I'm giving a talk in a few months about Internet Governance and Security.  A useful way to organize this topic (with many thanks to Steve Crocker) might be to look at different categories of internet security threats and try to figure out who deals with them. 

The bottom line seems to be (1) that there aren't many governance structures that exist as forums for the discussion of security issues and (2) that most of the money looks backward instead of forward.  (ICANN's role in internet security is very limited -- it works on the DNS and IP address coordination only.  The root list changes on average once every two days, and there are hundreds of copies of it around the world, so it's not a high-risk operation.)

There are infrastructure issues -- lines, switches, physical assets.  These are handled pretty well by individual companies who build in redundancy.  When the World Trade Center buildings collapsed, IM conversations around the world continued even though there were plenty of communications lines that were severed.

There are potential issues with hostile acts that cause packets to be deliberately addressed in ways that disrupt the routing fabric of the internet.  There isn't a single natural forum for these issues, as I understand it, but network operators and ISPs around the world worry about routing.  And building into each router authentication methods for all source and destination addresses would add enormous computational weight and delays.  There is likely a role for ISPs to check at the point of entry into their networks whether the source address for a given packet is authentic, but I'm not sure whether that can be more than a suggested best practice.  This should probably be a focus of attention -- but in what forum?
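
The point-of-entry check described above, as an added example that is not part of the original post: each customer-facing port accepts only packets whose source address falls inside the prefixes assigned to that customer (the practice documented as BCP 38), so the cost is one prefix lookup at the edge rather than authentication in every router. The port names, prefixes and packets are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample data: customer-facing ports and the prefixes assigned
# to the customer behind each one (documentation address ranges).
ASSIGNED = {
    "cust-a": ["192.0.2.0/24", "2001:db8:a::/48"],
    "cust-b": ["198.51.100.0/25"],
}
PREFIXES = {port: [ipaddress.ip_network(p) for p in nets]
            for port, nets in ASSIGNED.items()}


def check_ingress(port, src):
    """Return (accept, reason) for a packet arriving on an edge port."""
    nets = PREFIXES.get(port)
    if nets is None:
        return False, "unknown-port"
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False, "malformed-source"
    # Only compare against assigned networks of the same IP version.
    if any(addr.version == n.version and addr in n for n in nets):
        return True, "source-in-assigned-prefix"
    return False, "source-outside-assigned-prefix"


def summarise(packets):
    """Count dropped packets per (port, reason) for operator review."""
    drops = Counter()
    for port, src in packets:
        ok, reason = check_ingress(port, src)
        if not ok:
            drops[(port, reason)] += 1
    return drops


# Constructed packets: (arrival port, claimed source address).
SAMPLE = [
    ("cust-a", "192.0.2.17"),      # inside cust-a's IPv4 prefix
    ("cust-a", "198.51.100.9"),    # cust-b's space claimed on cust-a's port
    ("cust-b", "198.51.100.200"),  # outside the /25 assigned to cust-b
    ("cust-a", "2001:db8:a::1"),   # inside cust-a's IPv6 prefix
    ("cust-b", "203.0.113.5"),     # unrelated address space
    ("cust-b", "not-an-address"),  # malformed source field
]

if __name__ == "__main__":
    for key, count in sorted(summarise(SAMPLE).items()):
        print(key, count)
```

The check only works at the edge, where the ISP knows which prefixes belong behind each port; a transit router in the middle of the network has no such table to consult.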

There are issues about denial of service attacks, but it's not clear how to tell a denial of service attack from traffic experienced by a popular web site.  I know CERT is out there, but I don't think it agitates for changes in practices.

So -- what needs to be governed?  There's a vast landscape of interactions out there. ICANN works on a small subset of these interactions, but comes in for a lot of attention because it's the only barn standing in that landscape. When it comes to the "governance" part of this topic, it seems as if there could be encouragement of forums for discussion of particular issues -- like routing -- that don't fall into any natural discussion place. 

The intersection between network neutrality and internet security is interesting.  I think ISPs should be able/encouraged to look for viruses, trojan horses, DDoS attacks, and routing mischief.  Arguably, this kind of inspection is part of transport -- inspecting for "content" isn't. 

But it is true that the distance between content and security can be defined out of existence.  For example, if DOJ feels that in order to achieve true CALEA surveillance capacity it has to work with vertically integrated, constantly-inspecting broadband providers that allow only a subset of "approved services" to cross their networks, I suppose it would oppose network neutrality. That seems like a shortsighted approach to me -- as I've argued in the past, there are much better ways for law enforcement to get the information it needs.

Network neutrality advocates will need to figure out how neutrality intersects with security.  My own view is that there isn't a conflict between these two values.