Isn't the cybersecurity debate highly confusing at times? There is a lot of talk about the security of all sorts of cyber assets, discussion about cyberwarfare and cyberdefense, and in all these discussions the Internet seems to be central. Often mentioned in a not so positive context.
In recent conversations I've made the analogy between "Cybersecurity" and "The Economy". We all want to fix the economy but making progress is not an easy task. As soon as you are beyond that statement you notice that there is a lot of nuance. Issues like trust, influence, actors, and affectivity all come to play when you want to fix the Economy. The cybersecurity discourse has similar features.
It is important to dissect the cybersecurity debate into palatable pieces, recognize that all these pieces interact, and be careful about what we talk about. Cybersecurity is often about security in a networked world. For example, an attack on a company where lots of data is stolen is in essence a company security issue that is exacerbated because the company is on the Internet. Without dismissing the importance of that discussion, I would like to take a very specific perspective. Let's talk about the security of the Internet as a system.
How do we enable people to trust in the security of their communication and connections across the Internet while ensuring the Internet remains open and accessible? How do we keep confidence at such a level that businesses are happy to offer their products and services on-line, that journalists will feel confident that they can do their work in the more dangerous places on the planet, and that a kid from Bangladesh can invent a new application that can make the current favorite tools and services irrelevant?
Given that the Internet is a global network of networks without any centralized control, there is no magic answer. There are no single solutions that can be prescribed by governments or just implemented by network operators.
Central to this notion is that when you are on the network you are also part of the network. The reality is that comprehensive Internet security only comes through the efforts of many different people collaborating together to take action to help ensure the security, resilience and stability of the global Internet.
- Fostering confidence and protecting opportunities: The objective of security is to foster confidence in the Internet and to ensure the continued success of the Internet as a driver for economic and social innovation.
- Collective Responsibility: Internet participants share a responsibility towards the system as a whole.
- Fundamental Properties and Values: Security solutions should be compatible with fundamental human rights and preserve the fundamental properties of the Internet - the Internet Invariants.
- Evolution and Consensus: Effective security relies on agile evolutionary steps based on the expertise of a broad set of stakeholders.
- Think Globally, act Locally: It is through voluntary bottom-up self-organization that the most impactful solutions are likely to reached.
The Collaborative Security paper provides further details regarding each of these elements, but, here I want to quickly explore a few examples to show where this approach is already in action.
Open Internet Standards
The development of Internet standards within the Internet Engineering Task Force (IETF) is a prime example of solutions that scale globally and are available for people to act locally. Deployment of these standards is also a collective responsibility – creating the standards is only the first part of the equation, we must also make sure those standards can and will be implemented. Specifically since the deployment of open standards is voluntary, and not mandated.
Keeping Internet Routing Secure
An initiative launched last year, the Mutually Agreed Norms for Routing Security (MANRS), is a voluntary, bottom-up agreement between network operators to collaborate together to improve the security of the Internet's routing system. Already, some of the largest global networks have signed on as participants, and more networks are signing on every week. This is a key example of the kind of collaboration we need.
CERTs and CSIRTs
All across the world, computer emergency response teams (CERTs), also known as computer security incident response teams (CSIRTs), established by governments, businesses, educational institutions, private enterprises and others, long ago realized that while they could fight some of the threats to Internet security, their strength would grow if they collaborated together to share security information. Through organizations such as the Forum for Incident Response and Security Teams (FIRST), these teams are showing the elements of "collaborative security" in action on a daily basis.
Many more examples
I could continue listing examples: the hundreds of Network Operator Groups (NOGs) around the world; the DNS security community; academic conferences such as NDSS, bringing together security researchers. This idea of "collaborative security" is part of the "Internet way" that has been with us since the birth of the Internet decades ago.
Today, though, this amazing creation called the Internet is at the center of so many aspects of our lives. It has become a global engine of innovation, commerce and creativity. We use it every day to communicate and connect with people around the world.
For the Internet to continue to be this global engine of growth and to continue to allow communication and creativity to blossom, we need to work together collaboratively to improve the security of the Internet and ensure that users can have confidence that their communication and information across the Internet can be secure.
This week I will join several colleagues at the Global Conference on CyberSpace 2015 (GCCS2015) which is happening at The Hague and bringing together thousands of participants from governments, businesses and other organizations across the world. Here we will talk about the key themes of growth, freedom and security. During our engagements at GCCS2015 we will be using the principles of this Collaborative Security approach to frame how we think we, as a society, should be tackling these challenging issues to bring about a better and a stronger Internet.
We ask you to join us in that endeavor. The Collaborative Security approach is not just a discussion piece. It is a call for action, for Internet participants to take responsibility. Please look at your own networks and sphere of influence and ask how you can implement these principles.
Please join with us to make the Internet more collaboratively secure!
Photo credit: Olaf Kolkman on Flickr, used with his permission.