Home / Blogs

Why Are Internet Security Standards Badly Deployed and What to Do About It?

In 2019 under the aegis of the Internet Governance Forum, a pilot project was conducted into the causes of and solutions for the, in general, slow deployment of internet security standards. Standards that on mass deployment make the Internet and all its users safer, indiscriminately, immediately.

The report

Recently the report 'Setting the standard. For a more Secure and Trustworthy Internet. The Identification of Pressure Points in Society to Speed up Internet Standards Deployment', was published on the IGF website. Information was gathered by means of an international survey, breakout sessions at the IGF, dozens of interviews with stakeholders and desk research. It focused on two questions: 1) What are the reasons for slow deployment? and; 2) What are solutions to speed up deployment? This showed that underneath all other provided reasons lies a collective action problem. To break out of this state of inertia, 6 recommendations, 25 identified pressure points in society, and 7 action plans are presented — including identified stakeholders who have to be(come) involved to have a chance at success in speeding up deployment.

Six standards

The project took six standards as examples to start the discussion, three internet standards by the official definition, DNSSEC, RPKI and bcp38 and three not: OWASP top 10, ISO 27001 and the Safe Software Alliance principles. For ease of writing and reading, all are called internet standards within this context.

Causes

Many participants agreed on the main cause for the slow uptake: the lack of a business case. If there is no demand, in general, there's no offer. Research showed that there are underlying causes. The report shows that there is a lack of pressure on decision-makers; from the sides that matter. As far it was able to ascertain and no one pointing to another conclusion, there is no(t enough) pressure from laws/regulation, media, or consumer organisations. As one of the interviewees stated: "No one cares if you deploy and no one cares if you don't."

Additionally, the overwhelming majority of consumers are not willing to pay for security measures, while/because of not understanding the implications of insecurity. The entrepreneurs willing to deploy, face a negative business case, or operate in a niche market.

Another important conclusion is that it is not (just) technically proficient employees deciding on deployment of the standards. Yet, outreach from the technical community is often aimed at these people. Unfortunately, not reaching the level of success needed to make the Internet safer, as they do not decide on deployment. This calls for different aims and for a change of narrative. It is the owners, board members, financial officers who need convincing. That may take pressure from other stakeholders to achieve change.

Governments have not taken internet standards into law (ISO 27001 is a voluntary exception), as is the preferred situation of nearly all we've spoken to. At the same time most of the efforts of governments (agencies) but also e.g., banks concerning cybersecurity are aimed at the only stakeholder with limited power where deployment of standards is concerned: the consumer or "user" as the internet industry prefers to call its customers. In other words, there are no carrots and no sticks of any kind, making it far worse than having no business case.

Collective Action Problem

All this results in a collective action problem, where there is no demand and no incentive to change behaviour and deploy the Internet standards. Usually, it is the government that society looks towards for solutions. In many sectors, this is completely normal and accepted behaviour. Health, (air)traffic , agriculture, etc., etc.. A question in need of an answer is, what makes the Internet so different and justifies the absence of governments, while the market cannot solve the enormous security challenges facing it? Perhaps it becomes necessary to look at the problem as a (digital) health issue. What perspectives does that provide to act upon?

This report does not answer these questions. It searched for potential solutions and pressure points in society that can contribute to breaking up the collective action problem. A few examples are presented below.

Recommendations

The six recommendations are an accumulation of advice provided. Although there is a near consensus among participants that action is needed, there is no consensus on the precise way forward. The first five were tested in the breakout sessions (number 6 came out of the sessions) at the IGF and are seen as sensible.

1. 'Create a business case for the deployment of internet standards.'
2. 'To deploy internet standards successfully, they need to be incorporated by reference into law or legally binding regulations, including a designated regulator.'
3. 'To deploy internet standards successfully requires building security by design/default into products and services.'
4. 'All stakeholders should collaborate on coherent strategies for multilingual awareness-raising of internet standards and their effect on internet security.'
5. 'Internet standards and architecture must become part of education curricula.'
6. 'Standardisation processes are advised to include a consultation phase with government and industry policy makers and civil society experts.'

The paradox this report bares is that a large proportion of the participants see legislation as the only option to force the industry into deploying, yet no one wants it. As legislation is seen as the least desirable option, this comes with a moral obligation to step up on all others. No legislation can and may not equal non-deployment. Hence the pressure on those having to deploy needs to be created elsewhere. The report mentions 25 options, from parliamentarians addressing the issue to industry, to consumer organisations testing ICT services and products, from regulation to media publications.

Next steps

Where deployment of standards is concerned, a government can take on a few roles. Standards could be demanded by them through procurement. Standards could be demanded on the basis of duties to care. A question in need of an answer is what regulators can achieve on the basis of current laws, whether telecommunication, privacy, consumer, etc.. When all else fails, the government is the legislator, but even then, cooperation is of utmost importance.

Mistrust of governments is one of the reasons mentioned why the technical community remains more or less aloof from other stakeholders that could play a role in making deployment happen. It is of the greatest importance that these others understand what internet standards are, why they exist, how they are made, and what the importance of deployment is for a more secure internet. To ensure that the future measures are the right ones, interaction is key. Hence the reason this report invites IETF en ISOC to participate actively in the next phase and assist in the creation of a change of narrative and the direction of outreach, to prevent legislation where possible. Their role lies in leading the other stakeholders forward and to make plausible deniability of not having heard of Internet standards in need of deployment impossible — at the highest levels of industry and society at that. Why? The decision to deploy seldom is a technical decision but a financial one, an investment (without return). This calls for a different approach and narrative.

All this translates into seven actions that you can find in the report. To massively deploy internet standards is and will be a herculean task involving many stakeholders with different and most likely competing interests. Deep down, however, all stakeholders around the globe have the same interest: not to be hacked, not to have compromised or lost data, not to lose money, etc.. This is a starting point. And, when all is said and done, all will have to pay for security. That goes without saying.

Conclusion: a no-brainer

Ideally, this report is not the end but a beginning. To start work on deployment by enacting the recommendations and gather the stakeholders in the action groups. The IGF is a neutral platform where all involved are equal. The first and most difficult steps can be conducted here before the results are taken outside of the IGF to be implemented. All with one aim: to make deployment of security raising standards a no-brainer for all involved.

You can find my report on the IGF website:
https://www.intgovforum.org/multilingual/content/implementing-internet-standards-and-protocols-for-a-safer-internet

By Wout de Natris, Consultant internet governance

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

VINTON CERF
Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Comments

IGF untrusted site By Anthony Rutkowski  –  Mar 12, 2020 10:13 am PDT

It is ironic if not amusing that the IGF site digital certificate for trust, simply says it is a website at CloudFlare.  IGF can't buy a better digital certificate that actually identifies them??  So much for implementing standards for a safer internet. So much for truth in digital identity.

Thank you for your reply and I By Wout de Natris  –  Mar 13, 2020 4:28 am PDT

Thank you for your reply and I have forwarded it the IGF secretariat with a request to look into it. But on the other hand, maybe you could ask yourself whether a comment like this aids the general need for a more secure internet and safer ICT products and services?

The concern is real and significant By Anthony Rutkowski  –  Mar 13, 2020 5:44 am PDT

FBI notices are not issued frivolously.  The IGF is not setting a good example here. 

Untrusted websites are responsible for numerous security/safety problems, and the flooding of the market with these kinds of certificates - usually free, with zero vetting and flaws - is at the heart of the matter.  When X.509 certificates were developed 30 years ago by the security community and standardized in ITU-T and ISO, it was to provide for the ability of end users to understand who they were actually dealing with at a significant trust level.  Here, we only know that it is a site on a CloudFlare server with that domain name.

It is a poor example to the world - simply to save a few Euros.

--tony

I stand corrected. The IGF told me By Wout de Natris  –  Apr 01, 2020 8:36 am PDT

I stand corrected. The IGF told me that the issue is fully understood and less insecure than it seems, as the rating shows.

P.S., the IGF's website scores 95% on By Wout de Natris  –  Mar 13, 2020 4:34 am PDT

P.S., the IGF's website scores 95% on www.internet.nl.

Add Your Comments

 To post your comments, please login or create an account.

Related

Topics

DNS Security

Sponsored byAfilias

Brand Protection

Sponsored byAppdetex

Whois

Sponsored byWhoisXML API

New TLDs

Sponsored byAfilias

Cybersecurity

Sponsored byVerisign

IP Addressing

Sponsored byIPv4.Global

Domain Names

Sponsored byVerisign

Cybercrime

Sponsored byThreat Intelligence Platform