Cybersecurity and Internet Governance

1. 1
Kenny Huang, Ph.D. 黃勝雄博士
Executive Council, APNIC
Author, RFC3743 IETF
Keynote. SITCON 18 Mar 2017
huangksh@gmail.com
Cybersecurty and Internet Governance
網路安全與網路治理
亞太網路資訊中心董事

2. 2
The Internet and Internet Governance(IG)
Cybersecurity
Cybersecurity vs. IG

3. 3
The Internet

4. 4
The Internet

5. 5
The Internet
#1 BlindTrust : we trust parties we don’t event knowexist

6. 6
The Internet
#2 No Ownership: The big companies, not users, own the data.

7. Internet Governance
7Source : ICANN

8. Internet Governance Definition
8
IG Definition @ WSIS Tunis 2005 :
The development and applicationby governments, the
privatesector and civil society, in their respectiveroles, of
shared principles,norms, rules, decision-making
procedures, and programmes that shape the evolution
and use of the Internet.

9. Internet Governance Layers
9
Telecom infrastructure
(cable, wireless, ...)
Protocols, standards and services
(DNS, TCP/IP, SSL...)
Content and applications
(HTML, FTP, XML)
Source:Diplo

10. 10
Internet 1969 Internet 1970
Internet 1977 Internet 1981
ARPANET 1969 -1981

11. IG Concepts in ARPANET – Technology Track
11
1969 1983
ü System
requirements
ü Standardization
ü Entity for
managing
technical
standards
RFC 01 RFC 03
IETF
Working
Group
Steve
Crocker
RFC 883
RFC 882
ü Domain name
concept
ü Tree hierarchy
ü DNS operation
1984
RFC 1035
RFC 1034
ü DNS delegation
ü ccTLD, gTLD
ü Single Root
1987 1994
ISC:
Paul
Vixie
BIND
UC Berkeley
Jon Postel acted as RFC Editor 1969-1998

12. 12

13. 13

14. IG Concepts in ARPANET – Registry Track
14
1969
HOSTS.TXT
hostname IPaddress
hostname IPaddress
hostname IPaddress
hostname IPaddress
hostname IPaddress
hostname IPaddress
SRI maintained HOSTS.TXT
SRI (StanfordResearch Institute)
Jon Postel managed
Assigned Number List
Copy to other sites
1981
ü Names
ü Numbers
ü Critical Internet
Resources
ü Registry
operation
ü Uniqueness of
name – Single
Internet

15. IG Concepts for Architecture and Authority
15
1969 1987 1988 1998
RFC 1035
RFC 1034
18 Sep1998
established
16 Oct1998
passed away
Root Zone
Operator
ü Execute IANA
functions
ü Root zone
governance
ü TLD legal issue
The IANA functions manage
protocol parameters, Internet
number resources and domain
names. ICANN performs these
functions on behalf of the
global Internet community.

16. Root System Model
16
Source : ICANN

17. 17
Source : ICANNRoot DNS Anycast Root Source :RIPE
IETF48 Root Server Operators’ statement (1998 Dec)
ü Operatereliably, for thecommon good ofthe
Internet
ü RecognizeIANA as the sourceofthe root data
ü Invest sufficiently to ensureresponsible
operation
ü Facilitate thetransition, when neededandwith
proper notice
ü Recognizethe other root server operators
ü Multistakeholder
ü Recognize IANA
ü Single Internet
ü Internet as public
good

18. IG Concepts for Number Community
18
1992 20011993 1997 2005
ü Multistakeholder
Model
ü Self regulation
ü Member voting
right
ü IP address
allocation
ü Policy
development
process
1999
ü ASO ICANN Board
selection
ü Global address
policy
ü Accountability
ü Transparency
üGovernance
üFinance
üPolicy

19. Critical Information Infrastructure (CII)
19
Internet
Numbering
Architecture
Internet
Naming
Architecture
ü Critical
Information
Infrastructure
Protection

20. 20
source : http://www.savetheinternet.eu
Net Neutrality
The principle that Internet service
providers should enable access to all
content and applications regardless of
the source, and without favoring or
blocking particular products or
websites.

21. 21
ISP blocking and tiering cases
2004 : ISP Madison River blocking Vanage’s VoIP services
2006 : ISP AOL blocked access to www.dearaol.com
2007 : ISP Comcast blocked BitTorrent
2008 : ISP Tele2 blocked access to thepirateboy.com
2009 : IPRED law to monitor all Swedish web traffic
2010 : Italian ISPs block access to Pirate Boy
資料來源 : Telesperience
ISP Traffic Engineering Technique
Traffic discrimination is
necessary as a routine
part of network
management

22. 22
Degree of Enforcement
完全中⽴ (Full Neutrality)
強調網路必須完全中⽴，無任何差別待遇，封
包使⽤FCFS 模式傳輸。主要⽀持者包含學者
Susan P. Crawford (Cardozo Law School; 曾任 FCC
主席)。
資料類別特許的差別待遇 (Allow
discrimination based on type of data)
此主張認為網路資料有不同服務需求，例如封
包延遲Latency、或不連續Jitter情況。ISP可以針
對應⽤服務屬性來調整差別待遇。主要⽀持者
包含學者Tim Wu (Columbia University Law
School)
⾮阻斷或⾮節流下之個別訊務排序
Individual prioritization with throttling or blocking
ISP認為在沒有阻斷(block)或不造成阻塞情況下，
ISP可以依不同服務或客⼾需求進⾏訊務排序。
主要⽀持者包含 Comcast, AT&T
不直接強制 (No direct enforcement)
許多國家並沒有網路中⽴相關法律，但可以參
考其他法律來管制，例如反競爭法，美國FCC
在無網路中⽴法之前也是參考市場合理實務提
出管制命令。
ISP 市場競爭度
美國Comcast / Netflix案件中法院裁定 Comcast 違反
網路中⽴主因: ⼤多數網路使⽤者在寬頻(25Mbps)
服務只有單⼀寬頻服務供應商可選擇。在此情境下，
ISP差別待遇⾜以影響市場競爭，寬頻 ISP 負有更⼤
責任維持服務的中⽴性，避免影響網路使⽤者的權
益。
ü Improve
connectivity
ü neutral Internet
exchange and
peering

23. CERT (Computer Emergency Response Team)
üCERT was first used in 1988 by
CERT CoordinationCenter at CMU.
CERT and CSIRT (computer security
incident response team) are used
interchangeably.
üFIRST (Forum of Incident Response and
Security Team) is the global
associationof CSIRTs
üAPCERT Established 2003. Annual
events include (1)AGM (2)APCERT
Drill
23

24. 24
ü Allocationand assignment of three sets of uniqueidentifiers of the Internet:
domain names, IP addresses, and protocol parameters
ü Operation and evolutionof the DNSroot name server system
ü Policy development reasonably and appropriately related to these technical
functions
ü Multistakeholder
ü Accountability
ü Transparency
üGovernance
üFinance
üPolicy

25. UN IG Initiatives – Political Track
25
2003 20062005 2010
ü Multistakeholder
ü Multilateral
ü Inclusion
ü Sustainability
2015
Technical Topics
üCritical Internet resources
üCapacity building
üSecurity
üAccess
üInternationalization

26. IANA Stewardship Transition
26
US Gov.
NTIA
Perform IANA
Functions
ICANN
APNIC
contracted 5 RIRs
(APNIC)
Perform IANA
Functions
ICANN
APNIC
contracted
Before 1 Oct 2016 After 1 Oct 2016
Audit & Review Audit & Review

27. 27
The Internet and Internet Governance(IG)
Cybersecurity
Cybersecurity vs. IG

28. Confidentiality Integrity Availability
prevents
unauthorized use or
disclosure of
information
safeguards the
accuracy and
completeness of
information
authorized users
have reliable and
timely access to
information
Goals of Information Security
28

29. 29
ISO27001
ISO 27001 – a global recognized standard that provides a
best practice framework for addressing the entire range of
cyber risks
ü People, processes, technology
ü Systematic approach for establishing, implementing,
operating, monitoring, reviewing, maintaining, and
improving an organization‘s information security to
achieve business objectives
Key elements of implementing ISO227001
ü Determine the scope of the ISMS
ü Consider the context of the organization and interested parties
ü Appoint a senior individual responsible for information security
ü Conduct a risk assessment – identify risks, threats, and vulnerabilities
ü Appoint risk owners for each of the identified risks
ü Implement appropriate policies and procedures
ü Conduct staff training
ü Conduct an internal audit
ü Implement continual improvement of the ISMS

30. Layered Defence
30
1. information security policy
2. awaerness and tranining
3. backups and continuity
4. physical security
5. authentication
6. access controls
7. monitoring
8. firewalls and filtering
9. encryption
10. anti-malware
11. threat intelligence
12. audit and review
13 cyber insurance

31. 31

32. DDoS 2005
N x Gbps
Source : thousands of devices
DDoS 2017
N x Tbps
Source: millions of devices
0
200
400
600
800
1000
1200
1400 Gbps
32

33. DDoS As A Service
33
Source:tripwire,May 26 2016
400,000 Bots for Rent
Source : bleepingcomputer,Nov 24 2016

34. Operation of a DDoS attack
34
attacker computers
real users
target serversInternet
SERVICE OFFLINE
out of resources

35. Protection: Technology vs. Insurance
35
FIRST PARTY COVERAGE
üdamage to digital assets
übusiness interruption
ücyber extortion
üprivacy breach expenses
THIRD PARTY COVERAGE
ü privacy liability
ü network security liability
ü internet media liability
ü regulatory liability
ü contractual liability
Cyber Liability Insurance is inexepensive effective coverage. Coverage
limits starting at $100,000 with annual premiums starting as low as $250
1. Key companies include: AIG, Marsh, Allianz
2. False sense of security
3. Growth of market and risk will increase
insurance premium
1. Greater protection from threats
2. Insurance driving implementation
of technology solutions to comply
with policy requirement

36. Cyber War Case - Afghanistan
• Two-way cyber war measures
• Cyber offensive capability
• Cyber dependence :
• Degree to which a nationrelies upon cyber-controlled
systems
• Cyber defensivecapability
• “We have the most bandwidth running though our society
and are moredependent on that bandwidth. We arethe most
vulnerable.“– former Admiral McConnell.
• Afghanistan 2001
• US had conducted a cyber war plan, but no targets for
cyber warriors,that gives Afghanistan an advantage.
• If Afghanistan had any offensive cyber capability,the
cyber war would have shifted in different way
36

37. Cyber War Case - China
• Offense vs. defense
• US has the most sophisticatedoffensive capability,but it can’t
make up its weaknesses in defensiveposition. Cyber defense
trainings areoffensivefocus.
• China cyber warriors aretaskedwithboth offense and defense in
cyberspace.
• China advantagesin cyber war
• Ownership: Internet in China is like an intranet of a company.
Government is the only serviceprovider
• Censorship
• Great Firewall of China provides security advantages
• The technology that Chinese use to screen emails/message provide the
infrastructure to stop malware
• Install software on all computers to keep children from gaining access to
pornography – Give China control over every desktop in the country.
• Critical infrastructure:For electric power system,US relies on
automationcontrolledsystem,but China requirea largedegree of
manual control.
37

38. Cyber War Strength
38
US
Cyber Offense: 8
Cyber Dependence : 2
Cyber Defense: 1
Total : 11
Russia
Cyber Offense: 7
Cyber Dependence : 5
Cyber Defense: 4
Total : 16
China
Cyber Offense: 5
Cyber Dependence : 4
Cyber Defense: 6
Total : 15
Iran
Cyber Offense: 4
Cyber Dependence : 5
Cyber Defense: 3
Total : 12
North Korea
Cyber Offense: 2
Cyber Dependence : 9
Cyber Defense: 7
Total : 18
Source:Richard Clarke,2010

39. DDoS vs. Cyberwar
39
Cyberwar initiated country Counterpart country
Internet DMZ
1. DDoS can only attack DMZ zone. DMZ was built for that purpose.
2. DDoS attacks are compelling. The targets can be easily identified. It gives
enemy an advantage of increasing defensive capability, or relaxing cyber
dependence.

40. Cryptography
40
encrypt decrypt
encrypt decrypt
Hello Hello$7@#
ciphertext
Symmetric Cryptography
Hello Helloa@xf
ciphertext
Asymmetric Cryptography
Public key exchange
A
A
B
B

41. Browser SSL Connection
41
1. Server sends a copy ofits asymmetric public key
2. Browser creates a symmetric session key and encrypt it with the server’s public key
3. Server decrypts the asymmetric public with its private key to get the symmetric session
key
4. Server and Browser now encrypt and decrypt alltransmitted data with the symmetric
session key. This allowa secure channel because only the Browser and the Server knowthe
symmetric session key.
Symmetric key 128/256 bit (fast); PKI key 1024/2048 bit (slow)
Most secure communication systems (SSL; SSH; VPN..) use symmetric key encryption
1
2
3
4

42. Certificate Issuing Process
42
Return to User
CSR
certificate signing request

43. 43
CA1
CA2 CA3
CA4
Alice
Bob
Certificate pointing from issuer to
Root CA directly trusted by relying parties
Sub-CA
Hierarchical PKI Architecture
Mesh PKI Architecture
CA1
CA2 CA3
CA1 CA2
CA2 CA1
CA1 CA3
CA3 CA1
CA1 CA3
CA3 CA1
Alice
Bob Charlie
Certificate pointing from issuer to
Trusted CA point for Alice
CA
Cross Certificate
Doug
Finance
Bob
HR Dept
Charlie
Account
Bridge PKI Architecture
Bridge
CA
Alice
Public Key Infrastructure
Architecture

44. 44
Certificate Authority vs. IG Authority
It can be done by deploying DNSSEC and DANE and
give up CA's and X.509certificate hierarchies.
CA can issue a cert for any domain name and
instead use DNSSEC and DANE

45. OECD
CIIP (Critical InformationInfrastructure Protection)
45
üInformation components supporting the critical
infrastructure
üInformation infrastructure supporting essential
components of government business
üInformation infrastructure essential to the
national economy
US
Systems and assets, whether physical or virtual to
the US that the incapacity of destruction of such
systems and assets would have a debilitating
impact on security, national economic security,
national public health or safety, or any
combination of those matters.
CIIP
Directive (EU) 2016/1148 ANNEX II :
IXP、Root DNS、TLD Registry
EU

46. ETSI Lawful Intercept Model
46
administration
function
IRI mediation
function
content
mediation
function
IRI : intercept
related Information
CC : content
of communication
INI
internal network interface
IIF
internal interception function
HI3
content of communication
Network
Internal
Functions
HI2
Intercept related information
HI1
administrative information
NWO/AP/SvP Domain
LEMF
Law Enforcement Monitoring Facility
network operator / access provider / service provider
HI: handover interface
(ETSI)

47. Backend Operator
Potential Registry-LEA Implementation
47
TLD Registry
Data Escrow Agent
(ICANN approved)
Contractual
Compliance
Finance System
EBERO
Law
Enforcement
Agency
Jurisdictional
Considerations
invoice
Data Escrow Alerts
gTLD Failover Design
(Kenny Huang, 2015)

48. Internet Routing Security - Detour
48
A path that originates in one
country, cross international
boundaries and returns back
to origin country

49. BGP Routing
49
AS 4134
China Telecom
AS 7018
AT&T
AS 3356
Level 3
AS 2828
X0 Comm.
AS 6167
Verizon
AS 22394
Verizon
Customer Provider
Peer Peer
legend
3356, 6167, 22394
66.174.161.0/24
6167, 22394
66.174.161.0/24
22394
66.174.161.0/24

50. China Telecom hijacks Verizon Wireless
50
AS 4134
China Telecom
AS 7018
AT&T
AS 3356
Level 3
AS 2828
X0 Comm.
AS 6167
Verizon
AS 22394
Verizon
4134, 22724, 22724
66.174.161.0/24
3356, 6167, 22394
66.174.161.0/24
AS 22724
China Telecom
Apr, 2010
Prefix Hijacks
China Telecom announced 50,000 prefixes (15% routes)

51. Pakistan Telecom hijacks YouTube
51
AS 18174
Allied Bank
AS 58467
Lahore Stock
AS 18173
Age Khan
AS 3491
PCCW
AS 3327
Linux Telecom
AS 25462
RETN Ltd
AS 36561
YouTube
17557
208.65.153.0/24
3491, 17557
208.65.153.0/24
36451
208.65.153.0/22
AS 17557
Pakistan Telecom
Feb 2008
Subprefix Hijacks

52. Moratel Leaks a Route to PCCW
52
AS 23947
Moratel
AS 3491
PCCW
AS 4436
nLayer
AS 15169
Google
3491, 23947, 15169
8.8.8.0/24
15169
8.8.8.0/24
23947, 15169
8.8.8.0/24

53. 53
The Internet and Internet Governance(IG)
Cybersecurity
Cybersecurity vs. IG

54. Why Bother Internet Governance
54
Jurisdiction
Law
Organization
Rules
International
Law / Treaty
Internet
Governance
Multistakeholder
Standard
Technology
Architecture
Policy
Procedure
Best Practices
Cooperation
Coordination
IG
Regime

55. Code is Law
55

56. Cybersecurity Attributes Recap
56
Confidentiality
pPhishing
pPacket sniffing
pPasswordattack
Integrity
pMITM (Man-in-
The-Middle)
pIP spoofing
Availability
pDDoS
pSYN flooding

57. DNSKEY root
DS .taipei
DNSKEY .taipei
DS 101.taipei
DNSKEY 101.taipei
root
TLD : .taipei
SLD: .101.taipei
ISP
recursive resolver
1 user makes request for
a .taipei domain
2 ISP resolver verifies the
root’s DS key
3 root points the ISP to the
.taipei TLD and gives the
ISP the .taipei DS key
4 ISP verifies .taipei’s DS key
5 .taipei points the ISP to the
101.taipei SLD and give the
ISP the 101.taipei DS key.
6 ISP verifies 101.taipei’s SLD
DS key
7 Requested SLD information
is retrieved and sent back to
ISP
8 ISP sends SLD information
back to user
9 User access trusted
101.taipei domain
1
8
2
3
4
5
6
7
User
stub resolver
9
Secure Name Space - DNSSEC
57

58. ICANN DNSSEC vs. Cybersecurity
58
ConfidentialityX
IntegrityX
Availability
Stakeholders
1.ICANN, gTLD&
ccTLD operators
2.Root operators
3.IETF
Phishing Man-in-The-Middle

59. Secure Internet Routing - RPKI
59
APNIC
8.0.0/8
Level 3
8.8.8.8/24
Google
66.174.0.0/16
Verizon Wireless
66.174.0.0/24
AS22394
66.174.0.0/16
AS6167
8.0.0.0/9
AS3356
ROA
8.8.8.0/24
AS15169
cert
legend
PRKI : Resource PublicKey Infrastructure

60. RIR’s RPKI vs. Cybersecurity
60
Confidentiality
IntegrityX
Availability
Stakeholders
1.RiRs (e.g. APNIC)
2.ISPs
3.IETF
4.LEA (Law Enforcement
Agent)
IP spoofing Route hijacking

61. Secure Communication : Technology
61
RFC 7457
Summarizing Known Attacks on TransportLayer Security (TLS)and
Datagram (DTLS)
RFC 2409 The Internet Key Exchange (IKE)
RFC 3526
More Modular Exponential(MODP) Diffie-Hellman groups for Internet Key
Exchange (IKE)
RFC 7258 PervasiveMonitoring Is an Attack
RFC 7525
Recommendations for SecureUseofTransport Layer Security (TLS)and
Datagram Transport Layer Security (DTLS)
RFC 4307
CryptographicAlgorithm for Usein the Internet Key ExchangeVersion 2
(IKEv2)
Remove support for DH1024
Proposed DH1024
Proposed DH 2048

62. IETF Technologies vs. Cybersecurity
62
ConfidentialityX
IntegrityX
Availability
Stakeholders
1.IETF
2.Developers
3.LEA (Law Enforcement
Agent)
Strong cryptography Enforced Internet encryption

63. Secure Internet Root
63
a b c ….. k l m
…..Site1 Siten
…..Host1 Hostn
Sites
(uniquelocation
and BGP route)
Root letters
(uniqueIP
anycast address)
Servers
(internal
load balancing)
User
Recursive resolver
Horizontal distribution
Multiple letters
Multiple operators
Vertical distribution
Multiple sites
Multiple servers

64. Impact of The Attack
64
1. The Root DNS handles the situation well
2. Resilience of the Root DNS is not an accident, but the
consequence of fault tolerant design and good
engineering
3. True diversity is the key to avoid collateral damage

65. Root vs. Cybersecurity
65
Confidentiality
Integrity
AvailabilityX
Stakeholders
1.Root operators
2.IETF
Divergent model Robust and resilient Infrastructure

66. Cybersecurity Future Evolution
66
Prevention, 80%
Monitoring, 15%
Response, 5%
Prevention, 33%
Monitoring, 33%
Response, 33%
NOW FUTURE
Source : RSA Conference 2016 Singapore

67. source: Into the Gray Zone: Active Defense by the Private Sector against Cyber Threats
Cybersecurity Phased Strategy
Defense 防禦 Diverge 分歧 Attack攻擊
67

68. Potential Cooperation for Cybersecurity and
Internet Governance
68
Case : Crypto–Ransomware
Source : EUROPOL

69. 69
Check Whois database,
Found In Romania
Traceroute, ends up in
Netherlands
1
2
It’s not useful
French Cyber Investigator
Source : EUROPOL

70. 70
MLAT* from French to Romania
1 month later, Romania LE goes
to the indicated company
3
4
MLAT: Mutual Legal Assistance Treaty
Source : EUROPOL

71. 71
Scenario 1 : Romania company cooperate
Found server is in Germany
Second MLAT from French to Germany
5
6
Scenario 2 : Romania company
uncooperative, victim of ID theft
5
Source : EUROPOL

72. 72
1 month later, Germany LE goes to
seize the server
7
To late !!
Decryption keys have been moved
to another server ..
8
Source : EUROPOL

73. LEA and RIRs Cooperation
73
Question?
ü How can we ensure that IP addresses
are announced in the country where
they are actually registered?
ü Can the RIR database reflect the
location of an ISP handling an IP
address?
Internet Policy Proposal
ü Require registration of all IP sub-allocation to downstream ISPs to
entire chain of sub-allocations are accurately reflected in WHOIS
ü NOT disclose end-user information but instead focus on
downstream ISP providing connectivity to the end-user
Source : EUROPOL

74. Cybersecurity and IG Landscape
74
Cybersecurity

75. Users
Public
Safety
Regulators
Operators Vendors
Software
CERTs
Cybersecurity and IG ECO System
75

76. 76