IABopen IETF-118

When: Tuesday, November 7, 2023, Session III, 15:30 - 16:30

Where: Congress Hall 2 & Meetecho

Chairs: Mirja Kühlewind, Dhruv Dhody

Topics

Welcome and Status Update - Mirja/Dhruv (5 mins)

Slides: Internet Architecture Board Open Meeting

Document Updates

Program Updates

Liaison Updates

Workshops

Liaison Update: ISO/TC46 - Peter Koch (10 mins)

Slides: ISO TC/46 2023 Liaison Report

Outreach: IAB Outreach coordinator and activities - Dhruv/Mirja (5 mins)

Slides: IAB Outreach Coordinator and Related Activities

Invited Talk: Nation States and Organised Crime: Two sides of the same coin? - Lesley Kipling (30 mins)

Slides: Nation States v Organised Crime: Two sides of the same coin?

Mirja Kühlewind: I do have one question. So there was at least one
comment in the chat that the main difference between nation state actors
and criminals is they have different goals. Criminals usually go for
money. Nation States have different motives. But I guess it's also
different, in like resources or scale or whatever. Can you comment on
that?

Lesley Kipling: That, in the past, would have been absolutely correct.
That's still something that we're seeing today. These guys do want to
make money and they want to make money quickly. So that's not going to go
away. But what I am seeing is that merging between the Nation States and
the cyber criminals, because again, if you've got a sanctioned entity,
one of the ways that you can make money for your government is to
basically weaponize that, and then use that from a monetary perspective
as well. So, those cyber mercenaries, those private offensive security
organizations, which we really want to focus on trying to stop them from
abusing, for example, Microsoft technologies, that's not just Microsoft,
but the big tech firms are behind this 100%, because again, as we see
the ability to overlap from each other, I think we're going to see more
and more of the Nation States capability flowing down to organized crime
and, to be fair, organized crime are doing a pretty good job of being
able to bring themselves up to date in terms of their capability, and as
they're being pulled into cyber mercenary.

Wes Hardaker: Thank you for the presentation. I've done 20 years of
similar work trying to track TTPs and trends in those and detecting
merging things. You should know that you are speaking to a room full of
people that is trying to encrypt everything under the sun, which I'm one
of them, right? So, I'm curious at what you see as your own
difficulties. You had a good source of lists of types of things that you
try and get addresses from and domains from, and all these types of
things. That must be an increasingly difficult challenge. I know there's
agencies in the United States that have a program called Going Dark,
trying to deal with how do you do that. And actually, the document that
was mentioned earlier, how do we balance this tussle between the need
for privacy versus the need for defensive related technologies.

Lesley Kipling: From my perspective, there's a lot to say about
encryption. Certainly, one of the talks I went to recently, they were
saying you need to use encryption to combat ransomware. It just doesn't.
They encrypt it as much as you want, they come along and encrypt it as
well. I'm giving my brain some time to work, actually. Might wait a long
time.

Wes Hardaker: I can offer you a data point that will help your thinking.
One of the studies I did was looking at what malicious actors are using
in terms of protocols, and what I found was the rest of the world is
going to HTTPS. It's too much of a pain to set up malware repositories,
because you have to create the certificate. 90% of the traffic I was
studying actually went over HTTP.

Lesley Kipling: Right. So isn't that, again, bypassing the controls
because people find it really difficult to go for it? I mean, to your
point, we spent a lot of time and effort trying to convince people that
HTTPS was the right thing to do, put a little lock in one corner, and,
you know, don't go to this, and in fact, plenty of times we block people
from going to those because we believed them to be malicious domains.
And that's thought -- you know, I think we've done a good job of
training people to say yes, right? So even though you get these prompts
that say don't do this, or are you sure you really want to do this, you
go, yes, I really want to do that. But I think the encryption, from the
point of view back to ransomware again, is what it does do is stop you
having to notify the ICO, because now you've got a data breach. If that
is encrypted already, that's a good thing. To your point, we start
thinking about quantum and what that's going to do from an encryption
perspective, but also the ability to offload those cycles in many ways,
because one of the things that we don't talk about that much is thinking
about the sustainability of AI, for example. So if you've got these
massive GPU discs that you require to be able to run this stuff, back to
encryption again, is how much time and effort do you want to put into
the encryption. I've had people ask me, can you confirm or guarantee
that this encryption key is going to be safe for ten years? I can't even
guarantee it's going to be safe for two months, because what's the best
way to down the encryption, is basically steal the key, right? So the
fact that they went after the certificates themselves to be able to
create their own key, that was one of the ways that they bypassed it. So
I think there's many ways for them to be able to wiggle around, as
opposed to going directly after the hard part of that equation.

Florence D: Thanks for a really interesting presentation. I was
wondering if you had any thoughts on what the IETF could be doing or
what the IETF maybe should know about to sort of support you in, you
know, improving the cyber security of the Internet?

Lesley Kipling: That is a great question. So, I'm here at short notice
because my colleague was sick. But I think that we probably do have
representation from a Microsoft perspective. If we don't, I'm surprised.
There are, right? But I do think that it's worthwhile maybe thinking
about taking the information really from the other side of that equation
and basically building in what we see. Maybe briefings like this is a
good idea, to say this is what we're saying the tech is doing. You know,
is that something that you guys can come up with a technical solution to
the problem. But the interesting thing that Wes mentioned as well was
that privacy rings, isolation for networks and things like that. I think
that's certainly something we want to see organizations doing more of,
is thinking about how they use control zones inside the networks. But
that's a grand question, and I'm absolutely happy to have that
conversation with you.

Nicola Rustignoli: Hi. Thank you for the talk. So, as mitigation
techniques, you mention, for example, securing identity, securing end
points, do not trust the network, zero trust, and so on. And I think
what many people here do is networks. So in line with the previous
question, then what can be done on network protocols to help fighting
this?

Lesley Kipling: I want to reiterate that we don't think that the network
isn't a problem. Most security people come from a networking background.
I think that there was a lot of focus on the network, but the problem
that if the identity or anything, people going after Microsoft Word, for
example, or living off the land techniques. There's plenty of ways for
them to be able to do that that don't require them to do the deep level
sort of attacker. Because again, people say to me, "teach me how to
hack." So, how many books would you like to go and read, and
understanding the network protocols. I personally remember back in the
day when I was being taught IP, they had this little video where they
made it out like it was a bit like a postal system. So you got these
little packets that were being shipped everywhere. I'm sure everybody in
the room has seen that. But again, it's how you start to learn how to do
this. You have to learn how the network works completely, right? But I
think from our viewpoint, these guys are very much going after the
weaker targets, which is that softer layer 8 stuff, and then obviously
dev from a SaaSOps application. Which doesn't mean the network is a
problem. So what I'd like to see is thinking about -- you know, we're
talking about microsegmentation these days, which I think maybe with the
power of the Cloud we've got that capability. But again, it was one of
the things I've seen talked about in the industry for many years, and
nobody could ever do it because it was just too hard to do. But maybe
micro-segmentation is the way forward now. How about that?

Nicola Rustignoli: Well, my work is focusing on security. So that's a
bit of a different area, securing data and transit. In terms of where it
goes. And I think there's quite some debate about trust enhance
networking. So whether you should have a part of the network that's a
bit more trusted than others.

Lesley Kipling: I think that's half of the problem. Back in the day, we
came from the view that it was internal, we had all the firewalls. There
was a perception of control, that that's gone a long time ago with the
ability now to have all of these communications through extranet, shall
we say. We don't even like VPNs particularly because attackers go after
those as well.

Andrew Campling: Thanks for the presentation. I was going to ask
something along similar lines to Wes, in terms of are we screwing up
cybersecurity by removing all the indicators of compromise. So I'll ask
it in a slightly different way, which is are people confusing privacy
and cyber security, which you mentioned when people are encrypting
stuff, they become proof with ransomware. So is that confusing your
area? And confusing the people you're trying to help, do you think?

Lesley Kipling: I think as often as I possibly can, but it doesn't work
out very well sometimes. So, yes, and thank you for the translation. You
know, there was always that encryption, data in transit should be
encrypted and at rest, and then sometimes you would have to pass
gateways and you would have to decrypt it and re-encrypt it, that sort
of thing. You're going to have security without privacy, but you can't
have privacy without security, right? So you've got to have that
foundational capability there before you start thinking about privacy.
Of course, one of the things that I wish that we -- I mean, GDPR did a
great job from a privacy perspective, right? Really set some very high
boundaries in terms of what the requirements were, and very explicit
about what the requirements were for privacy. We don't have it in
cybersecurity. I think we have something like 148 regulations coming
down the line over the next year. So in a way, it would be really good
-- albeit as tough as it was for us to be able to meet those -- meet
that bar from a GDPR perspective, we kind of need something from a
cybersecurity perspective. But in a way, if we think about data as being
the new substrate for all of this stuff, one of the things we talk about
a lot is mesh and fabric. If the security is built into the platform, at
some point, you know, we get privacy and security.

Phillip Hallam-Baker: What is being done on securing data at rest? By
which I mean encrypting Word and PowerPoint documents under an open
infrastructure. Most breaches are of data at rest and most of the data
breached is in Office document formats. Password encryption isn’t
usable, the password gets sent in the email with the file attachment.
It's even worse when you look at the CRM systems. Can we get together
and get something new on data at rest?

Lesley Kipling: I think it's overdue. I would agree with you. I think,
as I said, those security controls from a data perspective, certainly
something that we're focused on right now to try and fix.

Brian Trammell: There was a really interesting point you made that we
tend to think of ourselves as being in a layered box, right? Like down
below this layer, not our problem. Up above that layer, not our problem.
Which I think is causing us a problem in dealing with security threats,
exactly as you said, because the other side doesn't put themselves in
this box, right? They are incentivized to not think about the boxes at
all. Indeed, it is at those box layers that there's like interesting
stuff to be done. So, that's mainly a comment to the IETF reflecting on
your talk. I did want to ask one very quick question. There was
something you said that really resonated with me about the minimum
viable business, or the minimum size of an organization that can
meaningfully participate in the Internet and be secure. Do you see a way
to keep that from continuing to go up over time?

Lesley Kipling: If we don't, we're going to lose, right? I think it's in
our best interest to think about how we put these controls in place,
what we're doing to the disrupters from that perspective. But again,
back to the data security perspective, thinking about those controls
right in the beginning. You know, in some cases, we've been remiss in
terms of not switching on logging or not by default getting rid of
passwords, not by default thinking about administrators, because there
was a cost associated with it for the customer. In my view, that was
their decision to take. It wasn't ours to do that. And I think, again,
today, we're very much coming from a different perspective on that.
Interestingly enough, you know, thinking about the problems that we had
with Puerto Rico getting isolated during the hurricane and what Russia
has been doing over the top of undersea cables, we're now looking at
space to do the same sort of transmission of data, and in fact, I'm told
that we can transmit the same amount of data undersea cables as we can
over space. I don't know how much it will cost. Don't ask me. Don't talk
to me about licensing because I don't know that. But it gives us the
ability to think about how we put the security and the protocols right
from the get-go. It's new tech. In fairness, how many people say to me
do we just need to burn the Internet down and start from scratch. Right
back at you. Do we?

Brian Trammell: No. Thank you very much for the talk.

Mirja Kühlewind: That is a very interesting question, to finish the
discussion here.

Tommy Jensen: I just want to quickly answer one of the questions that
was posed, which is kind of quintessential here, which is what do we do
with security once we hide everything on the wire, right? And we don't
have to do discussion. Happy to take it offline. I just wanted to point
out we do have Microsoft engineers here as well, and the answer here is,
we need to come to grips with the fact that all back doors are front
doors, and all third parties are third parties. You either need to
become a networking peer, or you need to think about the root scenario
you're trying to solve and whether breaking into network security is the
right way to do it. Become the peer, or think about the larger set of
the problem, because end-to-end encryption really is better across the
board. We talk about it from a human rights perspective, we talk about
it from a security perspective, we talk about it from every perspective.
That does mean, and I say that knowing that the end point then has to do
more work. Get it. But I just want to be super clear about that, because
we do have an opinion.

Open Mic