This text is being provided in a rough draft format. Communication Access Realtime Translation (CART) is provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings.
>> CHRIS BOYER: Good morning everyone.
Hello. Welcome to session 143 on emerging cybersecurity threats.
My name is Chris Boyer from AT&T. I'm an Assistant Vice President for Global Public Policy there, and I specialize in security issues. I'm standing in for Jeff Brueggeman, who could not make it today.
The purpose of this workshop is to focus on emerging cybersecurity threats. In particular, around issues such as mobile and cloud security and the implications of that on Internet Governance. And the discussion is really supposed to encompass a technical overview of some of the threats and also discuss practice strategies and solutions for addressing emerging cybersecurity issues.
I'm going to be kicking this over to Robert Guerra from Citizen Lab to be the moderator of the panel. And I guess Robert will go and make introductions of our panelists. So thank you for coming this morning.
>> ROBERT GUERRA: So good morning everyone, and thank you for coming to the session of the morning. It's the first session of the day, so I'm delighted that the room is full.
My interest in terms of how to organise the session for today is it's really meant as a conversation, not only between the panelists that are here for them to share their expertise and their specific insight, but also to dialog with you in the audience, which I'm assuming that some of you are incredibly interested in the topic, maybe have technical expertise, and have a conversation to see if there are some common elements of coordination, collaboration. Or if there are some gaps, and possibly some suggestions that can then be contributed back into the main session.
What I'm going to ask the panelists to do, I'm going to start with a couple of questions that I'm going to ask, maybe two or three questions. And I'll ask each of them to answer in order, take one round, if they have comments for each other, and then open up that very same question to the audience if they choose to -- or they wish to comment on a question or maybe pose a question to the panel.
When I ask a question for the first time to the panelists, I'll ask them to just briefly say their name, their organizational affiliation, and the country that they're from. And I won't ask them to get too much into their bio. That is online. We have 90 minutes, which can go very quickly.
So just talking about myself, as mentioned, I'm Robert Guerra from the Citizen Lab. It is a research -- a multidisciplinary research group at the School of Global Affairs at the University of Toronto. And we have been talking about this -- these issues for a long time.
So what I'm maybe going to start with you, Patrick, and then we will just go around this way, and in no particular order I guess. And just from the conversation that we had a bit earlier, I'll maybe ask the panel first to talk about maybe some recent incidents that may have come up, and briefly describe the incident, to talk about how there was some sort of coordination or identification of the problem, coordination around it. And then maybe any challenges going forward.
So if you can do that in three to five minutes, so go ahead, please.
>> PATRICK JONES: Thanks, Robert. Patrick Jones from ICANN security team, based in the United States. And as Robert mentioned, just in the last couple days there has been an example of a cybersecurity threat with a hacking on the ccTLD for Qatar. So the dot QA's registry operations.
This follows a similar pattern to what has happened in the last few weeks with Malaysia. Costa Rica had the same type of hacking. And it's a continuation of a pattern that is going on, particularly targeted at the country code community, though I'll probably be not speaking out of line to think that that type of activity is happening against others that are operating networks and an infrastructure in the domain name space.
That's really an example of two -- one of the two main types of threats from an ICANN perspective that we see. Threats against the operations of the Domain Name System, registries, registrars, the infrastructure providers. The other example, and I hope we get time to talk about it, are the threats that are leveraging the Domain Name System for some criminal purpose, for malicious content, malware, phishing. Those are, in short, two examples of threats that we're seeing, threats against operations of the Domain Name System and threats leveraging the system.
>> ROBERT GUERRA: Since you still have five minutes, so that's the threat. So the issue is, for example, for the Qatar attack, can you just talk a little bit about that, in terms of how did the community recognize that was happening? And talk about something about the coordination and maybe challenges kind of going forward. Or is the issue never going to come back again?
>> PATRICK JONES: So this is one where there seemed to be pretty quick coordination between the security incident response teams that observed the attack happening, reached out very quickly to either the QCERT or to the QA registry operators. The registry operators were in contact with us and I'm sure with others either asking for contacts to connect them with parties that they didn't have contact information for. So we were able to put them in contact with other operators who could help. And that was appreciated.
And we see that a lot, where in an attack either a registry or registrar may need to reach out to someone not in their country that operates another part of the infrastructure, and they would contact ICANN or come to you first or some other CERT team, and that team will connect them with someone else who can help. And that's a really good example of the types of list-based communications that are happening and collaboration at that level of the community.
>> ROBERT GUERRA: Okay. Thank you.
>> BEVIL WOODING: Packet Clearinghouse. I'm responsible for Caribbean outreach with Packet Clearinghouse. And we work -- or my work primarily involves assisting Caribbean Governments in dealing with Internet infrastructure on cybersecurity issues.
The threats that we see in the region revolve around financial services organisations generally and Government online services. The interesting thing about these attacks is that they pretty much mirror what you would see in any other part of the world. The difference being the capacity to respond. And so over the past few years, there has been an interest in the formation of CERTs in the region but also interest in building technical capacity. The region does not have a very strong history of sharing information concerning attacks, and so most of what is discovered is normally unofficial. And so up to this point there has been limited official coordination of responses to cybersecurity incidents. This is changing with the greater attention being put on it, and also because of the greater financial impact these attacks are having on already fragile economies.
So if I were to indicate where things are at right now, it is a movement toward strengthening the region's technical community, and greater cooperation between the region and other parts of the world where cybersecurity capacity is already well developed.
>> ROBERT GUERRA: So I'll ask you a question, just as I did with Patrick.
Was there -- so you're saying that there have been a variety of financial services under attack and it's gotten better.
For those folks that may not be as familiar, is there a specific case that stands out in terms of being kind of a largest attack that impacted the region, or are they all of the same intensity?
>> BEVIL WOODING: The financial services sector, as you know, is one of the -- there is offshore banking in the region. There are a number of significant insurance and commercial bank interests in the region. But in the case of this, there is one involving the Government of Grenada where a threat was issued. And the Government to the Caribbean Telecommunications Union wanted us to issue something into the Packet Clearinghouse.
The thing that stands out about it was the lack of understanding, even within the Government, as to how to respond to the threat which came from outside, of course. There were no laws to apply. There was no clear understanding of who to seek redress from and protection from. And we had to walk through with the Government, we had to walk through a sequence of steps to identify where that came from and what was the best way to respond to it.
That proved to be a pattern or model that we have since used to help other Governments in the region understand why they need to pay particular attention to the issue. And the Caribbean has a very high, for example, mobile penetration. Most countries have greater than 100 percent mobile penetrations. These devices connect to offices, they connect to services that are vulnerable to attack, and there is very little by way of protection of the access that they have to cooperate with databases and services.
So these kinds of issues create linkages that allow us to highlight the importance of protecting systems and collaborating in the face of attacks, and look at coordinated approaches to developing capacity.
>> ROBERT GUERRA: Thank you so much.
Go ahead, Cristine.
>> CRISTINE HOEPERS: Hi. Good morning. My name is Cristine Hoepers. I'm from CERTBR Brazil. That is one of the national teams in Brazil. We are maintained from NIC.br from the Internet Steering Committee. Our work in Brazil is to coordinate and facilitate the work of audit teams. We have more than 30 teams established in Brazil. Some from Government, some from private sectors, several from the financial area. And I think from our perspective, we are a national team, not focused on Government metrics. We are focused on the whole Internet and what can make the Internet as a whole in Brazil safer and more secure.
So from our perspective, the biggest challenges are really the threats to end-users, and to end-users' mobile devices and everything. And especially in Brazil, we still have a lot of things to do for digital inclusion. Our Internet has been growing rapidly in the past 3 to 4 years, and the Government gave a lot of incentives for people to have access to cheap devices like tablets and smartphones. So I think this will be a challenge for the next few years.
But, really, I think the major challenge is that of course organisations and attackers, they go to what is easy to attack. And it's easier to attack devices that are in the hands of people that don't have technical knowledge and don't know how to secure their devices. So I think this is one of the challenges that a lot of national teams are discussing right now on how, really, to improve that security. And meanwhile, what most of the people are doing is how to really try to do some countermeasures or to mitigate some of the effects.
And one of the examples that we have in Brazil is the work we do together with the financial sector. We have a Working Group and I think it would be similar to what people call an ICAC in the United States. But it was a group that was created in 2004 when we started to see a lot of financial fraud targeted to end-users, and related to phishing, and some other attacks, and malware. And really in that Working Group we have everyone focusing on what they could do better.
We from CERTBR we focused on getting contacts in other countries to getting ISPs to respond and to have a smaller window of vulnerability for the end-users.
So it's really to get things shut down and to really get as few victims as possible.
In the financial sector it's investigating what is fitting their defenses and how to do investigation. So we separated and compartmentalized and tried to get the best of all of this. One of the ways would be to know how to improve that cooperation. Of course there are a lot of things that we cannot share, that they don't share, and we try our best to build bridges between different communities that cannot so openly share information. And I think that is also one of the challenges for the CERT community on how to maintain the trust that we built during the years and how to go forward helping communities and establishing bridges between communities that are not necessarily able to share that much information.
>> ROBERT GUERRA: Great. Thank you.
>> YURIE ITO: Good morning. My name is Yurie Ito. I'm from JPCERT. I'm Director of Global coordination. Just as Cristine, we are the national CERT in Japan.
So our panelist mentioned about the threats. So I'd like to touch upon a little bit what that type of threat is impacting to the International collaboration for technical community and especially CERTs collaboration. So we start seeing a lot of targeted attacks, globally, and also increasing number of clearly national security motivated attacks, such as Stuxnet, and DDOS against Government networks and banking systems. Just as the panelists mentioned.
The other aspect that we see is the Governments are now starting to discuss these types of things with the cyber warfare, cyberconflict dialog. And around the world, Governments are starting to make accusations, taking sides on who is conducting attacks and who is creating risks. And managing cyberspace and cybersecurity is seen as a very -- is seen as a competition. So this competitive approach has actually started to create substantial challenges to the technical community and CERT community in pursuit of International collaboration. The involvement of the national security organisations can potentially break down in trust, in CERT and technical communities if we were seen as an instrument of state focused competition.
And as a result, it can become very hard to share information, and then collaborate, and remediate the threats such as, you know, botnet or politically motivated hot gang, for example. So the result may be a significant rise in cybersecurity risk level because of the lack of transparency and the collaboration at the technical and, you know, CERT level, operational level.
So I think the involvement of the private sector is ever becoming ever, evermore important than ever, because they are the parties, players, who can do the instant response in realtime and the information gathering in a very agile manner. But the national security competition made it difficult for those organisations to collaborate globally.
So probably my suggestion could be, you know, we should really clearly separate the national security activities and the security operations for the technical cyber ecosystem, Internet ecosystem, which consists of the Internet infrastructure, to be very -- you know, making that infrastructure safer, cleaner, and secure, is very different work. And we should be pretty clearly separating that. And the mixing of those agendas is, I see, big challenges, risks, to breaking into that International collaboration.
>> ROBERT GUERRA: Great. Thank you. I'm going to do one more question to you all, and maybe if there are any questions or comments, and then open it up to everyone.
One thing, there is a common set of issues or concerns that I heard from everyone. So I'll, you know, what I know, with the country, you have major sporting events, one that is in the future. And Cristine you have two of them.
So the question I'll ask everyone is, you all talked about -- maybe you're a little bit different, Yurie, but more in terms of responding to an attack or an incident that took place. What do you see as being in the next six months either because of a vulnerability, what is an emerging event or incident that you see that the community is already starting to organise around, to try to reduce the impact?
>> PATRICK JONES: This is Patrick Jones. You mentioned the upcoming World Cup in Brazil. Before that is the Winter Olympic Games in Russia. And so that's an event that certainly attracts some attention in the potential for cyber attacks.
>> ROBERT GUERRA: So what would be ICANN's role to prepare for that?
>> PATRICK JONES: From a preparation standpoint, there isn't much of a role for ICANN other than to continue what we have always done, which is maintaining open channels of communication through the global operators. So in the case of Brazil, we have quite a bit of regular communication with the teams there. The same with the RU folks in Russia. And that communication collaboration is going to continue.
Another thing that you're going to continue to see is the -- there is interest in technical training and engagement from now all through these events. So one of the things that ICANN does is try to set up DNSSEC training, a basic training for engagement with law enforcement and with policymakers on basic DNS awareness. So trying to raise the level of education of how the Domain Name System is set up, what are the interactions and who are some of the key players that policymakers and law enforcement should be aware of if they do see attacks, if they need to reach out to either of their local ccTLDs or if they need to reach more globally to a registry, registrar, that are outside of the jurisdiction. So making sure that there are open channels of communication.
>> ROBERT GUERRA: So in terms of the Caribbean region, is there something that you see that might be happening over the next six months to a year that the community is preparing against or -- so I'm just curious. Something that you can speak about that you're preparing towards.
>> BEVIL WOODING: No, nothing specifically. I think where things are at simply requires the strengthening of Internet infrastructure, which is happening, the strengthening of the technical community, which is also happening. So you have the proliferation of exchange points, the communication of root servers, and the centralization of that monitoring capability.
Cristine spoke about the formation of more local and movement toward greater cooperation at the regional level. We are also seeing the development of the technical community in that you have the Caribbean network operators, you have work being done by the Caribbean telecommunications union to bring together Government ministers and sensitize them to the need for policy to match pace with the increasing threat. And those are current and ongoing activities.
And around that, you have greater participation for like these, and the Caribbean is taking an increasing role in, number one, being present, to adjusting policy and perspectives as it relates to participation and global formation. I think these steps go well for the region in terms of its capacity to protect its network resource and also in terms of its capacity to contribute toward the global security.
>> ROBERT GUERRA: Okay. Cristine?
>> CRISTINE HOEPERS: Well, as you mentioned the World Cup and the Olympics. And we just had a bit of a taste of what that would be. I think it was a beta test phase for our local regions was the Confederation Cup that happened this year.
One of the things, I think we are in a moment, that we saw the biggest problem was denial of service. And it was not necessarily denial of service against the Confederation Cup, but it was against service of any site that would be in the BR. So it doesn't matter what you were doing, it was just a small city. The countryside, they would just try to take the site off the air. We saw a lot of people claiming hacktivism. But a lot of things that we see, they are just botnets being used, and then someone on Twitter saying okay. Let's do it. And what we would see is really not people doing that.
So from our perspective, we are in a very interesting time. Because the past events, talking to people from Canada for the Winter Olympic Games or Germany, the World Cup, or even Africa, they didn't have this whole momentum of hacktivism going on. But denial of service was big. And we saw this is going on now.
And talking about cooperation, I think just adding to what Yurie said, we in Brazil are also very worried about having all of this thing about national security, intelligence community and CERTs, and some countries mixing it up. And I think happily in Brazil, things are getting very separated. CERTBR is tied to a not-for-profit. And we think about critical Internet infrastructure for the country. There is a Government CERT that is taking care of Government networks, and we just had created two years ago, in Brazil, the Cyber Defense Centre that is taking a toll more on International security. For the major events for the World Cup, we are working in concert, we are having monthly meetings because we are in different cities. So we actually made some arrangements to separate work and to try to help every team to do something different for us, to achieve a goal.
The cooperation among ourselves is really working well, and I think some of the challenges are really like some players in the private sector. There is not -- it's not very clear for them what is cooperation, what is paying or charging for services, and what would be something in the middle among like helping teams during a major event, and not mixing that up with services they provide as a service provider.
So I think that is a little bit mixed, but we are doing a lot. We are cooperating and sharing resources and actually sharing and breaking up the work among the three major teams that we have in Brazil.
And I think that actually enhances a lot of our cooperation. But we still compartmentalize a lot of information that only the Cyber Defense Centre needs to know. We don't actually just jump into each other's area of work. So I think that is something that is working pretty well in Brazil right now.
>> ROBERT GUERRA: Thank you so much. Yurie?
>> YURIE ITO: So we haven't had the Olympics yet, but I'm sure we will have a significant preparation and try to make it ready. We have to raise the readiness level for that big event.
But I can probably share we experience -- not through this, you know, event, this type of big event, but we experience some large DDOS against, you know, Government and critical service providers with political motivation over the, you know, sensitive -- you know, political sensitive issues sometimes trigger a large DDOS attack against a country.
And then that time, it is always very useful to have a trust point of contact to the others. I can share some of the collaborative agreements between Japan and Korea and China, which we experience a lot of hacking activities between three countries, triggered by the political sensitive event.
And that time we will make sure the CERT point of contact, the technical point of contact is going to be always connected, even through the difficult political times. We are always there and providing a very stable communication path. So that really contributes as a part of the confidence building measures for a political policy layers. They even, you know, have a difficult time to communicate with each other, the technical communities are always connected.
And also, when a technical community cannot handle the problem anymore, we make sure that we have an escalation path within each country, so that the policy layer can work when we need them to start collaborating in the diplomat level or the policy level. So that type of collaboration arrangement is a very useful response to attackers.
>> ROBERT GUERRA: Great. So before I go to the floor, I'll ask Ron Deibert to respond to some of the comments. And one thing that we haven't heard so much is maybe the research community or the kind of NGO aspect, a taste of this. So if you can make a couple comments and then I'll open it to the floor.
>> RON: Thank you, Robert and everyone, for the interesting comments. I have a couple of reactions. The first is, as Robert mentioned, Citizen Lab is a research organisation. We are independent of private companies and Governments. We try to remain impartial. And one of our major focuses is precisely on information controls around major events. This is a new area of activity for us. We put together a concept note that is meant to be a framework for our research moving forward, and I'd be certainly willing to share that with some of the people on this panel and others in the room, because we would greatly benefit by your insights and information and data that you might be able to share with us around events coming forward.
We also just released this morning a post that is meant to be a framing post of information controls during the IGF here in Bali. And so we broke it down into a number of forthcoming posts. We are looking at this event, Internet Governance Forum, it's unlikely that there will be major attacks or disruptions during this time of event. You never know, and so we are using it as a litmus case.
One of the things we do in terms of looking at events and information issues and disruptions around events and how we define controls, it's not just DDOS. It sounds like most of you are concerned primarily with DDOS. For example, we are concerned also with surveillance and content filtering. So during major events like the Olympics, like the World Cup, you often have a ratcheting up.
In terms of Sochi, we have had a lot of things that we have done with the Russian Government and things published in the Guardian, looking at Sochi surveillance by design, which we feel probably would be exported to other areas, like the World Cups and Olympics, and so on. But you have around events probably a greater chance of targeted malware attacks, targeting specific individuals.
So I'm wondering if the panelists are interested in or have optics into attacks other than DDOS. Or if you're interested in things like content filtering around events. Because, again, during events you might have either a loosening of Internet filtering. Or as I think is a requirement of the IGF, in the hosting agreement, the country has to provide unfiltered access. So the connection we're getting from this room right now is different than what the average Indonesian gets through Indonesian telecom, with the filtering requirements put in place.
The second set of questions I have is slightly different. I'm really interested in what Yurie said about national security interests, interventions becoming a major challenge for the type of cooperation that goes on around CERTs and other actors, when it comes to remediating cybercrime and other issues. I'm wondering if you could elaborate a bit, you and others on the panel, what specific challenges that presents and how we might go about insulating, if that is even desirable, the type of informal networks of collaboration and cooperation that go on from those national security interests. Is it even possible? If so, how do we go about doing that?
>> ROBERT GUERRA: A great set of questions. Maybe I'll start with you and go towards this way. So...
>> YURIE ITO: So I think I mentioned a little bit in my, you know, remarks. But I think the separation of the national security, you know, activities on the cyberspace and a work to making technically the Internet ecosystem cleaner and safer, for more focusing on the reduction type of activity should be separated.
And, you know, there should be some collaboration, but to pursue the International collaboration I think it actually helps that the community is separated.
I also think that sort of the -- maybe, you know, I can share how we overcome these challenges at the APCERT. I'm Chairing the Asia Pacific regional community in the Asia Pacific, and that's called APCERT. And those -- we actually changed that challenge to an opportunity. And how we did it is first of all we provided -- we will turn our mission from the security to regional risk reduction. So first of all we have very common goals that we can share among all the members for beneficial, mutual beneficial benefit for all the parties using -- in cyberspace in Asia Pacific in long-term, which is making the Internet, making the cyberspace cleaner. Which is meaning not content wise but the ecosystems in terms of infrastructure, making them healthier and cleaner. Removing botnets. Cleaning up malware and removing botnets. Those are the very first steps that we can, you know, collaborate quickly. And that's beneficial for all. And having that type of common goal is to make it really easy to start working and develop trust where there is little trust. So providing a point of contact is part of the confidence building measure, changing that challenge to an opportunity. Changing that mindset from the security to regional risk reduction. Finding the common goals, that's probably the successful, you know, factor that we made our community work very closely together now.
>> ROBERT GUERRA: Thank you. Cristine?
>> CRISTINE HOEPERS: Well, just piling on what Yurie said, and then moving to your remarks on the World Cup and some content wise, but one of the things that there has been a lot of discussion in several CERT forums is really how the change in some of the CERTs affiliation is being affected, some of the trust of the information that we're sharing. We had a few countries where the national teams were moved inside the intelligence community. So the first reaction is really, okay, we're not sharing information that openly anymore, because we don't know where that information is going and what it's being used for.
So I think this is one very tangible example of how separating national security from technical challenges and from really taking the Internet to a safer place is a difference.
In talking about like the World Cup and the Confederation Cup and other cups, targeted malware attacks, it's basically our daily thing that we are doing, we deal with that. Normally we have had some of those attacks during the Confederation Cup, we will probably have more of those attacks, and actually dealing with them was easier than dealing with DDOS. I think this is why I put DDOS as one of the examples. Because actually, it was easy. In five minutes we shut down the Web server that was hosting the malware and then we gave that information to one of the teams that was doing the malware analysis, and that is based more into end-user awareness and especially high level users and managers and other people. So I think that all depends on the countries.
And talking about content filters, that is not on our radar, because in Brazil, all the Internet is in the private sector. That is not going to change for the World Cup. It's not going to be an Internet provided by Government, not administered by the Government. We will have a bidding, and the telecommunication company that wins will do the security. So none of the CERTs will be doing onsite security. We would be doing response. And not the defense centre or the Government CERT would not even have access to what is there.
So basically it's the policy of the telecommunication company that is going to have this. In Brazil, there is no content filtering working now and there is no plans of having that in the future. And not even for the World Cup. That is a challenge, because probably if you have one infected machine that would be propagating, you have problems with malware. But then we go to the whole thing that I said in the beginning, that's really how to deal with end-users, how do we deal with end-user devices, how to stop malware being so easy to deploy and easy to install.
CERTs can work into the remediation part. The software industry should be working on having more resilient software. And then we can open a new can of worms on how to open the software industry. But I think we are doing what we can to help systems be detected and rapidly when they are infected and how to remediate, to disinfect, and to do something. And for sure for the World Cup that would be a challenge. Because everyone would be with a device. And then we will have a connectivity problem. You have a stadium with 90,000 people inside and everyone wants to put up an Instagram or put something on Facebook. So that is one of the challenges that the people with connectivity is having.
And on the other side, there is really no infrastructure to do that and to make that work. So that's another challenge not from the security perspective, but for the networking perspective.
>> ROBERT GUERRA: Thank you.
>> BEVIL WOODING: I just wanted to make a comment on taking up on the surveillance issue, because of course it's getting a lot of attention, particularly from organisations and Governments that are curious to find out if they are being surveyed.
And I agree it's one of the cyber threats that is being faced in the region. The question, though, that is yet to be answered is how can we know if we're being surveilled? And if so, to what extent and in which areas?
The interesting follow-up from that question being asked repeatedly over the last few months has been a far greater attention and interest by Government in the underpinnings of the Internet infrastructure in the region, which is a good thing. It has brought much greater interest on investment and what does it take to protect our national infrastructure and what does it take to ensure that there is not unauthorized surveillance on the networks. I just wanted to mention that as a significant beneficial fallout from the current surveillance issue.
>> ROBERT GUERRA: Thank you. Patrick and then we will open it up to the floor.
>> PATRICK JONES: So if you're trying to hold up a success of the multisystem and the IGF as an example of the technical community coming together with different communities, the coordination and the collaboration that is done on -- in response to cyber threats and regular attacks is one that is -- it's a good story for this community to be bringing to Governments and bringing to policymakers. It's the strong point of this multi-stakeholder transnational process is that it brings together diverse groups that can share information and address challenges collectively better than groups can do on their own. And that's one of the things that, you know, we have seen at ICANN. We have been trying to talk quite a bit about thinking of security in a different context.
Looking at it from a perspective of how can we use this multi-stakeholder process to foster a healthy stable, sustainable, resilient Internet ecosystem. And this collaboration and the risk reduction example that Yurie mentioned, it just highlights how this model can bring together groups to do just that.
>> ROBERT GUERRA: Great. Thank you. So just a moment before I open it up to the floor, what I'm going to do is I'll take a couple of questions and comments at a time. And then have the panel react.
As you're formulating a question, I'd ask that you do one thing before you get to your question, is in your point of view, what is an emerging threat that is of interest to you? And then after you stated that, you know, please post your -- you know, ask your question or your comment.
So are there any folks that wish to -- so we have one, two, do I have a third somewhere? Three, four. Well, just -- I just want to go around the room. So we had one. We had two. And then we had three. And then we will get another three. And then I'll go back. So please, sir. So I'd ask your name, organisation, country, what you see as an emerging threat and then a question or comment for the panel. Thank you.
>> Hello there. My name is Jonas from Finland. So yes, an NGO.
I have a more individual approach here. A lot of the cybersecurity talks are about very large issues, such as denial of services or stopping or cracking financial services or governmental services. But a very emergent issue has been, for example, this year, several hackers have shown that medical apparel, for example, pacemakers or insulin pumps or other medical equipment, are in the threat of being hacked or cracked or broken. And this is something that could now, or in the future, actually take individual lives at risk. So are you aware of people or Governments or your organisation actually preparing for any sort of attacks like this, instead of the very common and classic and usual DDOS and so on?
>> ROBERT GUERRA: So hold that, and we will go to number two, please. Again, identify yourself. What you see as an emerging issue and a comment or question to the panel.
>> AUDIENCE: Sovester Vino from the Secure and French, but it's a U.S. Company.
I guess it's an ongoing threat more than an emerging threat. We see more and more issues happening because of the lack of follow-up from concerned organisations and companies, like domain names that are not renewed or that are -- that have been secured through arbitration but not activated, or certificates that are active but link to a bad domain name.
So my question, someone before mentioned, I think it's Patrick, mentioned the importance of education. I'd like to ask the panel, very closer to home, the most basic issue of the user not taking the appropriate action when it's available. Do you do something about that? Do you see that as a pattern in your country? Before, attacking DDOS and botnets more often than not, the issue is a very single IT person with a computer and not taking the right action.
>> AUDIENCE: I'm Gitri from the Southeast Press and Alliance, but from Malaysia.
I'm curious about the thing that Patrick mentioned. The attack in Malaysia. Can you share the Government response to that attack?
But I think while it's true that there are so many other levels of attack, but I think within Southeast Asia, the DDOS is one of the big ones, particularly with the media. Those that are independent media, smaller outlets, are the ones that actually have rather good critical views. And we see that happening sort of on a regular basis. Always timed with key events, elections or conflicts. So I think that is an area that we have to have a lot of attention on how to actually work with the media. But I'm just curious about the Malaysian case.
>> ROBERT GUERRA: Before we get to the panel, I wanted reference. I think it was -- I don't know if it was the New York Times or the Washington Post over the last few days, this whole issue of -- I think it was a TV episode of a TV series called "Homeland" where the Vice President gets killed because someone turns off his pacemaker. And then Dick Cheney, the former Vice President, said he had the wireless functionality in his pacemaker turned off, because he felt it was possible. So it's something that is real. So it's an interesting question.
And then I'll ask the rest to talk about kind of the issues of the user and the problems with follow-up. And I guess getting to your point, something that may have happened, and I'll make sure that the people answer your question, but I'd be interested also in hearing from the panel in terms of collaboration that may be taking place between the different technical communities or maybe the companies to help less resourced actors, like NGOs, who do not have a sophisticated and robust DDOS mediation strategy or technical capacity.
So I'd be interested to hear I'm not sure whoever from the panel. Patrick, maybe you want to go first and then the others, maybe we will get another two who want to comment. So please, go ahead.
>> PATRICK JONES: Sure. I don't have a specific comment in mind.
And the network can be exploited in a way that it enables that attack. Maybe go around the table.
>> ROBERT GUERRA: Anyone else, please?
>> CRISTINE HOEPERS: Actually, I have a comment on the personal thing. The major problem is what I mentioned as the resilience and actually the maturity of the software industry. Because if you think, everything -- even a pacemaker -- that is software. And the software was developed not considering the environment where it would be running. It's really just considering what would be the desired outcome. How it would function in assuming that anyone connecting to that device would be with benign intentions.
So this is one problem when we talk about security software and the lifecycle development, this is a need. No University in the world is actually teaching that. Most of the universities, they are still in the old lifecycle model.
When you have something, you have like less discipline. And last year they talked about security or software development. But unless we have a big change in how we teach new developers and how industry pays attention to security, and that really goes to economies and having people to demand more secure software and demand more secure devices. And even if you have something old, it's WiFi, but it's only connected. Okay. But someone is next to him, probably no one thought about having a secure device or having a log-in or whatever. Because they assume that -- who would be crazy to make a pacemaker stop working? So it's really kind of a mindset of the whole industry.
And in talking about this and just mentioning, when we were talking about security, she mentioned a bit about certificates, I think that is, you know, a time bomb that is there, the whole PKIMS whole infrastructure. Because it's really based on trust. And when you have such a big number of certificate authorities that are trusted by the browsers and all the devices, we have seen, and I think it's just a disaster waiting to happen. Because we already had major problems with DigiNotar, which was a major case. But then we have other certificate authorities that were hacked. We have malwares today that actually use stolen certificates.
So it's really -- we have been putting a lot of trust in an infrastructure that is basically broken right now. So we have to think about that in the future.
So it's one of the emerging threats. I think it's one of the later threats that is there. No one wants to look at it because it's too difficult. There are some proposals about using DNSSEC together with SSL to make it more strong, to make everyone to be able to have two ways of certifying that a certificate is okay. It's a little bit technical to tell you, but it's also a problem for the future.
And one of the things that I think will tie -- I'm going to talk more I think in the last panel on Thursday, but when we are talking about DDOS attacks here, we are talking about effects. But if we need to think about why they are happening and they're being so effective, it's because it is way too easy to make a really big denial of service attack these days. It's easy because we have too many vulnerable devices being affected by malware and too many poorly constructed networks to be able to not amplify attacks. So really every network, ISP and every company have to configure their systems so they are not abused and to try to get the devices more secure. It's not easy. Everyone has to teach their grandmother, mother or whatever, or aunt, or even the children to -- you know, you have to do this and you have to install a patch.
I just want to use it. I don't want to be with all of this hassle. So I think this is really a challenge for the future.
>> ROBERT GUERRA: So maybe I'll take another -- did you want to --
>> CHRIS BOYER: I want to make a comment on the medical devices. And really what folks are talking about there is what is called the Internet of Things or M2M type services. So medical devices are one example, but other things are connected cars or connected power in your house, the refrigerator and other things. Just to offer an industry perspective on that. There is a lot of work being done in the industry to try to develop standards to try to secure that. Some of the vulnerabilities you are seeing are the nature of new services rolling out and some things just happen in a new environment like that.
But speaking for industry, I think that there is a lot of activity to try to ensure that that market can grow. And I think security becomes kind of -- really becomes a stake in the ground. People are not going to adopt those services if they don't show some level of security.
So a lot of companies are working their groups, one M2M just started last year. My company is a member of that. But there are 130 companies focusing on M2M standards, not only on security but across the board. When I think about that, there are multiple aspects. You have security at the device layer. How do you secure the device layer? The transport layer between the device and the network? Then you have the Cloud, how do you secure the application that resides in the Cloud? So there are people working on Cloud standards. So there is a lot of activity on in the industry to come up with standards on security and other aspects of M2M.
>> ROBERT GUERRA: Great. Thanks. And before that, I just wanted to check, before we do that, this session is also being live streamed, so I'm just curious, are there any comments from the virtual participants? Is anyone able to tell me? Please.
>> CHRIS BOYER: So I was looking at the Web stream but I didn't see anybody.
>> ROBERT GUERRA: 3 to 5. So we have got one, two, and then three. So please. Sorry.
Do you want to make a comment now? Please?
>> YURIE ITO: You're mentioning industry efforts on the control system and medical devices and device level. I agree. I see that from the CERT perspective. We start handling the vulnerabilities on the healthcare and medical devices as well. We are working with the vendors in industry.
We talked a bit about the individual and IT systems, you know, sort of the minimum, one on one cyberhygiene, improving the level of the, you know, cyberhygiene. I think that's important. And you know to really encourage that, I think the important thing is we start, you know, we start working with the people's mindsets changing from, you know, you are updating your operation system not just because it's protecting you, but -- not to be a part of the preventing yourself to be a part of the attacking infrastructure. So in a health scare model, you're washing your hands not to get Flu, but at the same time you know you are washing hands not to spread the Flu to the others.
So that is the same sort of mindset. You know what we're doing is not only your security, but the others. You know, we are all connected. So that type of mindset probably is important.
And the last point to Ron, how to look at multi-stakeholder collaboration. One of the things that we don't have, that we're missing at the cybersecurity in pursuing the goals, is that we don't have a strong data source to, you know, robust enough and cross comparable to develop the statistics to measure the cybersecurity risk globally and nationally. And I think that's, you know, very important and central for these metrics and the risk measurement. These are essential for the policymakers to evaluate the potential security approaches, and also for the technical community. You know, it's useful to prioritize the challenges, and there is a very limited resource that the community has.
So I think these are something that we need to look and can learn from other International collaborations, such as like public healthcare domains, how they are using the layers of metrics to drive the policy and drive the International collaboration? I think we can learn a lot.
>> ROBERT GUERRA: Great. Thank you so very much. So there was 1, 3, and where is 2? So please, go ahead.
>> Thank you very much. I'm Dennis Broeders from the Netherlands. I work for scientific accounts for Government policy and also work in Rotterdam Erasmus University. I have a question for Yurie Ito but also for other people on the panel to invite them to respond. I really like the point that you made about separating your agenda for what you call safeguarding the technical ecosystem and on the other hand the issue of national security.
And I have two questions about that. One, what do you think is the trend? What do you see? Because usually when people talk about national security, things tend to expand and things tend to get sucked into what is called national security. So what do you see is the trend?
And the other thing that is interesting is that this interacts with trust. So whose trust and what do you see happening there? And also, yes, could you give us an indication where do you see trust waning or changing?
And maybe one small note on a bigger note. People know I'm from the Netherlands. When I speak to people in the cybersecurity community in the Netherlands, they are now talking about certificates as a vital infrastructure. So they are changing sort of the perspective, with the thing in the background. Who knew, and who thought this would be a vital infrastructure, but apparently it is. That's just a comment.
>> ROBERT GUERRA: Let's hold on to answer. So number two, please?
>> I'm Dr. John Selby from Australia. I'm in the academic community. My emerging threat, it relates to the change in the motivation by security researchers, which has emerged. Historically they would report it to the developer of the software, but we have seen the rise of brokers who are now offering significant amount of money funded by national security agencies, other times by criminal organisations, to those security researchers in return for handing over the exploit and on selling it rather than reporting it. So I'm interested in how you're dealing with the emergence of these brokers, and whether you see if their activities have impact upon your organisations.
>> ROBERT GUERRA: That's a great question. Thank you.
>> Alex Carninas, Civil Society. I'm from the Association for Progress in Communications as well as academic and from the University of Giessen Germany. I'm asking this question with the citizen hat, the all income stakeholder group. I like how Yurie Ito fleshed out the dynamics between national security and what happens, as was pointed out by the previous gentleman. So thank you for pointing out the dynamics of safeguarding the Internet and national security.
I'm concerned about when cybersecurity issues become securitized and move up in importance, become national securities. I'm concerned whether Civil Society is there. I'm concerned about the militarization of cyberspace. Recently the Japanese Government declared cyberspace a military domain. And there has been also a development, well I read this in some reports, of a defensive malware, which sounds like an oxymoron to me.
I'm just wondering what you think that does to the relationship between safeguarding the infrastructure of the Internet and national security and trust, whether this is going to be good or bad.
>> ROBERT GUERRA: So we had the three questions. I'll let you maybe start, because a lot of them were focused to you. And then if the other panelists wish to comment or respond, please let me know after Yurie is done.
>> YURIE ITO: Thank you. I think the trend is yes, a lot of national CERTs -- I mean the cybersecurity is becoming a major issue in national security issues. So that is -- so naturally the national CERTs were supplanted, the Government. So that's -- there are certainly trends there.
The trust between the CERT and the technical community was that you share the information, you know, vulnerability, threat characteristics, you know, attack characteristics, and then, you know, trusting that is going to be used for securing the infrastructure. And the coordination is really to make the network working globally.
But now if you are seeing, you know, what you are sharing is going to use for a military perspective or a security focused, national security focused activities, then it is making CERT to collaborate that information easily. So that is the breaking trust part that we have worried about.
Nationalization is a hard part. I think that really signifies the cyberspace. But we can't really stop it. At the moment, it's out there. It's starting, so from the CERT community what we can do is at least provide a trusted stable point of contact for instant response or even a crisis response point of contact, to actually, you know, contribute to -- for the risk reduction to the region.
>> ROBERT GUERRA: Any other of the panelists? Anyone else? Do you want to comment? Cristine and --
>> CRISTINE HOEPERS: You mentioned the DigiNotar case since the beginning. Every year we go to the later, to the former CSC conference. And this year we invited Art Yohan to present. He was a keynote about the DigiNotar case. One of the people in the Netherlands did not think about the certificate as being critical. People don't know how it works, and people don't realise that they are putting all the eggs in one basket. So what is happening, as I said, the whole digital certificate area, it's just a disaster waiting to happen. It's because nobody understands how easy it is these days to have or to steal a certificate or to issue a digital certificate or a certificate of authority, and how that would impact all the eGovernment services, all the commercial services and everything else.
And I think the Netherlands was a big case, because the whole society really uses the Internet and uses the information.
So this is one of the points, the Convention needs to move forward not to really rely on only one technology for security. I think this is the major problem. A lot of people from the technical community, myself, I gave a lot of speeches to people. I said we just need to use digital certificates and they will be secured, and they said no. In Brazil, we were using this because they put into the legislature that they have to use digital certificates as the only trust. And we said that is stupid. Thank god that law didn't pass. And we have a lot of problems with all the technologies.
And another issue, not only with the national security, it's just that most people don't really understand how things work on the Internet. They come up with like bad ideas for legislation, bad ideas for whatever you can imagine, because they relate to the day-to-day world and it's not exactly the same. There is no easy metaphor for our world today and how things would apply to the Internet. And we have been dealing a lot with the Brazilian Congress and Brazilian legislation and everything. And basically, that is probably happening on all countries. Because suddenly the governments and the society, they realise that the Internet is too critical. And we are depending on the Internet for eCommerce and Government services, and nobody paid attention to security. So there is a lot of over reaction to that.
And that is the point that can be a little bit dangerous. Because then the first idea that comes up, it's just taken as the best idea that would be.
So I think for anyone that wants to learn more, like the reports from DigiNotar are open. And I think that is one of the things with the DigiNotar case. It's open. It's a case that anyone can study. It's not like the other cases that are secret, that people are just putting under the rug, just not to talk about it. Because the problem is too big for us to talk about it.
And just as a comment for the cyberwar. A thing that came up, and I really see as we are seeing the criminal -- the organised crime going for the Internet. Everybody is using the Internet. So of course it's -- if Internet is so important, it just goes to be a war area or something to be used for war, like you have any other thing with space, the sea, the land, and whatever.
And so I think this is very new, and it's just like -- you also have like this ripple effect. That one country said it's doing something, and other countries say okay, we have to do it. We can't be the ones that are not doing it.
So I'm still waiting. I hope it doesn't go to that length. But I think something that we probably have to deal with in the future with that, and we are seeing a lot of gossip about like the zero day market, that actually we have Governments buying zero days to create as a weapon cache. So things are just coming up, and it's really one of the challenges that is going back. If we have software that is that vulnerable, you have zero days coming up. And now you have a financial incentive for people to do that. People are selling. And you have the market going on. And it's a very interesting thing to observe in the next few years. And I would urge everyone here that has contact, who have contact with people who are dealing with these decisions, to provide background and sound information and some advice, you know, what are the dangers of going one way or the other, and really what is possible or not.
So... that's it.
>> PATRICK JONES: Yes. I wanted to go back to the Malaysia question. We didn't have time to get to it earlier.
I do know that the attack against the MY.Nic, the operators of the ccTLD, they were quick to talk to the brand owners who were defaced. So Google, Yahoo. It's the same group that tends to be targeted in many of these hackings. So those groups were in quite close collaboration with My.Nic and weren't able to have the websites reversed back into the previous condition very quickly. It would be good to know what level of coordination the operators have with the Government. But I don't know. That's -- that's for the ccTLD. So I don't know if that gives you a place to go look, but -- I just wanted to come back and answer that.
On the DigiNotar example, this is a good example of the certificate authority forum. The groups that are sort of a convening function for the certificate authority issues are starting to wake up to their role in the ecosystem. We have had representatives from the CA browser forum come to ICANN meetings recently. They have become a lot more active in policy development, or at least providing input.
So we are seeing strong, from the technical standpoint of where I sit, collaboration and engagement with those folks is increasing, and that's good.
I'll leave it.
>> ROBERT GUERRA: So, Ron, you wanted to comment?
>> RON: Just a comment actually. And it comes from -- my background, I'm an International relations professor. And I'm struck just listening to the observations that are being made here about some of the trends. That we're seeing a dynamic that would be predictable to international relations theorists like myself, known as the security dilemma logic. So as cyberspace is becoming securitized, it's becoming more and more critical to everything that we do. Obviously it's become a national security issue.
But what we are seeing, perhaps an unintended consequence of that is exactly what is being described here. Trust is being eroded in this what I would call an epistemic community that used to operate in a fluid manner without much formal accountability between engineers, law enforcement, sometimes even national security.
Well, now national security issues are more important, that trust is breaking down. Trust is breaking is the way you described that. I think it's very potent. And of course it is. Because CERTs are being drawn into national security interests and dynamics, and this is eroding that community. And it's also being compounded by an arms race in cyberspace as Governments stand up, as Alex just described about Japan, it's happening all over the place. And that's feeding into and being buttressed by this market for zero day attacks and products and services that provide the very things that we are trying to protect against. Which if you look at them, it's the commercialization of cybercrime trade. It's now being packaged in brochures and sold to Governments. The very things that you are trying to work against, your own Governments are purchasing and using against your networks that you're trying to protect. So we have an arms race dynamically, Internationally.
In many ways we have to look at the situation in the '50s, and when people predicted that there would be dozens of Governments that would have nuclear weapons. But that didn't pan out and the reason it didn't pan out is because of the efforts of the broad arms control regime. People don't like to talk about arms control in cyberspace. Usually it's dismissed because information code can't be controlled in the same manner that traditional weapons can be. But I think we need to revisit that argument and look at arms control regimes in terms of controlling behavior. In some cases, controlling companies. We can regulate some of the zero day market much more effectively than is being done now.
And I think that really needs to be explored, unless we are going to see this whole thing lead into a greater whole of bulkization.
If you have seen the post that we put up about the controls in Indonesia, we found FinSpy, one of the products that we are talking about here in Indonesia.
>> ROBERT GUERRA: So with questions from the audience and with a little over five minutes left, I think what I'll do is I'll have maybe a set of questions for the panel to answer as a way to wrap up.
And it will segue well in terms of what you just mentioned, Ron. So it's two questions. But it's a question plus.
So my two questions are: What do you see the role of either regulations or frameworks to help the issues of emerging cybersecurity threats. That's number one.
Second, if you could make two recommendations to stakeholders at IGF -- I wouldn't say recommendations to the IGF, because the IGF is not supposed to produce recommendations. So it's recommendations to the stakeholders. And you can pick whether it's one or all of them.
So what do you envision, Regulation frameworks, would that be helpful? And two recommendations that you maybe have mentioned already or that you would like to make to the community that is here and the larger IGF.
I will start with you, Patrick.
>> PATRICK JONES: Sure. So I don't have observations on Regulation frameworks, because I don't think it's helpful to try to regulate to a particular technology, when the rapid pace of change may make those Regulations, you know, moot.
So what I'd rather do is give some feedback to stakeholders at the IGF. So earlier I said if you're looking for a model, an example of how the multi-stakeholder model works effectively, the types of collaboration that is being done to address cybersecurity threats, it's a really good example to explain to your Government or to regulators, policymakers, that if you want to see how the multi-stakeholder model can work, see how the groups are getting together to address the cybersecurity challenges and threats of the day.
>> ROBERT GUERRA: Thank you. Please.
>> BEVIL WOODING: On the matter of the Regulation, I would be more inclined to look at general best practices being promoted within country and within regions, as opposed to out and out Regulation.
As relates to the recommendations, I think a model can only help. And the more the issues are ventilated, the better chance of an opportunity to understand the complex issues that are at play as relates to cybersecurity threats.
>> CRISTINE HOEPERS: Well, from all the attempts of Regulation and control that I've seen, all of them were completely unaware of how the Internet works. And that really it would be impossible to do it. So I think it really goes to implement best practices. And the best practices are out there. And most of them are easy to adopt, but they don't necessarily have a very quick impact on the organisation adopting it.
And I think this is what is making these best practices not widely adopted. So it's really to move to a point that everyone is doing their own part.
And if I would make some recommendations to the stakeholders, I think the first one is there is no single organisation, single team, single CERT that would be able to make any improvement alone. What we really need is to have teams, policymakers, and all the sectors in every country in this society aware of the problems and aware of their own roles to make that better and to make the situation better. And to improve cooperation where possible and as much as possible, being that small groups cooperating in a sector and then having someone to be -- like someone to bridge those sectors. And there were a lot of those small examples.
So... it would be good to look at those examples, talk to some people that are doing it -- making a difference. And spread that word that we need to have all sectors involved and then talking to each other and create a model that will work. I think there is no model created yet.
The CERT community is doing a lot of work, but that is only one piece of the puzzle. We need more people involved and more cooperation.
>> YURIE ITO: I agree with a lot of what Cristine said. So very simply, my recommendation to the stakeholder is treat the cybersecurity as a part of improving the global environment. Not -- moving away from the security mindset to a more global environment improvement type of mindset. Then we can work together. Really.
>> ROBERT GUERRA: With that, there is -- I'll yield a minute back to all of you. I'd like to thank first of all the panelists for a very engaging session this morning. All of you for some probing questions. For those of you in the audience for coming and picking this session as the first one. Thank you all.
And I hope to continue the conversation. Please feel free to speak with others, the hashtag is IGF2013, and if you're on Twitter. If not, I hope you have a very productive conference.
(End of session, 10:30)