Improving Technical Security 16 October 2017

On Approaches to Internet Security, Cybersecurity, and the Path Forward

By Olaf Kolkman, Principal - Internet Technology, Policy, and Advocacy

On 5 October, I had the pleasure of speaking at the New York Metro Joint Cyber Security Conference, which brings together a community of security practitioners from the New York Metro area. Two talks stood out for me. First, the keynote by Maria Vullo, Superintendent Financial Services for the state of New York, who explained her drivers for regulating cybersecurity requirements for the Financial Sector. Second, Pete Lindstrom from IDC, in a presentation on how perimeter security needs a thorough rethink, kept returning to the economics of security.

The reason I refer to these two talks is that I can appreciate each of them for its own, almost diametrically opposed, approach to improving security. Pete Lindstrom takes a strong economic and risk-based approach, questioning whether patching every vulnerability that comes along makes any sense from an economic risk and scale analysis. Maria Vullo, on the other hand, uses capacity-based regulation to incentivise stronger security controls.

Those two points resonate strongly with what I was trying to get across: There is no magic security bullet, there is no security czar, and maintaining trust needs an active approach from all stakeholders.

Starting off with how our community thinks about the future, I zoomed in to what is seen as one of the most important cyber threats. In order to tackle this, we need to work in a distributed manner. That is what the Internet is still about. We need creative ways for agreeing on what needs to be done; some call this norm entrepreneurship. In the presentation, I give three examples of trying to deal with the hard security problems on the Internet that were identified in the futures report.

  • Risk that online freedoms and global connectivity will take a back seat to national security
    Cyberstability is a piece of the puzzle, a traditionally interstate debate, but now seeking to be broader. The work by the Global Commission on Stability in Cyberspace is an example – an experiment in opening up the creation of cyberstability norms in a multi-stakeholder setting.
  • Need for new accountability, incentive, and liability models
    These are tricky, specifically when we talk about externalized risks, where taking action has no immediate individual reward and remaining passive imposes great risk to the environment. Where do incentives come from and how can we be creative in an environment where one does not want to stifle innovation? In this context, I talked about MANRS as a creative incentive developed by the network operator community.
  • The Internet of Things will create new security challenges
    We believe that innovative approaches like the OTA Internet of Things framework contribute to establishing broadly carried norms around the security of these devices. The framework provides 40 measurable principles around security, privacy, and sustainability, not only from a device perspective but also from a data and supply chain perspective.

    But even then, there will always be security issues to which we may not have good answers. The recent BlueBorne vulnerability is an example. How do we deal with these sorts of vulnerabilities? At this moment, I do not know of any attacks that exploit this vulnerability, but I think we all agree that these sorts of new challenges will be popping up.

    On the other hand, there will also be positive evolution in IoT and security, as my colleague Andrei Robachevsky wrote about recently.

Internet security is more than cybersecurity, because we focus on the security of the Internet as a whole. And if that landscape seems complex and confusing, then that is indeed the case.

There are no ready-made answers and that is the Internet Way: distributed, with good approaches winning out over the worst ones, piecemeal, and informed. This is the path to good security: to learn from each other’s experiences, and get better.

All the easy problems were solved 20 years ago.

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.
