Home / Blogs

Why Vint Cerf is Wrong

Don't miss a thing – sign up for CircleID Weekly Wrap newsletter delivered to your inbox once a week.
Wout de Natris

At the Internet Governance Forum in Baku, I made an intervention on behalf of NL IGF, reporting on the recommendations given by the participants of Workshop 87. Participants coming from positions representing most actors on and around the Internet. As one of circa ten recommendations, I concluded that more regulatory and law enforcement bodies need to become part of the IGF discussions, as they are an integral part of governing the Internet from a safety and security perspective. Mr. Cerf responded with a one-liner: "I can't help observing, if we keep the regulatories confused, maybe they will leave us alone". There seems to be a misunderstanding between us that I would like to clear up.

Workshop 87

This workshop took on one of the most difficult topics concerning Internet governance, cross border cooperation between (public and private) entities. The specific topic was incidents concerning critical (Internet) infrastructure, but could have been on cyber crime, fraud, spam, botnet mitigation, etc. The discussion would hardly have been different.

The participants came from governments, an international governmental organisation, the CERT community, private companies, an Internet resource organisation, in this specific case a ccTLD, national centres for botnet mitigation (to be) and a regulatory body. In short all but traditional law enforcement, who, NL IGF found, could not be enticed to participate in a discussion on cross border cooperation. There was an interesting discussion between the different panellists, showing, among other things, that public — private cooperation is a normal phenomenon for most participants, but not always easy to achieve, nor always institutionalised. They all shared recommendations, which will be published soon on the website of NL IGF. Let's go into specifics relevant to this blog post.

Regulatory bodies

Traditionally a regulatory body has a task to regulate a market. The Internet so far has managed to stay away from regulation. Mainly because the Internet is a market that works and does not need regulation.

This has shifted somewhat in the past four years, as the Internet has become substantially less safe to use and governments worry about safety and security of the state, its citizens and institutions. This is normal as it is one of the main tasks of the state. The discussions are mostly about how the Internet can become safer, looking at the public functions some private organisations perform, like distributing domain names and IP addresses. It is not in this context that the term 'regulatory bodies' was used by me at the IGF.

Enforcement bodies

Several regulatory bodies have been given enforcement tasks on spam, malware, online fraud, identity theft. They come from a telephony, consumer and privacy regulatory background. Some function very successfully like the U.S'. FTC, the Australian ACMA and the Dutch OPTA, in other countries enforcement tasks were given to regulatory bodies also, but they are less or unsuccessful, e.g. because they do not give enough or any priority to enforcement tasks. For known and unknown reasons. The bodies who are successful, need to be engaged in Internet governance. Especially now that initiatives are sprouting in several countries on cyber security strategies and botnet mitigation centres. An international comparative study shows that cooperation does not come natural to most national centres and regulatory bodies. (Click here for the study.)

If countries can become more aware of the possibilities they have at "regulating" around the Internet, this would make the Internet environment safer for everyone, without impeding in any way on private initiatives that have made the Internet to what it is today. Better, if public and private parties know what they can expect from each other, a lot of efficiency can be reached at saving energy and cost. Like the Cyber Crime Working Party initiative at RIPE NCC has shown and is working on, through managing expectations and standardizing information streams. And best is when through coordination a national body is able to chose which entity is best equipped to deal with an incident. Private? CERT? Regulatory? LEA? All together? This can only happen when all are equipped in the right way and connected at the national level. Preferably through a national strategy.

The participant from a regulatory body in the NL IGF panel in Baku e.g. also runs the national CERT and the national botnet mitigation program. In other words, from his perspective there is a clear need for more cooperation. Especially with countries that have not given the kind of priority his country has to security and safety tasks. Because on the one hand Finnish government and companies are threatened from abroad and there is no one at the other end to stop these threats, while at the same time he has information on threats going to these countries, with no one to mitigate them on the other side. Cyber security cooperation works both ways, if there is a level playing field.

Foreseeable results

By engaging these regulatory bodies, including traditional law enforcement, into discussions of Internet governance, several results can be achieved. Governments are made aware of the need to speed of action at the enforcement and security level and learn first hand what works, copy and help shape best practices and are made to understand that doing nothing is no longer an option. Regulatory bodies get to know counterparts at major companies, organisations and governments that they need to engage with in order to be more successful. The Internet industry gets to know their counterparts within law enforcement and builds a trusted relationship. Only by supplying information governments and law enforcement can be made to understand where true priorities lie. This way both sides can manage expectations and efficiency is reached in their mutual contacts.

Self regulation

I, for one, am convinced that the Internet and ICT industry can go a long way making the Internet a safer environment for all end users through self-regulation. Not that this is common practice at this moment, as in the past years the technical community has focussed on enabling the ease of use of the Internet and ICT products, while others have focussed on making money.

It is only if industry fails at self-regulation that regulation becomes an option. Several recent initiatives show that diverse Internet industry bodies are working on self-regulatory initiatives that can make a major difference in the future. Governments are supporting these initiatives like AbuseIX in The Netherlands, the German, Swiss and Finnish botnet centres and the EU funds 50 % of the ACDC project.

However, this is not enough. If law enforcement does not become involved or is made to understand where cyber crime meets cyber security and (is made to) prioritize accordingly, all present and future initiatives are mopping activities only, as the criminals remain in control of the tap. They need to get arrested or if this is impossible, frustrated in such a way that they employ themselves elsewhere. Only a public — private partnership can achieve this.

Communication and cooperation

Mr. Cerf's own company, Google, in the panel stated that they cooperate in a standardized as well as in an ad hoc way to mitigate security incidents. With public and private institutions. I.e., most likely including, government bodies that (also) have regulatory and enforcement tasks beyond market regulation. And this is a good thing as communication, understanding, trust and cooperation lead to a safer Internet.

If the world manages to establish these lines of communication and cooperation, crime on the Internet will be pushed back to more acceptable levels. If this does not happen, it is the Internet and the Internet industry and companies that will get hurt in the process.

Every day life is not safe, but we are all under the impression that it is and function as such. The same situation needs to be created for the Internet. This can only be achieved if government and private sector cooperate, just like in the offline world and that includes regulatory bodies. That is why Vint Cerf is wrong and with his comment runs a risk of frustrating developments that the world actually needs rapidly in order to keep the Internet as it is. A great open tool for all (well almost all if we bar criminals), to use at ease, in work and play. Something no one with a right mind wants to lose. (This last comment is not aimed at Mr. Cerf, but at the ongoing WCIT discussion.)

For the transcript of my intervention and Mr. Cerf's response click here and scroll to the near bottom.

By Wout de Natris, Consultant international cooperation cyber crime + trainer spam enforcement. More blog posts from Wout de Natris can also be read here.

Related topics: Access Providers, Cybercrime, Domain Names, ICANN, Internet Governance, IP Addressing, Law, Malware, Policy & Regulation, Privacy, Security, Spam



I agree with Wout here, as always Suresh Ramasubramanian  –  Nov 21, 2012 8:32 PM PDT

And I hope (and rather know) that Vint can be rather more nuanced than that.  This was entirely the wrong approach for him to take.

I tagged him on fb with this article by the way Suresh Ramasubramanian  –  Nov 21, 2012 8:38 PM PDT

and hope there's a little more reasoned debate here than there was at baku.

To post comments, please login or create an account.

Related Blogs

Related News

Explore Topics

Sponsored Topics

Promoted Posts

Now Is the Time for .eco

.eco launches globally at 16:00 UTC on April 25, 2017, when domains will be available on a first-come, first-serve basis. .eco is for businesses, non-profits and people committed to positive change for the planet. See list of registrars offering .eco more»

Boston Ivy Gets Competitive With Its TLDs, Offers Registrars New Wholesale Pricing

With a mission to make its top-level domains available to the broadest market possible, Boston Ivy has permanently reduced its registration, renewal and transfer prices for .Broker, .Forex, .Markets and .Trading. more»

Industry Updates – Sponsored Posts

Leading Internet Associations Strengthen Cooperation

5 Afilias Top Level Domains Now Licensed for Sale in China

Radix Announces Largest New gTLD Sale with Casino.Online

2016 Year in Review: The Trending Keywords in .COM and .NET Domain Registrations

Global Domain Name Registrations Reach 329.3 Million, 2.3 Million Growth in Last Quarter of 2016

i2Coalition to Present Tucows CEO Elliot Noss With Internet Community Leadership Award

A Look at How the New .SPACE TLD Has Performed Over the Past 2 Years

Verisign Releases Q4 2016 DDoS Trends Report: 167% Increase in Average Peak Attack from 2015 to 2016

Michele Neylon Appointed Chair Elect of i2Coalition

Verisign Q3 2016 DDoS Trends Report: User Datagram Protocol (UDP) Flood Attacks Continue to Dominate

2016 U.S. Election: An Internet Forecast

Government Guidance for Email Authentication Has Arrived in USA and UK

Afilias Chairman Jonathan Robinson Wins ICANN's 2016 Leadership Award at ICANN 57

ValiMail Raises $12M for Its Email Authentication Service

MarkMonitor Supports Brand Holders' Efforts Regarding .Feedback Registry

Don't Gamble With Your DNS

8 Tips to Find Your Perfect .COM Domain Name

Why .com is the Venture Capital Community's Power Player

Defending Against Layer 7 DDoS Attacks

Understanding the Risks of the Dark Web