Internet Society Panel Explores Internet Security, Privacy Outlook

New challenges, emerging technologies will influence this ongoing tussle over the next decade

By: Carolyn Duffy Marsan

Date: November 1, 2014

No technological magic bullet is on the horizon to solve the Internet’s security and privacy challenges during the next 10 years, according to a panel discussion sponsored by the Internet Society (ISOC) that was held in conjunction with IETF 90 in Toronto.

Moderator Andrei Robachevsky, technology programme manager at ISOC, noted that the Internet engineering community lacks a good understanding of the overall security and privacy qualities of the Internet as a whole.

“Some of the fundamental elements have known vulnerabilities. Take for instance, BGP [Border Gateway Protocol] and TLS [Transport Layer Security]. While fixes are underway, they are far from being widely deployed,” Robachevsky said. “At the same time, if you look at the Internet, so far it has proven to be very resilient. What holds the Internet together? Is it technology? Is it people? Is it money?”

Robachevsky asked four experts to identify key issues that will shape Internet security and privacy during the next decade.

Lucy Lynch, director of Trust and Identity Initiatives at ISOC, said the main challenge for improving the Internet’s security and privacy is scale.

“I think we have in the security domain and in the privacy domain some of the tools we need. Sometimes they work well together, and sometimes they conflict,” Lynch said. “What we don’t have is a systems view of how you compose those elements at scale… Getting a systems point of view with our current elements that allows us to operate at scale is the end goal 10 years from now.”

Cisco Fellow Dave Oran said the Internet increasingly reflects all the problems of the physical world, including conflicts, politics, money, and criminality.

“Our challenge looking out 10 years is can we from a technology, policy, and overall citizens-of-the-world perspective use the Internet to actually improve the world as a whole,” Oran said. “That’s a very difficult job, but our leverage is higher than it’s ever been. That’s one reason I think looking forward to what security technology and what the security environment could be will be critically important.”

Wendy Seltzer, policy counsel and Technology & Society Domain lead at the World Wide Web Consortium, said technological solutions alone can’t fix the Internet’s privacy and security problems.

“As we design technology and as we build on it, we need to think of the interfaces for social controls and legal and regulatory controls to make sure the systems we are building have the properties of protecting users,” Seltzer said. “Some of that will be designing usability into the system so that end users—whether technical or less technical—can understand the choices we are asking them to make and can do appropriate risk analysis.”

Danny McPherson, senior vice president and chief security officer for Verisign, said additional security systems, such as badge readers and travel itineraries, will help protect the network infrastructure; but these systems also create more data, which could be abused from a privacy perspective. He pointed out that once an IP address or domain name has been accused of being a security threat, there is no process for rehabilitating it.

“As there are more indicators of compromise and more intrusion sets and other things that people use to protect systems, one concern is the scorched earth notion,” McPherson explained. “Most of what is shared in security is a number space or name space and maybe some behavioral aspect of the host that appears to be malicious activity. It’s interesting that for a namespace, it’s hard to get that reputation back. We take a scorched earth approach. If I pick up a domain name or an IP address, how usable are those and how much residue is left from previous activities?”

McPherson expanded on that notion by explaining his concerns about information sharing among security-related groups. Today, there is no process for removing misinformation from the data these groups share, he said.

“Closed security groups that are trying to protect against some aspect of attack or a botnet or deal with cybercrime… are very effective,” he said. “But there is not a lot of provenance of where did this data come from, how we get the information back, how we get our reputation back, or what happens if misinformation is injected into this information. In 10 years, we will have a lot of scorched earth in numbers and name spaces. It’s going to be hard to find situations where a number doesn’t break in some [intrusion detection system] or some sensor or some [intrusion prevention system] or is blacklisted somewhere.”

Robachevsky asked the panelists to identify emerging privacy or security approaches that may prove to be revolutionary.

Oran outlined the pros and cons of an alternative architecture known as information-centric networking (ICN) that he has been working on for three years. While the Internet focuses on securing transport channels through protocols, such as TLS and IPsec, ICN doesn’t worry about channels and instead secures content with built-in encryption.

“There are a couple of benefits to this approach. It’s simpler to understand the chain of custody of the content, and it allows you to protect the content at rest in the same way as it was protected while in the communication system,” Oran explained. “These systems were designed with integrity and provenance built in.”

Oran pointed out that while the source of data in an ICN architecture is anonymous, the name of the content is public. “You’re trading off consumer anonymity for content anonymity,” he said. “It’s not clear if that’s the right tradeoff.”

While the ICN approach eliminates many types of attacks, it still leaves the Internet open to Distributed Denial of Service attacks. It’s unclear how Internet business models would evolve in an ICN architecture, Oran added.

“There is no magic bullet,” Oran said. “The hard problems are still hard. Trust management is an unsolved problem in the ICN world, just like in the IP world.”

Oran mentioned two other promising technologies: functional encryption and privacy-preserving query systems. Functional encryption allows a user to perform computations on encrypted data, which is useful for middle boxes that perform operations on data. However, today’s computing technology needs to be orders of magnitude faster in order to make functional encryption practical. Meanwhile, privacy-preserving query systems attempt to improve the data confidentiality of large database systems by conducting limited queries on encrypted data.

“These are just some technologies that may be important in our Internet lives some number of years out,” Oran concluded.

Seltzer added that privacy-preserving query systems depend on cooperative protocols where data collectors limit the data that is being shared and participants limit their disclosures.

“Along with these mathematical tools, we will also need the social organizing functions of distributed systems and technologies that build from control by the end user and that enable us as users to exercise some collective action to demand better security and privacy from the systems that we use,” she explained.

Lynch said the future will require Internet engineers to keep balancing between security and privacy and that this tussle will not end in the foreseeable future. She said the relationship between data collectors and users is asymmetric today, with data collectors having an enormous amount of power while individual data subjects have little power.

“People don’t pay to be part of some of these systems. So they pay with data instead of paying with cash. An economic model that shifts all of that might shift the concern for protecting the individual data subject in a way that’s privacy preserving, but it would require the data subject to be willing to put up something, either accurate and anonymized data or cash or something else,” Lynch said. “It’s more about finding balance points between security, privacy, secrecy, and the public good.”

In response to a question from the audience, Oran pointed out that the Internet engineering community is better at security and privacy than it was 10 years ago, and that more improvement can come in the next decade, too.

“It’s no longer acceptable to design, let alone deploy, a technology without understanding the security properties and consider security as part of the design,” Oran said. “I’m somewhat optimistic that we’ve gone through a phase change. It’s unlikely that somebody gets very far with a design before somebody else asks: How secure is it? What is the threat model? What are the vulnerabilities? And how does it change the attack surface?”