The Internet engineering community debated the steps it can take to harden the Internet against pervasive surveillance from well-funded governments and other adversaries in a packed technical plenary session held during IETF 88 in Vancouver.
The discussion was prompted by recent revelations that the US National Security Agency (NSA) was involved in a wide-scale global Internet and telephone surveillance program in conjunction with other governments and commercial vendors. The Internet Architecture Board (IAB) focused its discussion on what can be done in terms of protocol design and development to protect the Internet and its users from pervasive monitoring attacks.
“We’d like to focus on who needs to be doing work in the technical community both here in the IETF and elsewhere,” said IAB member Alissa Cooper, distinguished engineer at Cisco. “We in the IAB need to be thinking about longer-term architecture issues, opportunities for stronger security, and potential barriers to stronger security.”
Cybersecurity expert Bruce Schneier, chief technology officer of Co3 Systems, set the stage for the discussion by explaining the scope of Internet traffic monitoring being conducted by the NSA and other government agencies.
“The NSA has turned the Internet into a giant surveillance platform,” Schneier said. “This is robust. It is robust politically, it is robust legally, and it is robust technically.’’
Schneier pointed out that it isn’t only the NSA that is involved in extensive Internet traffic monitoring.
“This is what any well-funded nation state or adversary would do,” he said. “The US has a privileged position on the Internet that allows it to do more, and it has an enormous budget. But we know other countries do the same thing.”
Schneier said the choice facing network engineers is whether they will continue to support an Internet that is vulnerable to all attackers, or whether they will make the Internet secure for all users.
“We have made surveillance too cheap, and we need to make it more expensive,” he said. The goal is to make eavesdropping expensive to force NSA to abandon wholesale collection in favor of targeted collection.
Schneier gave the IETF community three recommendations for hardening the Internet: (1) deploy encryption ubiquitously on the Internet backbone, (2) encourage dispersal of Internet traffic targets rather than centralization in the hands of a few companies, and (3) develop user-friendly application-layer encryption.
“We need more open standards and open source tools because these are harder to convert to attacks,” he said. “We need better integrated anonymity tools and real assurance… Long term, we need to get everyone to understand that a secure Internet is in everyone’s best interest.”
Brian Carpenter, a former IETF chair and now a computer science professor at the University of Auckland, gave a historical talk focused on how the Internet engineering community has handled similar cybersecurity issues in the past.
Carpenter acknowledged that the IETF didn’t take security seriously before 1998. “There was a general tendency to ignore security issues, including confidentiality and privacy, until the late 1990s. That’s a fact,” he told the audience.
However, he pointed out that the Internet engineering community has twice confronted security-related public policy issues similar to the recent NSA revelations.
“Surveillance is not a new phenomenon,” Carpenter said. “Don’t have the impression that this is just the NSA or just the US government.”
The first of these IETF debates, held in 1996, dealt with a movement by many governments to restrict the use and sale of strong cryptography, which is a foundational technology for e-commerce. The result of this debate was RFC 1984, signed by both the IAB and the Internet Engineering Steering Group (IESG), which encouraged policies that allow ready access to strong cryptographic technology for all Internet users.
In 1999, the IETF had a similar debate about Internet wiretapping. The result of that debate was RFC 2804, also signed by both the IAB and the IESG, which stated that the IETF would not consider wiretapping as a requirement for creating or maintaining IETF standards.
Carpenter said the underlying principal of these two previous IETF debates is that “IETF technology should be able to make the Internet secure, including the ability to provide privacy, but it should be neutral with respect to varying cultural views of legality and privacy.”
The final speaker at the technical plenary was Stephen Farrell, an IETF security area director and a research fellow in the School of Computer Science and Statistics at Trinity College Dublin. Farrell urged IETF participants to view the NSA activities as an attack and try to mitigate it.
“Forget the motives. Forget the political stuff. Look at the actions of the NSA and its partners – whether coerced or not—as a multifaceted form of attack,” Farrell said. “It’s not unique. The NSA and its partners are doing it, but others are doing the same though perhaps on a smaller scale.”
Farrell said the IETF should focus on driving up the cost of pervasive monitoring through such actions as encouraging the use of encryption.
“What would be the impact if we turned on Transport Layer Security (TLS) more ubiquitously?” he asked. He also suggested TCPcrypt and IPSec as ripe for additional deployments. “What about Secure/Multipurpose Internet Mail Extensions (S/MIME) and Pretty Good Privacy (PGP)? We need to do the same for Session Initiation Protocol (SIP). We need end-to-end security for e-mail, instant messaging and Voice over Internet Protocol (VOIP).”
Farrell said it will be harder to secure real-time Web communications and sensors deployed in Internet of Things applications. Another hard problem is how to prevent the extraction of metadata through Internet traffic analysis.
“We need to take steps, do them openly, and start now,” Farrell said. “It’s not just about us taking action through the IETF. We also need to go back to our companies and try to get them to take action. Lots of companies are looking at their source code. Operators are looking at their networks.”
Farrell concluded that the NSA revelations don’t represent a new attack on the Internet, but an attack at a larger scale.
“The right response for us is, as usual, to develop technical mitigations not to solve the problem but to make it harder to do widely pervasive monitoring,” he said. “The goal is to make it significantly more expensive for a bad actor.”
The technical plenary speakers generated vigorous debate about what the IETF should do to improve Internet security and privacy during the open mic session. More than two dozen attendees asked follow-up questions or made suggestions to IAB members about how best to harden the Internet.
“My little box here is running IPsec, TLS and Domain Name System Security Extensions (DNSSEC),” said Russ Mundy, an engineer with security firm Parsons, pointing to his laptop. “I urge everybody in this room to have some amount of this security capability themselves on their own machines. Turn it on, and start using it right now… Work within your own organizations to deploy it, and push your providers to give it to you.”
Google engineer Erik Kline suggested the IETF community consider the economics of deploying cybersecurity solutions. “SSL certificates are still not the default,’’ he said. “Most of the vendors charge more for SSL. There are economic incentives stacked against people who want to do security.’’
Michael Abramson of Advanced Systems Management Group worried aloud about the usability of Internet security protocols such as DNSSEC. “How do we expose failure modes to users, and how do they interact with all this cryptography?” he asked. “I don’t know if there are any usability experts active in the IETF, but I think we need some.”
Terry Davis, who develops aviation networks, pointed out that within a decade aircraft will be communicating to ground control via the Internet, heightening the need for security. “We first spoke about Internet hardening back in 1998 for [industrial control and aviation] networks. We really don’t provide any good guidance to build these type of networks,” he said. “I encourage the IESG to form a working group on critical networking infrastructure.’’
At the end of the discussion, IAB Chair Russ Housley tried to gauge interest in taking action on pervasive monitoring by asking attendees to hum in response to particular questions. The audience overwhelmingly responded in favor to questions about the IETF’s willingness to respond to pervasive surveillance attacks, whether or not the IETF should consider the threat of pervasive surveillance attacks when approving standards track specifications; and whether or not the IETF should include encryption where practical.
At the IETF administrative plenary later the same day, IETF Chair Jari Arkko called pervasive monitoring a very important topic with high impact on all Internet users.
“From my perspective, it’s not that sensible to react to specific incidents [rather than] take them as a sign that our Internet is not as secure as it should be,” Arkko said. “There’s so much interest by regular Internet users, politicians, vendors, service providers and even some governments. It is an opportunity for us to actually make a change—perhaps a unique opportunity—so let’s use this moment to make a fundamental improvement to Internet security.”
In sum, there appeared to be a consensus among IETF participants and leaders in Vancouver to improve the technical standards of the Internet in order to improve the privacy and security of the Internet and thereby make large-scale surveillance efforts more difficult.