Cybersecurity and Internet Governance
5 likes2,177 views
1. The document discusses the history and concepts of internet governance from the early ARPANET days to the present. It covers topics such as technical standards, naming architecture, numbering resources, multistakeholder model, and the IANA transition. 2. Cybersecurity concepts are also summarized, including the goals of information security around confidentiality, integrity and availability. Frameworks for cybersecurity management and defense like ISO 27001 are outlined. 3. Issues related to internet governance and cybersecurity are still evolving through initiatives at the UN and other multilateral organizations to address topics like critical internet resources, capacity building, and access.
Cybersecurity and Internet Governance
- 1. 1 Kenny Huang, Ph.D. 黃勝雄博士 Executive Council, APNIC Author, RFC3743 IETF Keynote. SITCON 18 Mar 2017 huangksh@gmail.com Cybersecurty and Internet Governance 網路安全與網路治理 亞太網路資訊中心董事
- 2. 2 The Internet and Internet Governance(IG) Cybersecurity Cybersecurity vs. IG
- 5. 5 The Internet #1 BlindTrust : we trust parties we don’t event knowexist
- 6. 6 The Internet #2 No Ownership: The big companies, not users, own the data.
- 8. Internet Governance Definition 8 IG Definition @ WSIS Tunis 2005 : The development and applicationby governments, the privatesector and civil society, in their respectiveroles, of shared principles,norms, rules, decision-making procedures, and programmes that shape the evolution and use of the Internet.
- 9. Internet Governance Layers 9 Telecom infrastructure (cable, wireless, ...) Protocols, standards and services (DNS, TCP/IP, SSL...) Content and applications (HTML, FTP, XML) Source:Diplo
- 11. IG Concepts in ARPANET – Technology Track 11 1969 1983 ü System requirements ü Standardization ü Entity for managing technical standards RFC 01 RFC 03 IETF Working Group Steve Crocker RFC 883 RFC 882 ü Domain name concept ü Tree hierarchy ü DNS operation 1984 RFC 1035 RFC 1034 ü DNS delegation ü ccTLD, gTLD ü Single Root 1987 1994 ISC: Paul Vixie BIND UC Berkeley Jon Postel acted as RFC Editor 1969-1998
- 12. 12
- 13. 13
- 14. IG Concepts in ARPANET – Registry Track 14 1969 HOSTS.TXT hostname IPaddress hostname IPaddress hostname IPaddress hostname IPaddress hostname IPaddress hostname IPaddress SRI maintained HOSTS.TXT SRI (StanfordResearch Institute) Jon Postel managed Assigned Number List Copy to other sites 1981 ü Names ü Numbers ü Critical Internet Resources ü Registry operation ü Uniqueness of name – Single Internet
- 15. IG Concepts for Architecture and Authority 15 1969 1987 1988 1998 RFC 1035 RFC 1034 18 Sep1998 established 16 Oct1998 passed away Root Zone Operator ü Execute IANA functions ü Root zone governance ü TLD legal issue The IANA functions manage protocol parameters, Internet number resources and domain names. ICANN performs these functions on behalf of the global Internet community.
- 16. Root System Model 16 Source : ICANN
- 17. 17 Source : ICANNRoot DNS Anycast Root Source :RIPE IETF48 Root Server Operators’ statement (1998 Dec) ü Operatereliably, for thecommon good ofthe Internet ü RecognizeIANA as the sourceofthe root data ü Invest sufficiently to ensureresponsible operation ü Facilitate thetransition, when neededandwith proper notice ü Recognizethe other root server operators ü Multistakeholder ü Recognize IANA ü Single Internet ü Internet as public good
- 18. IG Concepts for Number Community 18 1992 20011993 1997 2005 ü Multistakeholder Model ü Self regulation ü Member voting right ü IP address allocation ü Policy development process 1999 ü ASO ICANN Board selection ü Global address policy ü Accountability ü Transparency üGovernance üFinance üPolicy
- 19. Critical Information Infrastructure (CII) 19 Internet Numbering Architecture Internet Naming Architecture ü Critical Information Infrastructure Protection
- 22. 22 Degree of Enforcement 完全中⽴ (Full Neutrality) 強調網路必須完全中⽴,無任何差別待遇,封 包使⽤FCFS 模式傳輸。主要⽀持者包含學者 Susan P. Crawford (Cardozo Law School; 曾任 FCC 主席)。 資料類別特許的差別待遇 (Allow discrimination based on type of data) 此主張認為網路資料有不同服務需求,例如封 包延遲Latency、或不連續Jitter情況。ISP可以針 對應⽤服務屬性來調整差別待遇。主要⽀持者 包含學者Tim Wu (Columbia University Law School) ⾮阻斷或⾮節流下之個別訊務排序 Individual prioritization with throttling or blocking ISP認為在沒有阻斷(block)或不造成阻塞情況下, ISP可以依不同服務或客⼾需求進⾏訊務排序。 主要⽀持者包含 Comcast, AT&T 不直接強制 (No direct enforcement) 許多國家並沒有網路中⽴相關法律,但可以參 考其他法律來管制,例如反競爭法,美國FCC 在無網路中⽴法之前也是參考市場合理實務提 出管制命令。 ISP 市場競爭度 美國Comcast / Netflix案件中法院裁定 Comcast 違反 網路中⽴主因: ⼤多數網路使⽤者在寬頻(25Mbps) 服務只有單⼀寬頻服務供應商可選擇。在此情境下, ISP差別待遇⾜以影響市場競爭,寬頻 ISP 負有更⼤ 責任維持服務的中⽴性,避免影響網路使⽤者的權 益。 ü Improve connectivity ü neutral Internet exchange and peering
- 23. CERT (Computer Emergency Response Team) üCERT was first used in 1988 by CERT CoordinationCenter at CMU. CERT and CSIRT (computer security incident response team) are used interchangeably. üFIRST (Forum of Incident Response and Security Team) is the global associationof CSIRTs üAPCERT Established 2003. Annual events include (1)AGM (2)APCERT Drill 23
- 24. 24 ü Allocationand assignment of three sets of uniqueidentifiers of the Internet: domain names, IP addresses, and protocol parameters ü Operation and evolutionof the DNSroot name server system ü Policy development reasonably and appropriately related to these technical functions ü Multistakeholder ü Accountability ü Transparency üGovernance üFinance üPolicy
- 25. UN IG Initiatives – Political Track 25 2003 20062005 2010 ü Multistakeholder ü Multilateral ü Inclusion ü Sustainability 2015 Technical Topics üCritical Internet resources üCapacity building üSecurity üAccess üInternationalization
- 26. IANA Stewardship Transition 26 US Gov. NTIA Perform IANA Functions ICANN APNIC contracted 5 RIRs (APNIC) Perform IANA Functions ICANN APNIC contracted Before 1 Oct 2016 After 1 Oct 2016 Audit & Review Audit & Review
- 27. 27 The Internet and Internet Governance(IG) Cybersecurity Cybersecurity vs. IG
- 28. Confidentiality Integrity Availability prevents unauthorized use or disclosure of information safeguards the accuracy and completeness of information authorized users have reliable and timely access to information Goals of Information Security 28
- 29. 29 ISO27001 ISO 27001 – a global recognized standard that provides a best practice framework for addressing the entire range of cyber risks ü People, processes, technology ü Systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an organization‘s information security to achieve business objectives Key elements of implementing ISO227001 ü Determine the scope of the ISMS ü Consider the context of the organization and interested parties ü Appoint a senior individual responsible for information security ü Conduct a risk assessment – identify risks, threats, and vulnerabilities ü Appoint risk owners for each of the identified risks ü Implement appropriate policies and procedures ü Conduct staff training ü Conduct an internal audit ü Implement continual improvement of the ISMS
- 31. 31
- 33. DDoS As A Service 33 Source:tripwire,May 26 2016 400,000 Bots for Rent Source : bleepingcomputer,Nov 24 2016
- 34. Operation of a DDoS attack 34 attacker computers real users target serversInternet SERVICE OFFLINE out of resources
- 35. Protection: Technology vs. Insurance 35 FIRST PARTY COVERAGE üdamage to digital assets übusiness interruption ücyber extortion üprivacy breach expenses THIRD PARTY COVERAGE ü privacy liability ü network security liability ü internet media liability ü regulatory liability ü contractual liability Cyber Liability Insurance is inexepensive effective coverage. Coverage limits starting at $100,000 with annual premiums starting as low as $250 1. Key companies include: AIG, Marsh, Allianz 2. False sense of security 3. Growth of market and risk will increase insurance premium 1. Greater protection from threats 2. Insurance driving implementation of technology solutions to comply with policy requirement
- 36. Cyber War Case - Afghanistan • Two-way cyber war measures • Cyber offensive capability • Cyber dependence : • Degree to which a nationrelies upon cyber-controlled systems • Cyber defensivecapability • “We have the most bandwidth running though our society and are moredependent on that bandwidth. We arethe most vulnerable.“– former Admiral McConnell. • Afghanistan 2001 • US had conducted a cyber war plan, but no targets for cyber warriors,that gives Afghanistan an advantage. • If Afghanistan had any offensive cyber capability,the cyber war would have shifted in different way 36
- 37. Cyber War Case - China • Offense vs. defense • US has the most sophisticatedoffensive capability,but it can’t make up its weaknesses in defensiveposition. Cyber defense trainings areoffensivefocus. • China cyber warriors aretaskedwithboth offense and defense in cyberspace. • China advantagesin cyber war • Ownership: Internet in China is like an intranet of a company. Government is the only serviceprovider • Censorship • Great Firewall of China provides security advantages • The technology that Chinese use to screen emails/message provide the infrastructure to stop malware • Install software on all computers to keep children from gaining access to pornography – Give China control over every desktop in the country. • Critical infrastructure:For electric power system,US relies on automationcontrolledsystem,but China requirea largedegree of manual control. 37
- 38. Cyber War Strength 38 US Cyber Offense: 8 Cyber Dependence : 2 Cyber Defense: 1 Total : 11 Russia Cyber Offense: 7 Cyber Dependence : 5 Cyber Defense: 4 Total : 16 China Cyber Offense: 5 Cyber Dependence : 4 Cyber Defense: 6 Total : 15 Iran Cyber Offense: 4 Cyber Dependence : 5 Cyber Defense: 3 Total : 12 North Korea Cyber Offense: 2 Cyber Dependence : 9 Cyber Defense: 7 Total : 18 Source:Richard Clarke,2010
- 39. DDoS vs. Cyberwar 39 Cyberwar initiated country Counterpart country Internet DMZ 1. DDoS can only attack DMZ zone. DMZ was built for that purpose. 2. DDoS attacks are compelling. The targets can be easily identified. It gives enemy an advantage of increasing defensive capability, or relaxing cyber dependence.
- 40. Cryptography 40 encrypt decrypt encrypt decrypt Hello Hello$7@# ciphertext Symmetric Cryptography Hello Helloa@xf ciphertext Asymmetric Cryptography Public key exchange A A B B
- 41. Browser SSL Connection 41 1. Server sends a copy ofits asymmetric public key 2. Browser creates a symmetric session key and encrypt it with the server’s public key 3. Server decrypts the asymmetric public with its private key to get the symmetric session key 4. Server and Browser now encrypt and decrypt alltransmitted data with the symmetric session key. This allowa secure channel because only the Browser and the Server knowthe symmetric session key. Symmetric key 128/256 bit (fast); PKI key 1024/2048 bit (slow) Most secure communication systems (SSL; SSH; VPN..) use symmetric key encryption 1 2 3 4
- 43. 43 CA1 CA2 CA3 CA4 Alice Bob Certificate pointing from issuer to Root CA directly trusted by relying parties Sub-CA Hierarchical PKI Architecture Mesh PKI Architecture CA1 CA2 CA3 CA1 CA2 CA2 CA1 CA1 CA3 CA3 CA1 CA1 CA3 CA3 CA1 Alice Bob Charlie Certificate pointing from issuer to Trusted CA point for Alice CA Cross Certificate Doug Finance Bob HR Dept Charlie Account Bridge PKI Architecture Bridge CA Alice Public Key Infrastructure Architecture
- 44. 44 Certificate Authority vs. IG Authority It can be done by deploying DNSSEC and DANE and give up CA's and X.509certificate hierarchies. CA can issue a cert for any domain name and instead use DNSSEC and DANE
- 45. OECD CIIP (Critical InformationInfrastructure Protection) 45 üInformation components supporting the critical infrastructure üInformation infrastructure supporting essential components of government business üInformation infrastructure essential to the national economy US Systems and assets, whether physical or virtual to the US that the incapacity of destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters. CIIP Directive (EU) 2016/1148 ANNEX II : IXP、Root DNS、TLD Registry EU
- 46. ETSI Lawful Intercept Model 46 administration function IRI mediation function content mediation function IRI : intercept related Information CC : content of communication INI internal network interface IIF internal interception function HI3 content of communication Network Internal Functions HI2 Intercept related information HI1 administrative information NWO/AP/SvP Domain LEMF Law Enforcement Monitoring Facility network operator / access provider / service provider HI: handover interface (ETSI)
- 47. Backend Operator Potential Registry-LEA Implementation 47 TLD Registry Data Escrow Agent (ICANN approved) Contractual Compliance Finance System EBERO Law Enforcement Agency Jurisdictional Considerations invoice Data Escrow Alerts gTLD Failover Design (Kenny Huang, 2015)
- 48. Internet Routing Security - Detour 48 A path that originates in one country, cross international boundaries and returns back to origin country
- 49. BGP Routing 49 AS 4134 China Telecom AS 7018 AT&T AS 3356 Level 3 AS 2828 X0 Comm. AS 6167 Verizon AS 22394 Verizon Customer Provider Peer Peer legend 3356, 6167, 22394 66.174.161.0/24 6167, 22394 66.174.161.0/24 22394 66.174.161.0/24
- 50. China Telecom hijacks Verizon Wireless 50 AS 4134 China Telecom AS 7018 AT&T AS 3356 Level 3 AS 2828 X0 Comm. AS 6167 Verizon AS 22394 Verizon 4134, 22724, 22724 66.174.161.0/24 3356, 6167, 22394 66.174.161.0/24 AS 22724 China Telecom Apr, 2010 Prefix Hijacks China Telecom announced 50,000 prefixes (15% routes)
- 51. Pakistan Telecom hijacks YouTube 51 AS 18174 Allied Bank AS 58467 Lahore Stock AS 18173 Age Khan AS 3491 PCCW AS 3327 Linux Telecom AS 25462 RETN Ltd AS 36561 YouTube 17557 208.65.153.0/24 3491, 17557 208.65.153.0/24 36451 208.65.153.0/22 AS 17557 Pakistan Telecom Feb 2008 Subprefix Hijacks
- 52. Moratel Leaks a Route to PCCW 52 AS 23947 Moratel AS 3491 PCCW AS 4436 nLayer AS 15169 Google 3491, 23947, 15169 8.8.8.0/24 15169 8.8.8.0/24 23947, 15169 8.8.8.0/24
- 53. 53 The Internet and Internet Governance(IG) Cybersecurity Cybersecurity vs. IG
- 54. Why Bother Internet Governance 54 Jurisdiction Law Organization Rules International Law / Treaty Internet Governance Multistakeholder Standard Technology Architecture Policy Procedure Best Practices Cooperation Coordination IG Regime
- 55. Code is Law 55
- 56. Cybersecurity Attributes Recap 56 Confidentiality pPhishing pPacket sniffing pPasswordattack Integrity pMITM (Man-in- The-Middle) pIP spoofing Availability pDDoS pSYN flooding
- 58. ICANN DNSSEC vs. Cybersecurity 58 ConfidentialityX IntegrityX Availability Stakeholders 1.ICANN, gTLD& ccTLD operators 2.Root operators 3.IETF Phishing Man-in-The-Middle
- 59. Secure Internet Routing - RPKI 59 APNIC 8.0.0/8 Level 3 8.8.8.8/24 Google 66.174.0.0/16 Verizon Wireless 66.174.0.0/24 AS22394 66.174.0.0/16 AS6167 8.0.0.0/9 AS3356 ROA 8.8.8.0/24 AS15169 cert legend PRKI : Resource PublicKey Infrastructure
- 60. RIR’s RPKI vs. Cybersecurity 60 Confidentiality IntegrityX Availability Stakeholders 1.RiRs (e.g. APNIC) 2.ISPs 3.IETF 4.LEA (Law Enforcement Agent) IP spoofing Route hijacking
- 61. Secure Communication : Technology 61 RFC 7457 Summarizing Known Attacks on TransportLayer Security (TLS)and Datagram (DTLS) RFC 2409 The Internet Key Exchange (IKE) RFC 3526 More Modular Exponential(MODP) Diffie-Hellman groups for Internet Key Exchange (IKE) RFC 7258 PervasiveMonitoring Is an Attack RFC 7525 Recommendations for SecureUseofTransport Layer Security (TLS)and Datagram Transport Layer Security (DTLS) RFC 4307 CryptographicAlgorithm for Usein the Internet Key ExchangeVersion 2 (IKEv2) Remove support for DH1024 Proposed DH1024 Proposed DH 2048
- 62. IETF Technologies vs. Cybersecurity 62 ConfidentialityX IntegrityX Availability Stakeholders 1.IETF 2.Developers 3.LEA (Law Enforcement Agent) Strong cryptography Enforced Internet encryption
- 63. Secure Internet Root 63 a b c ….. k l m …..Site1 Siten …..Host1 Hostn Sites (uniquelocation and BGP route) Root letters (uniqueIP anycast address) Servers (internal load balancing) User Recursive resolver Horizontal distribution Multiple letters Multiple operators Vertical distribution Multiple sites Multiple servers
- 64. Impact of The Attack 64 1. The Root DNS handles the situation well 2. Resilience of the Root DNS is not an accident, but the consequence of fault tolerant design and good engineering 3. True diversity is the key to avoid collateral damage
- 65. Root vs. Cybersecurity 65 Confidentiality Integrity AvailabilityX Stakeholders 1.Root operators 2.IETF Divergent model Robust and resilient Infrastructure
- 66. Cybersecurity Future Evolution 66 Prevention, 80% Monitoring, 15% Response, 5% Prevention, 33% Monitoring, 33% Response, 33% NOW FUTURE Source : RSA Conference 2016 Singapore
- 67. source: Into the Gray Zone: Active Defense by the Private Sector against Cyber Threats Cybersecurity Phased Strategy Defense 防禦 Diverge 分歧 Attack攻擊 67
- 68. Potential Cooperation for Cybersecurity and Internet Governance 68 Case : Crypto–Ransomware Source : EUROPOL
- 69. 69 Check Whois database, Found In Romania Traceroute, ends up in Netherlands 1 2 It’s not useful French Cyber Investigator Source : EUROPOL
- 70. 70 MLAT* from French to Romania 1 month later, Romania LE goes to the indicated company 3 4 MLAT: Mutual Legal Assistance Treaty Source : EUROPOL
- 71. 71 Scenario 1 : Romania company cooperate Found server is in Germany Second MLAT from French to Germany 5 6 Scenario 2 : Romania company uncooperative, victim of ID theft 5 Source : EUROPOL
- 72. 72 1 month later, Germany LE goes to seize the server 7 To late !! Decryption keys have been moved to another server .. 8 Source : EUROPOL
- 73. LEA and RIRs Cooperation 73 Question? ü How can we ensure that IP addresses are announced in the country where they are actually registered? ü Can the RIR database reflect the location of an ISP handling an IP address? Internet Policy Proposal ü Require registration of all IP sub-allocation to downstream ISPs to entire chain of sub-allocations are accurately reflected in WHOIS ü NOT disclose end-user information but instead focus on downstream ISP providing connectivity to the end-user Source : EUROPOL
- 74. Cybersecurity and IG Landscape 74 Cybersecurity
- 75. Users Public Safety Regulators Operators Vendors Software CERTs Cybersecurity and IG ECO System 75
- 76. 76