Panel on Cyber Crime and Cyber Security
Yesterday morning I was at the IGF on a panel on Dimensions of cyber-security and cyber-crime. You can find the complete transcript from the panel here. But you can also read my initial statement below.
PATRIK FÄLTSTRÖM:
Yes, thank you very much, Bertrand.
So as you heard before in the two previous presentations there are a large number of organizations involved, and a pretty complicated network of organizations. But it’s even more complicated than that, because in the first presentation, we actually saw something that looked like a diagram. You had a national CERT and everything is fine, and if you just fill out the names of the organizations, the boxes, you just follow that scheme and you are done.
It is not that easy, unfortunately.
And there are a couple of reasons for that. And one of the reasons is, of course, that the world has changed quite a lot.
If we look at the service voice, you just lift the receiver of a telephone and you make the phone call, if you look 30 years back, in each country more or less you had an incumbent. And that incumbent was responsible for the functionality of that service. And they kept track of who was calling who, they sent out the bills. If things didn’t work, you called them. If it was the case the police needed the information, they knew who to talk to.
But today, it is even more complicated. We introduced competition, we introduced now portability so it might be hard to even know who the phone number belongs to. It’s even the case that you have more and more virtual telephone companies or voice over IP providers that act over national boundaries. So the question is, then, which – if that organization that is covering multiple countries, like many ISPs do, if they want to talk to a CERT, should they pick one of the national CERTs or the one where the crime is or their favored ones? It depends, I think is the correct answer here.
It is also the case that when we are acting against some incident, as we heard, it’s pretty important that we do some prevention methods. People install various different kinds of anti-virus software in the computers. You have firewalls. You put in measures to trace where traffic is passing, to detect what is happening. You install security systems on the doors.
So that’s a prevention thing. But even though you have created this barrier that is going to protect you, of course something might happen.
And during an incident, then you would like to act. Like we saw the diagram with the arrows across the world. So you need to be able to know, should I talk to the law enforcement? Who can help with these hard decisions?
But then after everything is resolved, unfortunately, it might be the case that some disaster happened as well, but regardless, you would like to collect some statistics, collect data, draw conclusions of what’s happening so you have a feedback loop afterwards, after the action where you collect information what actually happened.
And that feedback and the statistics is, in turn, of course, supposed to help to increase the prevention methods that you are implementing.
So in reality, you have a circle of action, feedback, reaction, and prevention, which goes around and around and around.
So the important thing is to think about the security, not only as Marc said to do it beforehand, but also to update your prevention mechanism according to what happened, according to recent incidents. Both in your organization but also in other organizations. And how can you get to know what you should do? Well, you talk to the organizations that are the good ones, you’ve got statistics and feedback, which might be different organizations than the one that helped during the attack, which are different organizations than the one that helped with the prevention.
So we have multiple organizations depending on where in this cycle you are at the moment that you want to talk to, but you also have different organizations depending upon what kind of problem it is.
Because I just gave an example with a voice application, but on the Internet, of course, we can run many different applications and services on top of an Internet access.
So it ends up being pretty complicated to know who you are going to talk to, just simply like I’ve got a DDOS attack against me. Who am I supposed to talk to? Who knows where that flow is coming from?
That can be really difficult to know.
Even if you know the IP address for some weird reason where the attack is coming from, who knows where that IP address is? That’s a complicated question that I work quite a lot with the police in Sweden to try to figure out what is the best way of sorting that, to resolve the issue of finding where an IP address is. Because the ISP may not know where geographically the end of the IP address is.
It’s the one owning the fiber or the copper pair that knows where the IP address is, or even the cell phone provider that can do triangulation of the radio.
So even for one sort of simple thing like an IP address, and about the data that you asked me, Bertrand, it is pretty – there are multiple providers involved in collecting information, even within the same geographical area. And then on top of that we have the multiple dimensions across the world that you just heard about.
So this is extremely complicated.
But it’s not only that. It’s also the case, of course, that if you are an enterprise or if it is the case that you have a network, and all of us have at home, if we connect computers or networks to the Internet, what we connect ends up being a part of the Internet. And this is also a change in the thinking of the world compared to in the old days when we connected a phone to the phone network. In Sweden, at least, it was the case that we could even only buy phones from the incumbent. They approved the phones. It was their phone jack. They had complete control over the whole system.
Today, when I connect something to the Internet, my things end up being part of the Internet.
So personally, I am a little bit irritated on all the pictures in gross which is here is my computer, here is my network, and over there is the Internet. The Internet includes my stuff.
And because my stuff ends up being a part of the Internet, I am also responsible for that piece of the Internet.
So we have a shared responsibility. And because of that, it is even more important that we talk with each other.
So who should you talk to? Well, the thing is you should talk to the one you trust, and you should talk to the ones that actually help you.
Which means that this is to a certain degree competition and market economy regarding services.
There are multiple CERTs out in the world, and, yes, we at Cisco have one. Many of the manufacturers have CERTs, just like countries, just like organizations that you saw before, and each one of those gives a different kind of service. Some of them are better during the actual action during an incident, some are better regarding the statistics collection, and you talk to the one that gives you help.
You give information to someone if it is the case that you trust them that they are only going to use the information, what they are telling you what they are going to use it for, and specifically you are giving information to them if you get more data and information back than what you give them. Basically, it helps you to talk with them.
If you have a country and you have three or four Internet service providers in the country, I claim that a CERT will not be created in that country as long as the ISPs can talk to each other. It must be easier for each one of the ISPs to talk to the CERT than to talk to all the other ISPs.
So to a certain degree the CERT is really a coordination center that makes it easier for organizations to, first of all, exchange this information and create this feedback loop. But also, all of this trust normally starts by having individuals trust each other. That needs to grow into having organizations trust each other. And when organizations trust each other and when you start to pass data back and forth – I am trying to grow into, to move into your question here, Bertrand – then you need to create a legal framework. You need to set up NDAs between the organizations, you need to have a formal structure. But that is built according to a bottom-up process.
Trying to tell someone that you as an organization, you must give your information about all the security incidents and everything that has happened to this other organization, being told that is a little bit uncomfortable.
It’s much better if you start with the bottom-up process, start to understand that you should give out the information, that it helps.
So all of these organizations work together in an ecosystem where you have multiple processes going on and multiple CERTs, and certainly they are overlapping, but all of them are solving a problem. If they don’t solve a problem, they will go away because people will not share information with them.
So now when the information is shared, it could be both tracking, for example, phone calls and IP addresses, which is as part of the prevention methods. It could also be during an incident or after an incident happened that you collect statistics.
Is it dangerous to exchange information? Well, I think what Bertrand and I talked about yesterday is that the answer is, for that as well, it depends. It depends very much on who is asking, what query is allowed to the data, and when you ask, do you get – what information do you get out? Just because of the authentication authorization to the database, it might be the case that different parties querying get, even though they issue the same query, get different data back.
So, for example, an IP address by itself might not be dangerous at all. But the IP address and a usage pattern or traffic flow or the connection to a customer, that might be privacy information, and most certainly is under some legislations.
So the collection of data by itself doesn’t have to be dangerous.
But it is the usage and how it’s queried and what it can be used for which is the problem.
And that’s why after a while of this informal network of individuals, you need NDAs and the formal structures. But once again, built in a bottom-up process. There are multiple of these, and specifically I see different organizations, depending on at what part of this feedback circle we are working.
Thank you.
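As an added illustration, not part of the transcript, of the point made above that the same query can return different data depending on who is asking and what they are authorized to see: a small Python model of a trust-gated lookup in a shared incident database. The trust tiers, field policy and records are all constructed for the example.

```python
"""Trust-gated lookup for a shared incident database (constructed example)."""
from enum import Enum
from typing import Optional


class Trust(Enum):
    # Assumed trust tiers for parties querying the shared store
    PUBLIC = 1
    PARTNER = 2          # e.g. a peer ISP or CERT under NDA
    LAW_ENFORCEMENT = 3


# Constructed sample records. The IP by itself is harmless; the link to a
# customer and the traffic pattern are the parts that become privacy data.
RECORDS = {
    "192.0.2.10": {
        "address": "192.0.2.10",
        "abuse_contact": "abuse@example.net",
        "traffic_pattern": "UDP/53 spike, 400 kpps (constructed value)",
        "customer": "Example Hosting AB, contract 4711 (constructed)",
    },
}

# Lowest trust tier permitted to see each field (assumed policy)
FIELD_POLICY = {
    "address": Trust.PUBLIC,
    "abuse_contact": Trust.PARTNER,
    "traffic_pattern": Trust.PARTNER,
    "customer": Trust.LAW_ENFORCEMENT,
}

# Who asked for what: the record that feeds the feedback loop afterwards
AUDIT_LOG = []


def query_ip(requester: str, trust: Trust, ip: str) -> Optional[dict]:
    """Answer the same query differently depending on the requester's tier.

    Every query is logged, whether or not it matched, so the data owner can
    later review usage rather than only collection.
    """
    record = RECORDS.get(ip)
    AUDIT_LOG.append((requester, trust.name, ip, record is not None))
    if record is None:
        return None
    return {
        field: value
        for field, value in record.items()
        if trust.value >= FIELD_POLICY[field].value
    }
```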