Authors: Peter W. Singer, Allan Friedman

Cybersecurity and Cyberwar (6 page)

The operations of the Internet require independent actors to follow basic rules that guarantee interoperability, known as standards. This standards-based approach goes back to the beginning of the Internet, when the engineers building the initial systems published Requests For Comments (RFCs) to seek feedback on proposed standards. Over time, this group of network engineers and researchers grew into an international, voluntary standards organization called the Internet Engineering Task Force (IETF). The IETF develops new Internet standards and protocols and modifies existing ones for better performance. Everything developed by the IETF falls under specific working groups that concentrate on areas like routing, applications, and infrastructure. These groups are open forums that work mostly through mailing lists, and anyone is welcome to participate. Many of the individuals in them are from large technology firms, but no one actor or small party can steamroll the process, which relies on consensus.

Openness, and even a sense of whimsy, is critical to the culture of the IETF. In some working group meetings, the members decide on an issue by humming for or against a proposal. The proposal with the loudest hum advantage wins. While it sounds a bit silly, it is seen as a way of maintaining the original Internet creators' ethic of fostering consensus and reaching decisions relatively quickly. The volume of the humming also helps maintain a level of anonymity, unless you abuse the system: That is, you can hum or not without opening your mouth, but it's hard to hum louder to dominate a vote without being too obvious about it, which would cause backlash.

Despite the sense of fun that can drive working group members, security is a principal concern in the system. In addition to working groups focused on particular security issues, every proposed standard must have an explicit “Security Considerations” section. Additionally, a security directorate reviews all proposed standards passed from the working groups to the Steering Group.

While the IETF has no official board or formal leadership, the Internet Engineering Steering Group (IESG) offers oversight and guidance for both the standards process and the standards themselves. In turn, the Internet Architecture Board (IAB), which evolved from the technical advisory board of the original ARPANET management in the early 1970s, offers further oversight of the IESG.

Both of these organizations fall under the auspices of the Internet Society, or ISOC, an international group formed in 1992 that oversees most of the technical standards process. The ISOC came about when Internet governance moved beyond just matters of technical coordination. As the web went global and companies began to depend on Internet business, more and more participants had a financial or political stake in the system's evolution in one direction or another. Organizations began to disagree on process, and the US government's central involvement worried many. The ISOC was established as an independent, international organization to offer a formal, legal means to safeguard the independent and open standards processes. ISOC's power derives from its membership; it's open to any individual and, for a fee, any organization. These members then elect trustees who, in turn, appoint leadership to the IAB, which oversees the governance process for the IESG and the working groups' process they guide.

Imagine this alphabet soup all as a mix of informal, semiformal, and formal groups all nested together. This structure promotes a high degree of independence while still allowing for accountability to the Internet community. While there are political and financially motivated disagreements, when it comes to standards development, the process has thus far fostered globally shared interest in maintaining a functioning Internet.

This ethic of shared interest, however, becomes more difficult in dealing with property rights and other scarce resources on the Internet. The Internet may be seemingly infinite in size, but it still has zero-sum games. Identifiers such as IP addresses and domains have to be unique—the Internet wouldn't work if multiple parties attempted to use the same IP address or wanted to resolve a domain name to a competing address. One of the earliest oversight roles was apportioning these numbers and names. What emerged was the Internet Assigned Numbers Authority, a collaborative effort of the US government and the early researchers who had developed the original technology. Yet as the Internet grew, control of this process grew more important. Assigning names and numbers meant control over who could access the Internet and how. Jon Postel's “coup” illustrated the need for a more transparent and accessible governance structure.

The growing pressure for a commercial Internet, and the emerging realization that Americans could not expect to control the network forever, meant that this new structure could not be run by the US government. In 1998, after a survey period that sought input from the public and key Internet leaders and organizations, responsibility shifted to an independent corporation with a governance structure that “reflects the geographical and functional diversity of the Internet.” The Internet Corporation for Assigned Names and Numbers, or ICANN, was born.

While chartered in California as a nonprofit, ICANN set in motion a structured way to distribute IP addresses that more appropriately reflected the Internet's global nature. Regional authorities in North America, Europe, and Asia, followed later by Latin America and finally Africa in 2004, took over this task and continue to perform this role today.

Not everything with ICANN is easy. Domains define identity on the Internet, which brings strong commercial and political interests into conflict. Decisions about who gets what Internet identity inherently create winners and losers; adding new top-level domains such as .tech enables new business models but requires more expense for trademark protection to fend off “squatters.” Trademarks themselves can pose risks. For example, a process was needed to decide which of the many businesses with “Apple” in their name would get apple.com. At the same time, that process could not be corrupted to deny free speech opportunities, such as sucks.com. This process has even touched on hot issues of national identity. When nations achieve independence or dissolve into civil war, who controls their country's top-level domain? In Western Sahara, both sides of a forty-year-old conflict claim the rights to the top-level domain .eh.

The process and governance of ICANN have drawn even more controversy. Policy scholars use the term “multi-stakeholder process” to describe its organic, open, yet non-representative approach. Decisions are supposed to be made by consensus, while a host of advisory committees help represent key constituencies in the Internet's smooth operations, such as Internet service providers and the intellectual property community. National interests from around the world are represented through a Governmental Advisory Committee. Yet this multi-stakeholder model strikes some as disposed to favor the powerful. Governments and large commercial interests can afford to pay staff to participate in these forums, while nonprofit civil society groups may lack the resources to sit at the table at all. Many argue that special interests are too heavily represented among the decision-makers. Others want it to be more like traditional international organizations, which tend to follow the United Nations model of “one state, one vote.”

And despite efforts to globalize Internet governance, many still see ICANN as captive to US interests. The control of assigning names and numbers still ostensibly belongs to the US Department of Commerce, which it delegates to ICANN by renewable contract. That is, the United States retains overall control, while the management function is held by an industry-led organization. Both have a vested interest in maintaining the status quo.

The challenge, of course, is that no other institution or process could easily replace ICANN. While it is easy to criticize ICANN, there is no practical model for an alternative organization that must represent and balance such a broad range of interests from around the world and across all sides of complex policy issues.

The key takeaway of these governance issues for cybersecurity is not just the important role that trust and open-mindedness have played in the Internet's growth (aspects that are challenged by growing security concerns) but that the Internet has always been recognized as a space that defies traditional governance models. In 1992, Internet pioneer David Clark of MIT set out his bold dictum for the community:

We reject: kings, presidents and voting.

We believe in: rough consensus and running code.

This quote has been widely circulated. Less well known is what Clark wrote on his very next slide: “What are we bad at? Growing our process to match our size.”

On the Internet, How Do They Know Whether You Are a Dog? Identity and Authentication

Carnegie Mellon University professor Alessandro Acquisti has a fun but scary party trick: show him a picture of your face that is online and he will then guess your Social Security number.

Understanding how Acquisti does this is useful even for non-Americans (who lack these supposedly secret Social Security numbers) because it illustrates the story of identity and authentication and how it can go awry. Acquisti first uses image-matching technology to find your face on a social networking website. If your birthdate and birth city are listed online, as they are for most people, then he can use the patterns that link time and location to the first five of the nine numbers in your Social Security number. Then it is just a numbers guessing game for the remaining digits. If you come from a small state like Delaware, the Social Security number can be determined in less than 10 tries.

In theory, no one should care, since Social Security numbers were never meant to be secret. Before 1972, Social Security cards even said “not for identification” on them. But as we began to use computers to track people, it became critical for computers to differentiate individuals. Using someone's name alone wasn't enough: there are too many John Smiths in the world. Across every database, each record needed to be accessed with some identifier unique to that person. And since every American had a unique Social Security number, it was convenient to use that.

So far, so good. The number was just a means to look someone up in a computer. But this number also became the way for two systems to know they were talking about the same person. Soon the Social Security number began to be used to track bank accounts, tax details, and all other sorts of personal information. Along the way, organizations assumed that, since Social Security numbers weren't published, they weren't public, and if they weren't public, they must be secret. Wrong.

In the computer world, “identification” is the act of mapping an entity to some information about that entity. This can be as mundane as a fantasy football website accepting the association between a person and the name the person claims, or as critical as matching a medical record to an unconscious patient.

It is important to separate identification from “authentication,” which is the proof of the identification. This proof has traditionally been defined as “something you know, something you have, or something you are.” What you “know” is the basic password model. It is a secret that is known, presumably only by the right person. Something you “have” refers to a physical component with limited access, so that only the right person might have it. With bank ATMs, it is a card, while more recently the mobile phone has become a de facto authenticator for receiving text messages containing a one-time code. By entering this one-time code, people taking action on the Web show that they have control of the verified mobile phone that is receiving the messages. Finally, you can prove who you “are” through something recognizable. Since this often refers to one's person, we call this a “biometric.” Biometrics can be as simple as another human recognizing your face or as sophisticated as a sensor that recognizes your eye's retina.

There are weaknesses with these proofs. Passwords can be guessed or broken and require a cognitive load (you have to memorize them). If they are reused across different contexts, then breaking one system allows an attacker into others. Things that you “have” can be stolen or forged. And even biometrics can be compromised. For instance, access readers that require supposedly unique fingerprints have been fooled by forged fingerprints pressed into Gummy Bear candy, or, much more gruesomely, pressing down an amputated finger onto the machine (Russian mobsters ironically don't seem to like cute, bear-shaped candy).

There are various mechanisms to bolster these measures. One is to contact trusted friends to confirm that individuals are who they say they are. The idea is drawn from the old line “It's all about who you know,” since a mutually trusted friend can verify that the individual in question conforms to the claimed identity. Other systems factor in the cost of fooling the controls. Anyone can create a website claiming a specific identity, but it requires time and effort to maintain an active and lengthy presence on an associated social media platform like Twitter or Facebook. Here again, these can be hacked or faked, but at a much greater cost to the attacker to pull off.

After authentication is authorization. Now that a system knows who you are, what can you do? In classic computer security, authorization was about giving access to network files, but in our increasingly connected world, gaining authorization can open the doors to practically everything. Authorization is the part that links these technical issues to policy, business, political and moral questions. Is the individual authorized to buy something, like an account on an online gambling site? And even if so, is the individual old enough to participate? Or, at a slightly larger world stage, just because someone has access to a military's classified networks, should the person be authorized to read and copy every file in them (a practice that would haunt the US military in the Bradley Manning and Edward Snowden leaks)?
