commitment to research and investment in cybersecurity are key to heading off this threat. Julian King, the EU’s Commissioner for Security, has likewise urged the EU and its Member States to shore up their defenses in the face of the mounting danger. It has become clear that the Commission sees cybersecurity as a political priority.

At European level, the launch of a cybersecurity public-private partnership as well as the implementation of the NIS Directive are concrete measures being taken. However, a more systematic approach is needed, which motivated the Commission’s plan to review the EU’s cybersecurity strategy this year. The early indications are that this strategy will include a focus on tackling cybercrime and working with partners around the globe.

While these are important elements of a response to the cyber threat, including in the political realm, we hope to also see a recognition of the fact that, as we have argued before, cybersecurity is a shared responsibility.

Ensuring that any cybersecurity framework starts with an understanding of the fundamental properties of the Internet and an appreciation of the complexity of the cybersecurity landscape is the critical part of an effective response – and a multistakeholder cross-border collaboration is an essential component of it. We must all work with policy makers in our region to make sure this happens.

Improving Technical Security Internet of Things (IoT)

CITO Olaf Kolkman Speaking at RSA 2017 about IoT Security with Bruce Schneier

Today at the RSA Conference 2017 in San Francisco, our Chief Internet Technology Officer Olaf Kolkman will be speaking as part of a panel on:

Internet of Insecurity: Can Industry Solve It or Is Regulation Required?

The abstract of the session is:

The rise of IoT has brought forth a new generation of devices and services representing significant innovation, yet all too many ship insecure and are not supported over their life. They have become proxies for abuse with a capacity for causing significant harm. Can we wait for industry and stakeholders to adopt trust frameworks and seal programs or do we need government to step in?

The other panelist will be reknown security researcher Bruce Schneier and the moderator is Craig Spiezle, Executive Director and President of the Online Trust Alliance.

The panel starts at 8:00am Pacific (UTC-8) in the Moscone North 130 room. Unfortunately it is not being live streamed, but you can follow our @InternetSociety account on Twitter for live updates.

As background reading related to Internet of Things (IoT) security, I suggest:

If you are there at the RSA Conference today, please do visit this session and engage in the discussion.

If you are a journalist and would like to speak with Olaf more about this topic, please contact Allesandra Desantillana who is at the RSA Conference and can assist in connecting you with Olaf.

Please also watch this blog as we plan to post more information after the event.

Improving Technical Security

Holiday DDoS Attacks: Targeting Gamers (Plus Five Things You Can Do)

Over the past few years, a new tradition has emerged, the Holiday DDoS Attack.

While distributed denial of service (DDoS) attacks happen throughout the year, some of the highest profile attacks occur during the holidays, when the most users will be impacted. Attackers may target online shopping sites to disrupt pre-holiday gift buying. Or they may attack voice over IP services, like Skype, which are used to talk to family members over the holidays. But gaming networks are most often targeted by DDoS attacks, as the end of year holidays usually bring many users online who are eager to try out their new games and systems. In December 2014 and 2015, both Sony’s PlayStation Network and Microsoft’s Xbox Live gaming networks experienced outages as a result of DDoS attacks, leaving users unable to access or play their games online.

On 23 December 2016, Steam, a digital distributions platform and multiplayer network for PC gaming, went offline for several hours. A group of hackers took credit for the outage, claiming they downed the service through a DDoS attack. Valve Corporation, the developer of Steam, did not publicly identify the cause of the outage. When the outage occurred, Steam was in its first day of its annual Winter Sale, which could have produced a large increase in legitimate traffic that could have overloaded their systems, but a DDoS attack is far more likely.

In each of these cases, thousands of average Internet users inadvertently contributed to these DDoS attacks through the participation of their unsecured and infected devices.

While DDoS attacks are annoying for the users impacted, they are incredibly expensive for the companies attacked. According to a study by Incapsula, a web security company, DDoS attacks cost companies an average of $40,000 an hour. For the Steam attack, the cost was likely much higher. The Winter Sale produces some of their largest revenues of the year. The attack’s timing just days before Christmas may have caused Valve Corporation to lose customers, who may have opted to buy their gifts from other companies when they could not access the Steam website. Some users may have lost some confidence in Steam, worrying that the attackers may have also stolen private customer data such as their billing information, and moved to a different service.

DDoS attacks work by flooding systems with seemingly legitimate traffic. The systems are overloaded, leaving legitimate users unable to access them. Since differentiating between illegitimate and legitimate traffic is difficult, DDoS attacks are hard to defend against. Defenders can attempt to block spoofed traffic, provision more bandwidth to counteract the increased traffic, or use other mitigation techniques.[1] However, if the DDoS attack is large enough, and especially if it is made up of unspoofed traffic from many sources, it can be difficult to mitigate. For this reason, DDoS attacks have become the weapon of choice for attackers looking to gain notoriety during the holiday season.

While it can be hard to mitigate a large DDoS attack, everyone can take actions to prevent them. DDoS attacks rely on networks (botnets) of infected devices (bots) to create the massive amounts of traffic necessary to overload systems. Without large numbers of bots, it is much harder for attackers to create large amounts of traffic, making attacks easier to mitigate. We can all take small actions to ensure that our devices do not double as bots. DDoS attacks can only truly be stopped if everyone does their part and protects their own devices. Until that happens, the holiday DDoS attack will remain a threat for years to come.

Five actions to protect your devices from becoming bots:

  1. Create and use strong passwords for all your devices. Do not use the default. This is especially important for smart devices, routers, and other devices with which you may not interact directly.
  2. Update your devices! Software is often patched to remove known vulnerabilities, greatly strengthening your defenses.
  3. Monitor your devices. If a device is acting strangely, investigate it. One example is bounced email messages. If email messages are not reaching their destination, your device could be infected and sending spam as a part of a botnet.[2]
  4. Run anti-virus scans and use other security tools to find and remove malicious software.
  5. Be careful to avoid infecting your devices. Avoid opening suspicious emails, attachments, or risky websites. Some anti-malware services include website security checks.


[1] Spoofed traffic is Internet traffic that is forged to look like it is from another source.
[2] For more specific tips for fighting spam, see our Anti-Spam Toolkit users page.

Improving Technical Security Internet of Things (IoT)

Princeton's "War of The Lights" – The Pitfalls of Enterprise-Level IoT Projects

The stadium lights ripped the darkness over an empty field.

They weren’t supposed to be on. The lights at Princeton University’s stadium, recently upgraded, should have followed an automated cycle, reducing the need for human oversight.

Instead, the lights went to war.

That’s how Jay Dominick, the vice president for information technology and the chief information officer for the Office of the Vice President for Information Technology at Princeton University, described to me what happened when I followed-up with him after he spoke at the Conference on Security and Privacy for the Internet of Things, held Oct. 16, 2016 at Princeton University.

The lights weren’t entirely replaced, and therein lies the problem — and the lessons for any larger enterprise-level project that brings analog projects into the age of the Internet of Things.

The lights flipped on well after midnight because, as Dominick explains, the technology behind the bulbs couldn’t communicate. It’s not something anyone could have predicted or tested for, like they might a software upgrade, before going live.

“The network guys run out there and run disparate packets and say, ‘Yep, the network works, the lights tested and work’,” he says. “And at 3 a.m. the lights go on, and they start whole process again.

“Eventually, through a rigorous process of elimination, you wind up figuring out what you think might have happened, and then it’s the argument about who’s going to fix it.

“We wound up creating a new network for the new lights,” he says. “The new lights liked to talk to each other quite a bit. They were very chatty. And when they would get to talking, the old lights couldn’t process the packets fast enough, so they failed into some obscure state, and that failure would put the old lights in a failure which turned them on.”

“It was essentially a DDOS [Distributed Denial of Service] attack,” he says — just within the same system.

The broader lesson here, he says, is that you can’t upgrade an enterprise Internet of Things system as it were an iPhone — expecting all the parts to run perfectly, out of the box.

“When the next generation comes out as an upgrade to the operating system, now we have a change management process that might not have been familiar to the operational tech world — how does the new software interact with the old software, how do the new lights interact with the old lights?

“There’s just a lot of friction where we’re seeing with these large-scale electromechanical, formerly analog systems now all automated, on a network, and suddenly there are IT people and operations technology people trying to figure out how it all works together, and sometimes it just doesn’t.”

Princeton faced a second problem with a fire alarm system that failed across campus. Today, campus fire alarms have panels that report their status via fiber optic connections to a central controller. The buildings are supposed to ping the central system frequently — if they don’t, the system assumes that building alarm is broken.

Every time communication failed, the university would have to send a person with a walkie talkie to monitor the building while the staff figured out why communication halted, Dominick says.

Dominick cites four key lesson from the light war:

1. Change management has to change. Take the fire alarm example, Dominick says. “In the analog world, if you have continuity on the table, you’re good. Things were largely electromechanical devices that either worked or didn’t work… Now, as we begin to put processors with software and communication stacks at both ends, you tend to get into typical IT problems, which is how you engage in change management. How do you do version control between different parts of the software stack that are going in at different parts, and how do you manage that change?”

2. IT leaders and operational experts need to talk. A lot. “For us, it was taking some recognition by our operational technology friends that they’ve become dependent on IT to get their work done, which unfortunately usually comes up when something goes wrong.

“Now our facility colleagues, our public safety colleagues and IT realize how totally interdependent we are. It would have been nice if that had been a self-realization without having to have been pushed to that realization [when something went wrong] but that’s how it works — you respond to stimuli in the environment.”

3. Talk to vendors. “The intersection of operational technology and information technology is full of friction. This shows up in things like lighting systems that were installed a dozen years ago or so that have a certain set of performance characteristics getting upgraded, and the IT change control not being well understood, either by the vendor or the operational technology folks,” Dominick says.

The light issue resolved, in part, thanks to “very complex discussions with the vendor.” Much of the technology involved in enterprise-level IoT projects likely started as a consumer product or consumer-based technology, Dominick says. Talking to vendors about processes, testing, upgrades and security can help head of issues, Dominick says.

4. The Internet of Things needs a roadmap. There are no guidelines or universally accepted best practices for IoT, Dominick says.

“Whether it’s IEE (Institute of Electrical and Electronics Engineers) or the NIST (National Institute of Standards and Technology), they have got to come together for the rules of the road for how the different products are going to inter-operate. End-to-end security, trust standards, operations — there are some out there working on that,” he says. [Ed. note: NIST released cybersecurity guidelines in mid-November, but it’s not wholesale IoT guidelines:]

So far, technology has quickly outpaced many enterprise agencies’ ability to ensure reliability. Enterprise leadership must serve as their own watchdogs — and ensure the lights don’t go to war.

Editor’s note: For more information, see our report “The Internet of Things (IoT): An Overview – Understanding the Issues and Challenges of a More Connected World“.

Improving Technical Security Internet of Things (IoT)

Paul Vixie: Market Pressure to Churn Out IoT Products Key Cause of Compromised Safety, Security

“Humanity has been building and programming general purpose computers for about six decades now, with spectacular results, mostly good. As we contemplate the ‘Internet of Things’ in light of our collective experience, there are some disturbing conclusions to be drawn. Can we as a species safely place our economy and culture into a global distributed network of computers, if those computers are programmed by humans using commodity programming languages and tools?”

That’s the question renowned Internet security expert Paul Vixie, co-founder and CEO of Farsight Security and an Internet Hall of Fame inductee, recently posed in his keynote address for the Security BSides gathering in Raleigh, N.C.

I talked to Vixie following the address, to get his thoughts—and his advice—on the state of Internet security.

That’s a pretty complex question you posed in Raleigh. Were you also able to provide an answer?

PV: No. That was rhetorical. What I explained is that there is economic pressure to create more software companies or products that include software…and what we have seen is that the talent pool we have is already inadequate for the task. The reason is margin and time-to-market pressure. Everything that succeeds gets competition much faster than ever before in history. The first product in a category can dine well; latecomers sometimes get the table scraps.

And not all companies know how to be software companies. If you come up with an Internet-enabled light bulb, you have to know how to test your product. You have to know how to report it if this lightbulb turns out to have critical software bugs. You have to know who your customers are so you can notify them.

So ultimately, what I showed, is that by all indications, the Internet of Things is going to take everything that looks flaky and behaves badly about Internet-enabled devices today, and multiply it by about a million times.

How can these risks be mitigated?

PV: I’m short on solutions. The thing I saw recently is that Underwriters Laboratories is going to begin doing cybersecurity certifications. It used to be that if you were going to buy a toaster for your kitchen, you would make sure it was on the UL list, to make sure it wasn’t going to start a fire in your house. So, we need to get there with Internet-enabled devices. I am glad UL is going to do that. And I am glad that the Obama White House hired Peiter Zatko, a hacker and Internet security expert also known as “Mudge,” to investigate starting a cyber security program. Regulation isn’t always the right answer, but I think that in this case, the only way we’re going to get wide-spread improvement of software quality is if being a little later to market or costing a little more doesn’t make your product uncompetitive – because your competitors have to meet the same quality standards as you do.

What other steps need to be taken?

PV: If Moore’s Law gives us more transistors, and those transistors are switching faster, year by year, we are getting more computing horsepower. What we have been doing with that computing horsepower is using it to develop glitzier products with more features. But it turns out you could also use some of that new computing horsepower for safety. We’ve been writing everything in C since the early 1980s. It’s time to stop, to think if there are alternatives we might use, that would do additional run-time safety checks. But we are not using any of that new largesse in computing horsepower to make anything safer. The reason, frankly, is there is no market pressure to do so.

That’s the transition that we have to go through or else the ‘Internet of Things’ is going to be the thing that stops the world, even sooner than climate change.

Email hacks have made headlines recently, and there have been several high-profile breaches involving email and credit card databases of large companies. But we just recently saw the first widespread reporting in quite a while about a distributed denial-of-service (DDoS) attack. Does that mean the number of DDoS attacks has declined?

PV: They are not in the news as much anymore because we have them every week. What we have is a new normal, and it’s damn depressing. The problem is that nobody cares.

It’s very hard to think accurately about the actual amount of unsafety that is in the world right now. It is stunning.

Let’s talk about my special pet peeve. The thing that makes DDoS possible is the lack of source address validation at the edge of the Internet. That means [someone else’s] computer can send my computer a request pretending to be your computer, and my computer will answer yours. The source never used to matter because the Internet was born in an academic world where everybody knew and trusted everybody else. We took the same technology and gave it to 3 billion people, and they are not all trustworthy and sometimes they hate each other and they abuse this. And Internet service providers have no incentive to spend money to fix this.

What can companies and consumers do to help thwart these different types of hacks and attacks?

PV: I think that eventually people are going to realize that everything that is digital can be surveilled while it is in motion or it can be stolen, copied or damaged while it is at rest. We will probably start with these two things, both rightly headed, but they are probably going to end badly.

There is encryption. You might invest in it. But your correspondents might not. So, you are keeping your files safe, but your text is running naked through the world.

Also, I don’t think we should have access to all of our old email on a daily basis. We should have the equivalent of having to walk to another room by typing in a password, solving a puzzle. Because that email repository is so much more dangerous that when your files were locked in a filing cabinet. I think people probably won’t stop sending email, but they can use encryption, or digital shredding, or store that e-mail in some kind of one-way repository, where we won’t have a bunch of folders sticking out of our Outlook panel. But as you know, crowds move slowly. It’s going to take another 20 years. In the meantime, it’s just open season on all of us.

What immediate steps can the average computer and smartphone user take to protect themselves and others?

PV: Never turn down a software update from your vendor. It’s something the rest of us really need you to do. Accept that update to Windows 10, even it if it looks like it is going to spy on you more. Because if you run an older version of Windows, your computer is a clear and present danger to the rest of us—and we hate that. You need to give vendors a chance to fix their products. All software has bugs, the problem is you don’t know what they are at ship-time. That’s why everyone needs to keep their stuff up to date all the time.

If you are buying a new gadget, say a thermostat that is connected to a smart phone, give some thought as to whether that company is going to be in business 10 years from now. It may not be getting software updates anymore. You really want to think about the long-term impacts instead of just buying the cheapest thing at the hardware store. It used to be that the worst thing was that the cheap hammer you bought would just break. With the massive adoption of IoT-enabled devices, you now are inviting potential security risk into your home, next to your family photos and your bank records.

If there is a camera on your laptop, do you really need it to be open all the time? Or should you put a post-it note over it?

Upgrade everything. Throw it away if the company goes out of business.

And be suspicious as heck of anything that wants to connect to your network.

For more information about the security challenges of the Internet of Things (IoT), please see our Internet Society white paper: The Internet of Things: An Overview – Understanding the Issues and Challenges of a More Connected World

Image credit: Farsight Security.

Growing the Internet Improving Technical Security Internet Governance Privacy

Cybersecurity and Access – Top Two Policy Concerns in Asia-Pacific

Findings from the recently released third annual Internet Society Survey on Policy Issues in Asia-Pacific indicate that Internet access and cybersecurity are the top two concerns for survey respondents. Cybersecurity, in particular, was seen as an area that needs most urgent attention by policymakers.

The survey polled almost 2,000 end-users from across the Asia-Pacific region on their attitudes towards current Internet policy issues.

One encouraging indication from the survey results is that connectivity looks to be improving significantly in the region – 70% stated that they had experienced better Internet speed and 55% saw a drop in the cost of their Internet subscription.

However, improved Internet access also means a greater need to maintain trust in the Internet and all that it enables. The elements of trust online are multi-faceted and these were reflected in the survey’s findings.  A large proportion of the respondents cited data protection as crucial for building confidence in the Internet.  More than half also felt that consumer protection, transparency, and the ability to communicate confidentially were more important than content, service, technology and applications.

Access and Trust issues are focus areas for the Internet Society, and the survey results reinforce the importance of both these issues. Bringing the unconnected online and ensuring the Internet remains a trusted medium for users are key for the Internet’s continued success.

Read the full Asia-Pacific Regional Internet Policy Survey 2016 report here

Improving Technical Security Internet Governance

The State of Cybersecurity in Europe – Should We Reboot?

During last week’s EuroDIG, Olaf Kolkman and Tatiana Tropina moderated two animated and interactive sessions on the state of cybersecurity in Europe. The first session looked at the current initiatives in the area of cybersecurity, while the second focused on the possible ways forward.

Cybersecurity remains a topic that is hard to define. The discussion touched upon technical, governance and rights elements, and flowed between baseline principles and different operational aspects. The lack of clear definition makes the assessment of European cybersecurity efforts difficult, but our moderators succeeded in teasing out some of the good practices, concerns and frustrations that the participants had.

The participants recognised openness and transparency as fundamental, underlying principles for cybersecurity and as building blocks for trust. The multistakeholder model and rule of law based on democratic decision-making processes are already mainstream practices in most parts of Europe, but to what extent do they really prevail in the area of cybersecurity? The recent EU regulatory and policy initiatives on cybersecurity are a result of a democratic process. Open standards and the Internet Engineering Task Force (IETF) represent a good practice as a transparent way of setting a global technical baseline for security. However, it was not so easy to find good practices reflecting these overarching principles in the world of governance. Many, especially government-led, cybersecurity platforms or partnerships are still not by default open to all, and those that are open tend to be fragmented and publicized within trusted communities.

So how can we continue to build trust between the different communities in Europe for the benefit of a more secure Internet? Users worry about identity and control of their own data, which raises questions vis-à-vis the private sector and government. The European public appears to partially expect that Internet security is a matter to be dealt with by governments. In the real world, however, Internet operators and companies are the first line of defence against cyber incidents. And users carry an important responsibility over their own behaviour and actions on the Internet. Hence, awareness raising and capacity building are key elements of a more secure Internet. The technical community can also help build bridges between different communities through training of, for example, law enforcement and other government departments.

During the sessions a couple of participants asked: should we reboot cybersecurity in Europe? Building common security strategies and solutions is a slow process, but there are clear signs of improved collaboration between the different stakeholder groups. The Internet is a decentralised network of networks, and there is no one-size-fits-all solution to cybersecurity and no single party that can provide the solution. Building trust in the Internet; shared responsibility; and solutions built by consensus are in the heart of the Internet Society’s Collaborative Security approach, and these characteristics are reflected in the European discussions. So should we reboot? This is not necessary – we are already on the right track.

Image credit: Olaf Kolkman on Flickr

Improving Technical Security Privacy

APT CSF-6 focused on essential and urgent issues for cybersecurity

Recognizing the growing importance of cybersecurity, delegates at the Asia-Pacific Telecommunity (APT) 6th Cybersecurity Forum in Bangkok, Thailand exchanged opinions on emerging security threats, best practices in cyber legislation, international collaboration, computer emergency response teams, raising online privacy awareness and approaches to combat spam. Cybersecurity is also one of the work items under the APT Strategic Plan for 2015-2017 adopted by the APT General Assembly held last year in Yangon, Myanmar.

Representatives from 20 member states and several organizations expressed the need to enhance regional collaborative efforts in combating cybercrime, enhancing cybersecurity and countering spam and other online security threats. It was recognized that in addition to policy making, building awareness among end-users should also be a priority for governments.

Presenters shared cybersecurity trends and challenges in their respective countries, and agreed on the fact that cybersecurity is not limited by borders–threats cannot be dealt with in an isolated manner, and requires mutual collaboration among countries and organizations.

The Internet Society Asia-Pacific Bureau presented on spam, highlighting new ways by which spam can be distributed through platforms like social media. According to a research report, a 355% increase in social media spam was recorded during the first half of 2013. Participants were also briefed on the ISOC’s Combating Spam Project and Collaborative Security Initiative.


Internet of Things (IoT)

Tesla’s Software Update To Enable Self-Driving Cars Both Delights And Concerns Me

In a fascinating bit of synchronicity, yesterday morning at pretty much the exact same time that I was finalizing the publication of our IoT Overview paper and publishing Karen Rose’s IoT blog post, my friend (and former CEO of a company for which I worked) Jonathan Taylor was posting a photo to a social network of receiving a software update for his car over the Internet.

Yes, you read that correctly.

His car, a Tesla, was downloading a software update across his home WiFi network.

Even better, this particular software update gave his car the ability to be a self-driving car (also often called an “autonomous vehicle”).

Jonathan, of course, had to immediately try it out on the highways around Orlando, Florida, and later posted:

This morning I got in my car, entered my destination – which was 150 minutes away – and except for two minutes the car drove itself the whole way.

He subsequently explained that the only times he had to take control were a couple of complex road interchanges. Otherwise he and a friend just sat there talking and watching during their entire trip.  The car “drove itself” largely based on the use of computer “vision” technology, GPS, etc.

I admit to being both incredibly delighted – and incredibly concerned – by this evolution of technology.

As someone working in network security for many years, to me the security issues with the whole Internet of Things (IoT) are huge.  As our IoT Overview paper covered in great detail there are all sorts of issues related to the network connectivity, software updates, communication and more.

I think of all the new story lines that can be opened up for shows like “24” where the hero attacks the villain’s car, takes control and drives it into a tree (or to a secure location where the villain is apprehended). I think of DDoS attacks against cars. I think of malware infecting the car. I think of how many ways software can go wrong.  And I find myself thinking I’d really like a vehicle without any computers whatsoever!

And yet…

When I mentioned Jonathan’s adventure to another mutual friend yesterday at the conference I was at he said “That’s brilliant! If you go out to a pub and have too much to drink you can just get in and tell the car to take you home.

To which someone else nearby quipped “Yes, I might pass out and wake up in my car, but at least it would be back home in my driveway!

Well, maybe not quite yet… it sounds like the Tesla still does need human intervention… but you could see the promise.

Another friend on a social network whose eyesight is poor at night commented about how this would be great because she could finally go out to places at night again.

Indeed I saw the promise vividly myself.  I landed at Bradley airport near Hartford, CT, at 11:30pm last night. Exhausted after several days at a conference, I didn’t think I was alert enough to drive the 1.5 hours back to my home in Keene, NH.  Instead I paid for a hotel room near the airport and drove back home this morning after about 5 hours of sleep.

What if I could have just told the car to drive me home and then slept while it was doing so?

I could have saved that hotel room and also been back to see my family that much quicker.

Now, I don’t see a Tesla in my personal future any time soon given the price tag … and I also wonder how well it would really work on our New Hampshire roads with snow and ice in the winter…   but the technology that gets developed in the Teslas and other similar vehicles will slowly make its way down into vehicles that are more affordable.

The whole idea of upgrading the capabilities of a car via a simple update across the Internet is also fascinating. (Although again the security guy inside of me notes that the vendor could downgrade your car’s capabilities, too.)

There are truly some amazing opportunities ahead of us in our increasingly connected world…

… now if only I could feel okay about all the security issues. 🙁

What do you think?  Are you ready to climb into a self-driving car? Or do you want to stay far away?

Image credit: Photo from Jonathan Taylor, Chairman and Chief Product Officer at Sighthound, and used with his permission.