Panel – Cybersafety and Resilience at the Internet Infrastructure Layer
Brief session description:
Thursday, July 25, 2019 – Many US core internet infrastructure assets – the Domain Name System, content distribution networks, fiberoptic networks, mobile networks, telecommunications satellites, energy networks – are high-value targets for cyber attacks from myriad antagonists. The level of vulnerability is constantly changing and the recoverability of assets is even less transparent. This panel was asked to explore the current threat environment and ongoing efforts to address attacks and create resilience, and to define the efforts to harden and smarten the Internet infrastructure via standards in industry collaboration and norms for reporting.
Moderator – Melinda Clem, vice president, strategy, Afilias, and co-chair, IGF-USA
Chris Betz, chief security officer, CenturyLink
Danny McPherson, executive vice president and chief security officer, Verisign
Ram Mohan, chief operating officer, Afilias
Allan Friedman, director of cybersecurity initiatives, NTIA
Details of the session:
The cyber safety and resiliency panel at IGF-USA featured discussion among security experts regarding current online threats and the efforts that can be taken to mitigate those risks.
Afilias Chief Operating Officer Ram Mohan kicked off the discussion by raising his concerns regarding the increasing capability of both state and non-state actors to launch malicious online attacks.
“If we don’t get to the point where we agree on norms or we have some mechanism to agree on norms,” Mohan said, “my fear is that every turn of technology is going to be leveraged for offensive capabilities. And those of us who are on the defensive side are going to be stuck with the previous turn of technology.”
CenturyLink Chief Security Officer Chris Betz added to Mohan’s point by emphasizing the rising incentive of malicious actors to launch attacks and the increasing sophistication of the tools used to do so.
“The desire for more data, the desire to access that data, and the desire to disrupt the use of that data continues to grow,” Betz said.
Mohan pointed out that malicious actors can now use a network of small devices to mount attacks instead of relying on a single piece of sophisticated hacking software.
“It’s an army of ants that brings on an elephant,” Mohan said.
Danny McPherson, executive vice president and chief security officer of Verisign, touched on the recent Sea Turtle cyber espionage campaign made public in April 2019. The hacker group utilized DNS hijacking to target 40 different organizations and compromise country-code top-level domains – the suffixes such as .co.uk or .ru that end a foreign web address – putting all the traffic of every domain in multiple countries at risk.
As far as efforts that can be taken to prevent attacks like this in the future, the panelists discussed a variety of strategies from the consumer level to the governmental level.
McPherson said organizations and governments that operate critical infrastructure ought to have a basic set of controls in place to ensure safety. McPherson pointed to multifactor authentication as an example.
Building on that point, Mohan discussed a simple step that can be taken by consumers to help ensure their data is protected. Using two-way authentication to log into a bank account as an example, Mohan explained that users should simply make up the answers to security questions that ask the names of things such as high school mascots and childhood street addresses to prevent hackers from discovering the real answers and using them to steal information.
“We are all leaving a long digital trail and there are ever more dots being connected,” Mohan said.
Additionally, McPherson emphasized the need for consumers to understand where their data is stored for apps such as Password Manager and iCloud, stating consumers should “understand what enables what you care about and where it lives.”
NTIA Director of Cybersecurity Initiatives Allan Friedman spoke about cybersecurity best practices at the governmental and organizational level, saying companies and governments must investigate cyberattacks more thoroughly to prevent them from happening again in the future.
“If we want greater transparency and to understand our threats in real time we need a better postmortem following serious cybersecurity incidents,” Friedman said.
Friedman stressed the importance of acquiring more cybersecurity talent within the U.S. government to improve national security and help prevent further attacks.
When asked about the effectiveness of hacking back as a way to combat cyber threats, the panelists agreed this is not a viable option. Betz said the disruption of malicious activity is far more useful than hacking back.
“Hacking back is far too risky and not something we would consider,” Betz said.
Betz emphasized the importance of integrating security into other online realms to make online tasks, such as logging into a bank account or social media, a more seamless experience.
“It’s really easy to make security complex,” Betz said. “It’s much harder to make it a seamless part of what people do every day.”
– By Zach Skillings
The multimedia reporting team for Imagining the Internet at IGF-USA 2019 included the following Elon University School of Communications students, staff and faculty:
Janna Anderson, Maeve Ashbrook, Elisabeth Bachmann, Bryan Baker, Paloma Camacho, Samantha Casamento, Colin Donohue, Abby Gibbs, Jack Haley, Hannah Massen, Grace Morris, Jack Norcross, Maria Ramirez, Brian Rea, Alexandra Roat, Baylor Rodman, Zach Skillings, Ted Thomas, Victoria Traxler, Julia Walter, Courtney Weiner, Mackenzie Wilkes and Cameron Wolfslayer