Security: Cyber-Security and Network Confidence
________________________________________________________________________
REAL TIME TRANSCRIPT: Security: Cyber-Security and Network Confidence
APrIGF
11:00-12:30, Tuesday 15 June 2010
Hong Kong
DISCLAIMER: Due to the inherent difficulties in capturing a live
speaker’s words, it is possible this realtime transcript may
contain errors and mistranslations. An edited version of the
realtime transcript which amends the inherent errors, will
be posted later. LLOYD MICHAUX and APrIGF accept no
liability for any event or action resulting from the
contents of this transcript.
________________________________________________________________________
>> : Now may I have Mr Mohamed Sharil Tarmizi, chief officer
of MCMC, to introduce the panel speakers for us.
Please.
>> Dato Mohamed Sharil Tarmizi: Good morning, everyone.
Very happy to be here in Hong Kong. Thank you very
much for the introduction.
Thank you to Edmon, Bianca, the guys from DotAsia.
You have made my life a lot easier by helping in
planning for this session.
We are running a bit behind time, so I was advised
by the organisers to try to catch up.
We have five, including myself, and I’ll explain
why.
We have about six presentations to share with you.
They are very brief presentations about security.
Maybe as a sort of a prelude to that, I just wanted
to say that as we have heard this morning, the internet
has become a critical infrastructure for most of us and
whether you’re a developed country or a adopting
country, the internet has become very important.
As with many other critical infrastructures, it is
also susceptible to threats.
If in the past we all looked at physical threats,
now the threats we are talking about are of a cyber
nature.
The risks that come up and the potential harm that
they can cause is huge.
I am joined by a panel of distinguished people.
I won’t read you their VCs in the interests of time, but
from the far right, we have Mr Michael Mudd who will be
talking a lot about the education side, Mr Thomas
Parenty is talking about the issues concerning cyber
security.
We have an antivirus man there by the name of
Mr Matthew Chan.
We have Christine, who is and we have ram.
I am in a challenging position, because this
morning, I represent the convergent of interests. My
day job, I’m a regulator in Malaysia. So I regulate the
broadcasting broadband internet telecoms industry.
But I have a dual role. I’m also a board member of
impact.
I have a third role later this afternoon, where I’ll
be speaking on behalf of the ITU.
So multiple heads, convergence or confluence of
inflicts, not conflicts.
Very quickly, let me just share with you, to
kick-off, what impact is doing.
We’ll go down the presentation this way. Some of
you, anyone in the room who has heard of impact?
Yeah. One.
We are doing very well.
Basically, impact stands for the International
Multilateral Partnership Against Cyber Threats.
What is it?
It’s non-profit. It looks at creating a team of
experts on cyber threats. It looks at the high level
cyber threats, not national level, but international
cooperation level.
Basically, based on a global partnership environment
and it’s supposed to be multilateral.
All of us are going to be less than five minutes to
speak, in the interests of time,.
We launched impact. Impact is now the physical home
for the global cyber security agenda of the ITU. It
happens to be in Kuala Lumpur.
What the coalition actually tries to do is to try to
bring together the industry experts, academia,
international bodies and think tanks into one place,
a virtual place, called impact, where countries of the
ITU membership can get together and essentially compare
notes, share resources and capabilities.
This is because these are some of the countries
where impact has already deployed some cyber security
services.
What it is that impact does is largely capacity
building, particularly for the developing and lesser
developed countries.
Less are some of the advisory board members of
impact, as you can tell, they are people in the industry
who have been involved in a lot of the cyber threat type
initiatives.
They have a partnership with the ITU. They are not
an agency of the ITU, let me just be very clear.
They are in their own. They have about 45 country
members right now, building up, but they have tied up
with the ITU and also Interpol to look at cyber crime,
cyber threats.
Recently, they signed up with the ITU, to be the
physical home of the global cyber security agenda of the
ITU.
I must stress this because at the same time, they
are working with the UN.
There’s a lot of hype floating around about what
impact is, what impact does and so on, so I can tell you
that they are quite independent of all of that.
I’m going to basically skip this and focus on one of
the areas that impact is working with the ITU and that
is protecting children on-line.
This has become a major agenda, I think for many
countries and many governments and impact is help
progress viding capability and capacity.
The final few slides I have is that the facilities
that impact provides is actually a global response
centre, a platform for experts to collaborate, in terms
of the cyber threats.
Training and skills development centre, where they
work with institutes and other people, counsels and the
rest.
They have also this capacity building environment
for government, where if governments want to know how
well they faired, in terms of their readiness against
cyber attacks or cyber threats, you can have
a benchmark.
Last but not least, they have a centre for policy
and international cooperation.
The partners you can see, I would invite you to go
and see impact’s website for who the partners are, but
basically it’s intended to be an all uncollusive
collaborative platform for governments particularly, but
also multi-stakeholders to get together and discuss
about cyber security and cyber threat issues.
So that’s the presentation on impact.
Let me switch back hats to becoming the moderator.
That is only one slice of cyber security that I’m
talking about.
Maybe more on the slice where governments have some
concerns, physical security, infrastructure security,
but there are other aspects, such as the on-line
protection initiative for children and my fellow
colleagues here on this panel will be bringing to you
the various aspects.
The whole idea here is that we intend to try and
provide the kaleidoscope of security issues for your
consideration as a thought piece for the Asian Pacific
Regional Internet Governance Forum to think about.
We can then, after this, perhaps, in the discussion
session, if we have a bit of time, try and look at
priorities, areas of prioritisation, because the
priorities will be different for each one.
Enough from me.
Can I now invite my colleague, Ram Mohan, to do his
presentation. Thank you.
>> Ram Mohan: Thank you very much.
I’m delighted to be here in Hong Kong. It’s one of
my favourite places in the world, with a great cultural
tradition and certainly a leader in the creation of an
Asian Pacific digital culture.
I wanted to spend a few minutes in providing my
observations on where we are when it comes to cyber
security and cyber threats and provide some thoughts.
We meet at a time of significant focus on internet
security. In my travels over the world, I have seen the
direct and sometimes indirect results of this signal
global event.
In Estonia, which boasts one of the world’s most
connected economies, the country’s democratic
institutions, commercial organisations and news media
were shut down for almost one week, due to a concerted
cyber attack.
In China, the country’s major search engine,
Baidu.com, was shut down by the simple expedient of
hacking the DNS of the core domain name baidu.com.
In other parts of Asia, it has been reported in the
newspapers that about 30 per cent of official government
websites were infected with scripts that captured
information without the knowledge of the users.
The Twitter service has been repeatedly hacked.
Both on the site itself and most recently, through their
managed DNS provider.
In countries in the Asian Pacific region and other
parts of the world, more user names and passwords were
stolen or compromised in 2009 than ever.
I’m sure none of this has been lost on all of you
gathered here in Hong Kong. After all, you realise that
when a digital system weakens in one part of the world,
security and credibility is hurt everywhere.
My own company has been forged in the useable of
increasing security threats.
We manage critical internet structure, we manage
technology for about 10 per cent of all domains on the
internet and respond to tens of billions of DNS queries
every day.
As a result, we are a constant target of cyber
attacks. Each day, we encounter takes and some days, we
encounter a combination of cyber attacks that wake some
of us up in 2 in the morning and keep up up thereafter.
We work to endure the shock to our systems, learn to
anticipate more and growth in the teeth of ever
increasing cyber storms. As we continue into this
decade of the 2010s, I think we need to be careful in
how we, as a global community, interested in the
security of the DNS, marshall our resources and how we
spend our time and money.
If you look at today’s threats, you hear a lot of
words. Bot nets, mail ware, cyber terrorism,DDOS cyber
terrorism, clouds, a lot of different words and in some
cases, it’s almost an alphabet soup.
In our changing internet, our first line of defence
must be timely, accurate data that is shared,
integrated, analysed and acted upon quickly and
effectively.
Now, this generation on the internet faces a great
test in the area of security.
Unlike earlier digital security threats, we cannot
count on an anti virus programme to bring this trouble
to a close.
Right now, in distributed networks, and hidden
message boards, there are people planning to run massive
attacks on your systems.
That is likely to be the case not just now, but 10
years from now.
In just the past few months, we have been reminded
again of the challenge we face in protecting DNS users
against an enemy that is bent on hijacking them.
While fragmented policy, fractious politics and
fragile protocols can often on security the hard work,
I think we need to be clear about what this moment
demands. The internet as we know it can be affected
quickly, rapidly and comprehensively by focused and
unwanted attention on just a few problem areas.
To respond to this, we need to come together to
build what I think is international cooperation against
cyber threats, based on the broad principles of
protecting the consumer interest, preserving security
without compromising privacy and maintaining the
democratic principles of the internet.
This responsibility is only magnified in an era
where governments are waking up to the power and
potential of the internet and technology gives a handful
of criminals the potential to do the great majority of
the world tremendous harm.
Let me be blunt.
There are no neat or easy answers for some of these
problems that I have raised in front of you. I wish
there were.
But I can tell you that the wrong answer is to
pretend that this problem will go away if you maintain
what I believe is right now an unsustainable status quo.
Internet security requires a delicate balance. On
the one hand, a democratic internet depends on
transparency.
On the other hand, some information and techniques
must be protected from public disclosure. For the sake
of security.
Some information must be shared with appropriate
authorities on an as needed basis.
In many of these cases, money, freedom and sometimes
even lives are at stake.
A decade into the new century, the internet is now
taken for granted.
Your children no longer are in awe of this
technology the way some of you were when it first came
about.
They just expect the internet to just work.
This expectation has become one of the key drivers
of the global economy.
To make the part of the internet system that we are
responsible for, not just work, butt work well, you are
now part of the human mesh that keeps this critical
internet infrastructure viable and vibrant and each one
of us who is here is a member of a team that helps keep
a big part of the internet up and running.
Somewhere today, a relief worker is registering and
using a DotAsia domain name, so that people can donate
to respond to an earthquake and help save lives a .IN
domain name to appeal to customers using the somewhere
today a computer programmer is registering a dot info
domain name to fulfil his dream.
Somewhere today a tourism organisation is
registering a .hk domain to showcase the beauty and
attractiveness of this low call region.
That .in business, that .info entrepreneur and .hk
organisation depend upon all of us to keep the
internet’s core, the foundation of the internet, running
without trouble, today, tomorrow and every day.
Everywhere I go, there is now a great expectation
that if you see technology on the internet, it will just
work.
And it will just work in a way that is more open,
more secure and more accessible than any other system
previously built.
This expectation places upon us a great
responsibility, a responsibility to strengthen our
defences, to adopt safer computer security protocols, to
build strong alliances that foster open information
exchange.
We cannot sacrifice the open internet and the values
and liberties that it entails in light of increasing
security concerns, interoperability and accessibility,
in my opinion, must remain very high priorities, while
at the same time protecting security.
As we gather here to share our thoughts on the
governance of the internet, the domain name system, and
to tomorrow’s computer systems and the internet, let us
reach for the same vision, high principles, hard work
and persistence that has brought us so far.
Let us join hands across Hong Kong, across Beijing,
across New Delhi, Dhaka, Singapore and Tokyo, as we go
about building the future of the internet as we know it.
The safety and security of tomorrow’s internet is
threatened by more than just hacking and phishing
attempts.
We need to first agree on common principles we
believe in.
Principles that we promise to adopt and techniques
that allow us to share, integrate, analyse and act on
timely and accurate data.
Speaking together on security, not getting scared
about cyber threats, cyber war or cyber terror and
agreeing on common principles will ensure that there is
a bright future ahead.
I believe together we can security this future.
Thank you.
>> Dato Mohamed Sharil Tarmizi: Thank you.
I think Christine.
I’m just going to go, in the interests of time, run
through the speakers, then we can have a more
interactive session at the end of the five
presentations.
>> Christine Runnegar: Thank you very much. It’s a pleasure
to be here in Hong Kong and I would like to thank
DotAsia and our Hong Kong chapter for inviting me here
to speak to everyone.
So thank you.
The first step of today’s talk is mastering the
technology, so let’s see if I can get the slides to
work.
I’m going to be speaking about network confidence
and the Internet Society’s trust and Identity Initiative
and here is my first test on the technology.
So let’s begin with a definition.
What is confidence?
Confidence is the belief that one can have faith in
or rely on someone or something.
It’s a self-assurance arising from an appreciation
of one’s abilities.
It’s also the telling of private matters or secrets
with mutual trust.
Such as you might have in a business partnership.
It’s also a secret or private matter told to someone
under a condition of trust.
Such as your lawyer or your doctor.
One of our strategic objectives for 2010 is to
actively promote and support the development of open
standards, technologies, applications and policies that
engender trust in networked environments, to provide
education and guidance on methods for ensuring full
participation from internet stakeholders and enabling
individual accountability.
Under our Trust and Identity Initiative, we have
three major activities. They are understanding the
trust ecosystem, which I will be speaking about,
supporting open trust enabling solutions and stakeholder
outreach and support.
So how do we achieve confidence?
Confidence results from trust developed through
positive interactions experienced over time.
If we go back to the definition of confidence, trust
is trust in oneself, trust in someone else or trust in
something.
To increase network confidence, we must build upon
the sesses of the internet model, including global
openness and accessibility.
We must support technologies that enable trust from
the network layer to the application layer.
We must encourage policies that take steps to
enable, extend, strengthen confidence with a chain of
trust.
And encourage the economics of innovation to support
value for all stakeholders.
What are the components in the trust ecosystem?
The components are technology, so things such as
protocols, applications and hardware. There is also the
regulatory component and you’ll notice that under the
regulatory component, there is enterprise. Because
enterprise does play a role, for example, through self
regulation and coregulation.
Then if we look at the third component, society,
it’s important to remember that there are not only on
line interactions, but off line interactions as well.
What is trust? Trust is reliance on the integrity,
strength, ability, et cetera of a person or thing.
What contributes to that trust? What are some of
the things?
One of these things is authentication. Who are you?
What is the identity of the user and the device?
Note there that I have used the word authentication.
It’s important to remember that there is a distinction
between authentication and identification. Take, for
example, a person who wishes to vote on an on-line
voting system. It’s important that the system
authenticate the person, but the person would want to
vote without revealing their identity, without being
identified.
Another factor which can contribute to trust is
authorisation. Are you permitted? What privileges,
what access is allowed to the user?
A third factor is encryption. Can others hear or
see what you’re doing?
Keep private that which should be kept private.
Looking at the intersections and tensions, trust
encompasses several key components.
It’s a willingness to take a risk based on shared
information.
It’s the ability to judge and accept the level of
risk in a given exchange.
It’s also the ability to share sensitive information
within an agreed context.
In on-line transactions, enabling a trusted
interaction depends on a combination of security,
privacy protection and importantly, useability.
Looking at the constituent building blocks, then,
what are the buildk blocks of trust? They are security,
accountability, value enhancing and the evolving system.
Just highlighting a couple of these items, if you
look at accountability, for example, it’s important that
the system be verifiable.
If you think about it in terms of scientific
experiment, we are all very familiar with the importance
of being able to reproduce the results of scientific
experiment and the value that that provides to the
scientific community.
Similarly, the system needs to be evolving. It
needs to have provision for feedback, flexibility. It
needs to be adaptive and evolving.
It’s a balancing act in the trust ecosystem.
A healthy solution includes all the components.
Each with varying weight according to their constituent
building blocks.
Consider two things.
Suppose you have a healthcare advice forum. That is
a place where you can go to obtain information about
diseases or injuries.
If you look at what components you would expect,
you’d would expect a fairly sort of low tech solution,
relatively low regulation and you’d have a lot of
personal and community involvement.
So what building blocks might you want for that sort
of system?
You would probably want moderate security, several
reporting and you would want something that’s highly
flexible.
By contrast, consider a healthcare records manager.
That is a place where that records and stores and
manages your personal medical records.
In that situation, you would want a hi-tech
solution, you want it to be highly regulated and you
want to have high personal involvement, assuming you
have some control over those records.
In such circumstances, for trust, you want to have
high security, you would want to have regulated
reporting system, you want to make sure that the system
is stable and so forth.
It’s also about maintaining the balance.
Maintaining the balance or maintaining the balancing
of the blocks is as much an art as it is a science.
The important thing to remember here is that there
are many possible successful configurations, not just
one.
Some blocks are going to be covariant and some are
going to be orthogonal. What do I mean by that. I mean
sometimes when you change one of the blocks it will
affect the others, whereas in other cases, there won’t
be any need for change at all.
Very importantly too, don’t forget, perceptions can
be deceiving and they can become reality.
The trust ecosystem also has a linked evolution.
Consider this example. Imagine a regulatory
environment, you have a new law and it necessitates
a change in business practices, further accountability.
This has a flow on effect to the technology
component.
To ensure compliance, we would require a change in
a security mechanism and perhaps some modification of
some functionality.
This feeds down to the society component.
The end result of the regulatory and technology
changes may lead to a shift in the overall value in the
user community affecting behaviour and also
expectations.
So the keys to building confidence, therefore, are
a strong foundation built on open technology, best
common practices and proven methodologies, all
participants cooperating as valued stakeholders,
operational transparency with integrated feedback loops
empowering coordinated responses to emerging issues from
all participants in the ecosystem, functional frameworks
that support deployments in various markets and
jurisdictions, effective expectation management.
What is expected and what is delivered must be
matched?
A mismatch in either direction can be disaster.
So let’s turn to the internet ecosystem.
Something which all of you would be very fact
familiar with.
Now I will take you to the stakeholders in the trust
enabled ecosystem.
They’re the same individuals, organisation and other
entities.
Thank you.
>> Dato Mohamed Sharil Tarmizi: Da thank you, Christine.
Remember when I started, I said that there were many
facets, one facet came from Ram. He was talking about
bot nets, compromises to websites, hacking attacks,
DDOS, then we have Christine talking about trust,
authentication, thoughts.
Now for the third one, let’s see another perspective
of when you talk about security and governance of the
internet. Please, Matthew.
>> Matthew Chan: Thank you organisers to invite me to join
the event.
Everybody knows we are the antivirus company, but
actually our vision is absolutely provide the absolutely
safe environment to the customer, to exchange data.
Everybody knows the word virus.
In the past, virus is damage the computer and the
networks, but now today, the virus is changed to botnet.
Botnet, you can think about the network, one’s master
can handle over a thousand computers to hit one of the
target customer.
So on the other hand, the botnet is stealing the
data and information like credit card information,
social security number, financial information,
et cetera.
Business and consumer, like inundated with data.
The amount of the data running through today global
network is currently being measured in petabytes.
Not only there’s a lot of data, but it’s now mobile.
I saw everybody have a notebook here, net book,
smart phone, all is mobile device are there.
All capable of receiving data and using applications
that reside in a cloud.
Data is no longer reside on just one server or
device.
So how can we ensure that such vast amounts of
information are secure?
We believe the answer is in the cloud. That is
internet cloud or we can say the public cloud.
To protect against threats coming from the cloud,
Trend Micro turn to the cloud itself to deliver the
trend microsmart protection network.
Some of the industry argue the cloud computing will
result in security consolidation, but I don’t see this
happening.
Whenever there is the computing, how can security be
possibly consolidated. Security needs to be at every
layer to be effective.
What matters most is the protection of the data.
Don’t care where the data is coming from, but they
do care how it is protected.
Most of the businesses or stakeholders thinking
about where is my data? Who is accessing my data? Is
my data being modified?
This is a new environment requires security
innovation.
Solutions will need to address the issue of
protecting the cloud infrastructure itself.
Trend Micro, our understanding, understands that
innovation has to be evolution rather than revolution.
IT firms want to leverage the cloud, but need.
They also realise that if they don’t make a secure
cloud available to their internal customer, that
customer will go around them and get access to the cloud
without them and perhaps without security that requires
to ensure the great protection.
I thinks this Trend Micro position, within 2
minutes.
>> Dato Mohamed Sharil Tarmizi: Thank you, Matthew. That’s
very kind of you.
Thomas?
>> Thomas Parenty: I would also like the thank the
conference organisers for the opportunity to talk to you
this morning and also as one of the few Hong Kong people
on the panel, to welcome the rest of you to the city and
yes, the food is very good.
What I would like to talk about is security,
information from a slightly different perspective, not
so much from the perspective of issues with respect to
the underlying infrastructure, but more from an
organisational perspective, specifically not how to
organise things, but rather from the perspective of
organisations.
I’m going to be talking about sort of trends in the
kinds of security threat, security crimes that are
existing and that I see showing up in the near future.
One of the cautions I want to say is that whenever
people talk about computer crime or computer dangers,
there’s this tendency to be somewhat alarmist.
I’m simply going to be describing what I see as
happening and what is possible, but not something that
you should necessarily lose sleep over.
Also, to put things in context, there is a story
I heard a while back, I can’t remember the origin of the
story, but if you and a friend are walking in the woods
and you happen to run into a bear, it’s not necessary
that you actually run father than the bear, just faster
than your friend.
With respect to certain internet issues, you just
want to make sure you’re a little faster.
To simplify the world, in terms of threats, one can
talk about insider threats and outsider threats.
The particular kinds of attacks up until now that
you’ve been subject to, either inside or outside depend
very much on what the target of the attack is. For
instance, if the attacker wants something that is easily
identifiable, such as a credit card number, a social
security number, that’s a relatively easy thing to do
from the outside.
Actually, newspapers are full of stories of people
from the forger Soviet union hacking into computers
halfway around the world to harvest credit numbers that
are then sold to other people who then sell them to
somebody else who then actually commit the crime.
If you look on the other side, let’s say concern
about intellectual property, trade secrets, corporate
information, that has, up until now, tended to be more
of an insider crime.
Part of the reason is that to be able to identify
what’s important versus what isn’t, requires a lot of
contextual information that somebody halfway around the
world isn’t necessarily going to know.
What I’ve noticed recently is there’s starting to be
a merging of these two sort of sources of attack, where
you have the actual attack coming from outside using
various forms of mail ware or phishing or traditional
attacks that have come from the outside that tools from
my panellist can help address.
But it’s those attacks are being guided by insider
information in order to know where is the specific
target within an organisation that I should look for.
The recent hacking attacks on Google and other
companies actually are examples of this sort of merging
of the insider and outsider.
So it’s something that for an organisational
perspective, it used to be some simple. We had outsider
attacks, we had insider attacks, but now we have this
merging of them.
So that’s one trend that I have seen that is — that
actually is in practice today.
The second thing that I would like to talk about are
threats that we can anticipate.
It’s something that historically, there has been
a division between the physical security world and the
digital or information security world.
Being in the information security world, I sort of
look down at the people who look at CCTVs and if the
guard is in the right place and things like that, though
I do recognise the importance of them.
However, with the emergence of IPV6 plus very low
cost, low computational or I should say computationally
efficient wireless technologies that distinctions
between the physical world and the digital world is
going away.
Specifically, one particular instance of technology
that I’m talking about is a wireless protocol that goes
by the name Zigby.
Think of WiFi, the WiFi alliance, but now think of
it in terms of wireless devices that are very, very
small.
Ones that you can put in very small devices like the
lock to your front door into your fire alarm, into your
refrigerator if you wanted it.
But also more significantly, into critical parts of
critical infrastructure, such as controllers for
floodgates for hydro electric dams, in controllers for
electric metres.
What we’re going to find going forward is that the
control over physical devices is now being controlled
and enabled through the internet that we have — I was
going to say that we have grown to love, I’m not sure
that is quite the characterisation, but that we have
grown to rely on.
So there will be a whole new host of security issues
that we’ll have to deal with that very, very much affect
the physical world in which we live.
Again, looking at sort of categorisation of the
kinds of threats that we’ll look at, I would say look at
the motivations of those that might be perpetrating the
attacks.
I’ll just make two sort of choices.
One of which is, if there is somebody who has
a criminal intent, then in terms of location of the
attacker and location of the attack, I think actually
they could be sort of fairly close.
Not that I would do this and not that I would
recommend this for you, but if in the future, you would
like to get into the burglary business, then looking at
compromising wireless networks that control physical
locks is actually a good way of going about it, much
easier than dealing with old lock picks, although they
do have their charm.
If on the other hand I am looking from the
perspective of somebody who is trying to engage in some
sort of extortion or terrorist attack, where the goal is
not to open a door into some physical environment into
which I want to steal something, but rather that I want
to disrupt some critical infrastructure, they can be
completely on the other side of the world.
I would say that, again, not meaning to be alarmist,
but rather to simply provide another perspective of
things that we’ll have to look forward to, is the
merging of insider and outsider threats and the merging
of physical and digital security issues.
With that, thank you very much. And, Michael.
>> Michael Mudd: Thank you very much, Thomas.
Again, thanks very much for giving us the
opportunity to be here.
I’m the industry association guy, so that’s why I’m
coming from.
I would like to address very quickly, because I know
it’s only myself separating you from lunch.
Threats, authentication and network confidence.
The concentration of criminals into transnational
gangs is not unusual. We have seen the mafia before.
We have seen triads. What we now have is about
transnational gangs who make it a business from separate
you, the internet user, from your money or from your
identity, which is then used to separate you from your
money.
So money is the underlying motive for this from the
point of view of regularly organised criminals.
I shan’t talk about cyber terrorism. That’s
completely different.
With ID theft now topping about 9 million in the
United States, this is very costly.
It takes on average nine months and about $5,000 to
fix a stolen identity.
So this is very important. This is where education
comes into play.
That is really what I think is part of the softer
issue, the nontechnical issue, which needs to be
addressed as we move towards IPV6 and the internet of
thing, as Thomas mentioned.
New technology, Zigby, et cetera, will change just
about everything and everything that we do.
Clearly, there needs to be close coordination
between industry, industry groups, regulators and law
enforcement at all levels, in particular in Asia,
I believe that the multilateral organisations such as
APEC, ASEAN which all have working groups which are
addressing various things are very important and not the
least of which is working with the banking system.
The FATF which was the legislation on terrorist
funds transfers, money laundering, has been very
successful in closing off this, also for drug smugglers
and other criminals in the real world.
I believe that this can be extended to the cyber
world, because again elicit funds do have to be moved
articled the world, although the sums are generally
a lot smaller.
Continued collaboration, working with the ISPs and
on-line security companies is also vital.
We also have to look at some of the other issues
which are coming across on cross-border and not just the
theft I have name, but also such areas as libel, the
creation of fake identities on-line, the rise in crimes
which actually have been brought forward from the
increase in social media.
We have seen and this is going to be addressed later
on, social media on line bullying, these types of things
which are very important to address.
In particular, the education of children for social
media.
When you look at the fact that the advice on face
book is that nobody under the age of 13 should register,
although of course there’s no reason that anybody can’t,
it is clear that education should start at 12.
Education should be very important with respect to
the parent as well.
I’m a parent. I educated my kids at a very early
age not to go and play in the road. This is not a good
idea.
There is danger there.
I think that today, this has to be extended into the
on-line world as well and that a lot of parents are
abrogating their responsibilities.
This brings me down to the final thing, which is
network confidence.
It’s the same as any trust reliance service. For
those of you that threw to Hong Kong, you made
a decision to fly on an airline that you trust.
There are airlines that you don’t trust and ones
that you do and I’m pleased to see that you all made it.
This is based on their experience.
When we start to look at the growth of the internet,
the fact that it came out of government programmes,
academic programmes, to where we have today, the private
sector has played a major role in the development of the
infrastructure, the regulatory frameworks that were
adopted by governments.
Indeed, the formation of the IGF itself is very
important with the support of the commercial sponsors
that we see here today.
Therefore, the system of governance, of the IGF, of
the internet, and as put forward through the IGF, we
believe is the very important, that the
multi-stakeholder basis of governance should be
maintained and that indeed, the funding which is put
forward should be also contributed by the public sector,
as well as the private sector, but considering that most
public sector funds are strained today, that the private
sector perhaps has a greater role to play.
With that, I think I better stop. Thank you.
>> Dato Mohamed Sharil Tarmizi: Thank you very much,
Michael.
So there you have it, ladies and gentlemen.
Five different people on the panel and five
different perspectives when we are talking about
security.
I think that shows the complexity of the issue, as
well as the challenge that faces all of us who are
looking at it.
I think I would like to use this opportunity just to
refresh some of the points, the highlights that each
speaker has brought out and invite you to engage the
panel in the usual manner and form.
We have approximately — I will try and stop by
12.30. We have 15 minutes to go.
Thank you to all the speakers for your cooperation
in speeding up the presentations.
I am going to stand up.
What is interesting is I started talking about
infrastructure, Ram started talking about applications,
Christine was talking about confidence in the network.
So we move from physical security to things that we
use on the net, to our reliance on the systems.
Matthew talked about where they think the threats
will be, cloud computing and how to manage viruses.
Thomas talked about something interesting. Looking
at the future possibility, thinking about security from
an inside versus outside perspective and combining it
with the ral digital and real world.
Of course, Michael was talking about the education.
So many facets, many perspectives, many layers.
It’s almost like when you go to your physical world,
when you talk about security, you enter your house, you
probably have your electronic gate. That’s one level of
security.
You move into your front door. That’s another level
of security.
Then you move into the house, there’s probably
another level of security, camera or something in the
house.
So that seems to be what’s coming.
So any questions down at the back on the right-hand
side, left-hand side? Feel free. You have an eminent
group of panel its here.
Any insights, concerns, thoughts that you might want
to pick up from this panel? Or ask in.
>> Stephen Lau: I have a specific question to the panellists
and a general one to the entire panel.
The first one is to Thomas. When we talk about
internet of thing, of the trend moving towards, even
looming, not danger, looming phenomena is internet of
people, through people talking about instead of being —
sort of invasive of kind in plants and all that.
How do you see in terms of security protection, with
this sort of trend, do you see any sort of new phenomena
and how do we protect ourselves with respect to that?
That’s my specific question.
On a general question is this. In global IGF, in
a lot of forums, we talk about global issues, obviously
we do actually using cases with respect to particular
incident or economy or even a region. This is
a regional IGF for Asian Pacific. We are talking about
regional issues.
I was wondering from the panel whether in fact are
there anything, any specific issues in Asian Pacific
relating to cyber security which are unique or which are
more sensitive which are more prominent upon which we
can understand and can focus ourselves in our future
endeavourses?
Thank you.
>> Thomas Parenty: First off, I would have to say, thank you
very much for asking an incredibly hard question.
See if I accept another panel invitation.
Basically, when I say a hard question, the solution
to this problem is incredibly hard. To put this in sort
of a more concrete example, something that people are
dealing with right now is a lot of implanted medical
devices are accessible via wireless. Pacemakers would
be one example. You have a very, very real problem of
how can doctors under the proper circumstances access
and cross this device so as to — as part of providing
medical care, while preventing sort of bad guys from
essentially remotely killing somebody by turning off
their pacemaker.
Unfortunately, there are no good solutions right
now. Actually, one proposed solution and I think this
came out of France, although I couldn’t say exactly, was
to basically tatoo on somebody’s body in an ink that
could only be seen under ultraviolet light the password
to the device, to try to balance the fact that you don’t
want to have a device that’s completely unprotected,
because then bad things can happen, but you don’t want
it to secure that when somebody is needing medical care,
that the doctors are saying, like, how do we get in
here?
It’s something, speaking as a technologist, this is
an incredibly hard problem. I’m at a loss as to what
a sort of good solution is.
Ultraviolet tatoos, well, it’s something that it
does have some appeal, but it’s not really a long-term
solution.
So I would say that for any of you people who are
looking at areas in which you could actually do work in
the information security field, that would have very,
very prominent sort of social benefit, here is a problem
for you to look at.
>> Dato Mohamed Sharil Tarmizi: Thanks, Thomas.
>> Ram Mohan: Thank you. This is to address the question
about, you know, potential unique things that are
happening here in the Asian Pacific region.
At least from my perspective, there are two things
I see and I know there are people here in the audience
who may bring their unique perspective and add their
experience here as well. There are ISP folks and folks
from cyber cafes, other areas.
One things that I see that seems pretty unique is
that in recent times, if you look at the origin of DDOS
attacks or the origin of where the botnets are coming
from, often you find the alleged source of it tends to
be from the Asia region, a lot of it, and what happens
is that in the global press, that gets converted into,
you know, this country or this region is the source of
this problem with internet security worldwide.
Asia then gets probably the biggest amount of
burden, if you will, in that area than any other part of
the world.
I think that’s somewhat significant.
I do know that there are others here in the
audiences who might have a different perspective.
>> Dato Mohamed Sharil Tarmizi: Switching hats, speaking as
a board member of IMPACT, what IMPACT does is it gets
feeds from all its private sector members, Kaspersky,
Trend Micro and all of that, in terms of the latest
botnet attack, the patterns and profiles of signatures
of viruses and all and also the attacks and the
incidents of attacks.
Statistically what we have seen, is Asia has become
a hub or confluence point where attacks emanate from.
That is going to have other consequences on us,
people who operate ISPs, services, in Asia, because we
are going to be eventually, if we don’t do something
about it, labelled as a potential security risk, it’s
going to cost us more to connect with perhaps networks
in Europe, in America and so on.
That is one area which I think really needs to be
looked at.
Maybe from a business continuity standpoint.
Anyone else on the panel?
Charles, you had a question?
>> Charles Mok: . I just have a very quick question about
what do you see as the most urgent issue in the AP
region that you see has to be dealt with in this
particular concept about security.
>> Dato Mohamed Sharil Tarmizi: The most urgent issue for
the AP region, one each.
Since the panel thinks so, we have maybe about five
more minutes. Summary question, one of the panellist
says.
Any other questions before we come to that?
>> : My name is Robert Cara, I’m with Freedom House. It’s
great that all the panellists are speaking on different
perspectives and the thing I found nice at the beginning
was the talk about multi-stakeholder approach in regards
to security and what I’m struck in some of the comments
you just made, Ram, in regards to some of the perceived
threats are coming from Asia, but also a variety of
actors in Asia are also being particularly targeted. So
what I’m interested in hearing is to what extent the
governments and business sector seems to have a place
where they can go to for sharing the information about
attacks, getting trained. I didn’t hear civil society
and there are a lot of commands from that type of group
in the region and I’m just curious what efforts are
being done, what IMPACT is doing and if not, is that
something that they could do, doing forward, working
together, because I think the threats, whoever gets
attacked first, might be an early sign of other actors
being attacked as well and then ISPs having to deal with
gigabit attacks will cause all the sites hosted there
going down as well.
So I’m just curious as to the civil society aspect
and what that could be done going forward.
>> Dato Mohamed Sharil Tarmizi: Thank you, Robert.
Sorry, you wanted to respond, Paul?
>> Paul Wilson: I wanted to make a comment.
>> Dato Mohamed Sharil Tarmizi: Who was the second in line?
Just very quickly, I think we’ll take the question.
>> : I’m Atit Sri Unkun? or advertise sir from Bangkok
Thailand, working for a Thai network.
I just wonder from the panel, I see something
contradicting, like, for example, Ram say that to
protect the security of the internet, for example, we
have to make it like protect it to be like sort of
a secret, but at the same time, Christine from Internet
Society say we are all to making trust equal system, we
have to go for open standards, open technology. Does
that contradicting to each other?
>> Ram Mohan: Let me quickly respond. I actually think that
that is the fundamental balance that has to be struck in
doing internet security. In some cases, as you find out
information about an attack, you want to keep some of
that private, so that you don’t give away everything.
But the really important thing and one of the points
I was making was that that has to be totally balanced
against internet democracy and openness and that piece
of trust. Without one, the other becomes basically an
internet dictatorship.
>> Thomas Parenty: I was going to say, to reply to that from
a slightly different perspective, more of if you are
designing a system that needs to be secure, you want to
minimise the number of things that need to be protected
in order for that security to hold true.
So, for example, in the area of encryption, you want
it to be that all of your security is based on the
strength of the — the secrecy of the key, not on the
secrecy of the algorithm, because if you’re relying on
the secrecy of the algorithm, that is a much more
difficult task because all these people know about it
and nobody can keep their mouth shut. In terms of
openness versus secrecy, in order to protect yourself,
there are some things that need to be secret. You
absolutely want to minimise what those are, minimising
those dramatically increases the level of protection you
have.
>> Dato Mohamed Sharil Tarmizi: Thank you. I’ll just very
quickly respond.
There are other organisations at the moment which
I think engage the civil society a lot closely, IMPACT
at the moment is focusing on, because of the limited
resources, is focusing on dealing with governmental
issues for the moment.
I think the last thing you want is governments going
around trying to do things themselves without any
education and that’s one of the reasons why IMPACT came
out very quickly, to try and at least help fill that
void, because in the government system, I think you
would have heard from Markus this morning, that it’s
a very complex set of layers and layers of governance.
Paul, you had a question.
>> Paul Wilson: I just wanted to make a point again about
the stakeholders who we need to address here and there’s
one group of stakeholders who are the internet operators
an engineers.
The internet is not created by policy analysts, not
created by an IP address registry, it’s not created by
security experts. It’s created by a group of foot
soldiers or coalface workers who are the engineers who
actually make the network that we all use.
The different between a network that is well run by
fully trained expert engineers and one that is not is
a difference in cost, efficiency, critically it’s
a difference in security as well.
The training and education challenge of getting to
every one of those engineers, the foot soldiers in whose
hands are the routers, the DNS servers, even are you
piece of equipment that we rely on is a really huge
challenge and I think that simply the task of training
is one that needs to be really emphasised and rolled
out. It’s one that’s been going on for many years
through on in profit and voluntary activities, such as
run by the Internet Society, such as the Apricot
conference, but it really must not be forgotten, because
we can talk about policy and analysis and all sorts of
thing, but on the ground there really is a big
challenge.
In my experience, in this region, the pace of growth
of the internet is so rapid, the dearth of trained human
resource is so severe, the mobility of professionals to
move from one job to the next, one company will train
and then lose those trained experts to others and it’s
a real challenge. It’s something that we really mustn’t
forget.
Thanks.
>> Dato Mohamed Sharil Tarmizi: Thank you, Paul.
There were a few others.
>> : I’m Sue Ng from Malaysia.
I’m just want to draw attention to the fact that who
defines cyber threats? What is the definition? Because
there are some repressive governments that use that term
to silence dissent and it’s interesting that the chair
brought up the issue of educating the government,
because I don’t know why the MCMC is going after an
on-line news site for reporting, for doing its job of
reporting something that could be sensitive to the
government of the day and the tie example as well.
Thanks.
>> Dato Mohamed Sharil Tarmizi: That is interesting.
Thank you.
And you know who is the guy? Me.
I’ll respond to that bilaterally.
That goes to show that, you know, when you talk
about security, everyone has their own take of what is
security.
I think just sort of coming back to the issue at
hand, some will look at content issues as relating to
security as well. I mean, I’m, for example, I just came
back from Geneva, the protection initiative by the ITU.
That was a whole debate by governments there was about
we need to protect children on-line.
I don’t deny the fact that the point she raised,
there were some people in government who felt that
control over information is a security issue.
But there are others who felt that that was not the
case.
I think more to the point of this AP region, perhaps
now is an opportune time to come to Charles question.
If we were to try and, you know, with all that that’s
been floating about in the last half an hour or so in
the dialogue, if we were to try and look at the priority
areas for this region, in relation to security, what
would it be?
Would it be training and education that Paul talked
about?
Would it be what Stephen talked about? Shall we be
focusing there, because this particular region also
manufactures a lot of products, applications services.
Most of the devices that come up with V6 capability
is probably going to be manufactured in this region.
Or would it be something a along the lines of
building trust and confidence in the system, because we
have a lot of people coming on line with many
governments in this region trying to push broadband
penetration up and yet not having the right people with
the right skill sets managing these networks.
So everywhere, as you keep growing these networks,
you find that vulnerabilities increase, because people
just don’t know how to handle it.
Where would that be? I just like to invite maybe
a few immediate reactions from the floor and then go to
the panellists before I sum up.
>> : My name is yap sue sing. I’m representing Asian Forum
for Human Rights and Development, based in Bangkok.
It was very interesting to listen to some of the
panellists talking about this cyber threats and cyber
attacks and how to strike a balance.
Ram talks about striking a balance between this
security and also democratic control of these tools.
But I agree to that point, but I would just like to
also add that it is also important to strike a balance
between security and fundamental human rights.
Because I think a lot of times we are seeing is is
that a lot of time governments are using the pretext of
security to undermine human rights, the rights to
privacy, the right to freedom of expression and freedom
of information to cover up corruption, scandals.
I think this is very fundamental and so in terms of
I think when we talk about internet management and
governance, this is one of the key principles that
shouldn’t be left out when we think about the management
of internet.
So it is important I think democratic control and
human rights is two different concepts and it has to be
differentiated, because democratic control talks about
processes, it talks about decision making and democratic
control sometimes can be contradicting with human
rights, because a lot of times, the rule of majority
overrule the rights of the minority or individual, very
basic human rights.
So I think it is very key and important to also
emphasise the principles of human rights.
The other point is about cyber threats. From the
panel, from the discussion I gather that the paradigm of
talking about cyber threats and attacks is more from the
state perspective, to control, to minimise security.
But there is also a lot of threats that is sponsored
by states or even initiated by states to a threat of
user of internet, especially when it comes to very
fundamental rights of the people.
How do we address that kind of cyber threats?
Because for governments, it seems there is a platform
for them to address these issues through complaint about
these issues and to discuss how to have a global
structure to address this issue, but when it comes to
threats that is created by governments, where is the
platform or what is the mechanism to address this issue?
Thank you.
>> Dato Mohamed Sharil Tarmizi: I don’t think anyone is
responding to that one.
Any other comments? Sorry, I have two more.
I’m just trying to take up notes and sum up.
>> : This was in response to the comment made by the speaker
who spoke.
Earlier, this initiative in Brazil —
>> Dato Mohamed Sharil Tarmizi: Where are you from?
Parminder: Parminder from an NGO IT For Change in India.
The Brazil, there is an initiative by government and
civil society to start looking at internet governance,
not from a control and security point of view, but civil
rights point of view and address the same set of issues
and they have come up with a draft and what is
surprising and good is that the same kind of issues do
get addressed even from a rights basis, even the right
to security is a right and they have come up with
a draft which looks at security issues from a rights
point of view and I thought that could be something
which people can take note of.
Thank you.
>> Dato Mohamed Sharil Tarmizi: Thank you. I see a trend
coming up.
>> : Dale Johnson from Hong Kong.
I want to thank you the panellist, I think they
raised some very good points in their presentations from
a diverse range of perspectives.
A couple of points I want to raise is, the topic of
security in itself. It means so many things to so many
different people. We will never solve the problem
whilst we’re taking it in such a broad specifictive. We
have got child on line protection down here, we have
hardware infrastructure protection over here. What
makes it even more complicated is all the volunteer
events versus the standards efforts versus the private
efforts and it’s very, very challenging.
Going back to some of the points the panel itself
made, what are the fundamental principles upon which we
are working here? What are the actual assets that we
are going to protect? Let’s get the facts down on the
problem, because I don’t think we have solved anything
here.
We can come back here in five years’ time and we
will be in the same position and having the same
conversation and not being any more advanced apart from
DNS may be in place.
The other thing is, solving the problems of today,
the pace everything is moving, the problems of today are
probably already gone by the time we get around to
solving them. Why don’t we start thinking about
architecting security into whatever is going to be
coming in the future, which is part of what we’re doing.
The example of running faster than the bear. That’s
a very good example. How can we security an environment
where security is only as strong as the weakest link?
So all these big ISPs, for example, are doing really
well, but all the small ones are doing very poorly, so
the back door infrastructure are coming into the weakest
link is what’s called compromising the efforts of the
good people.
The other aspect is how do we develop all these
principles and everything when we have to take into
consideration developed nations and undeveloped nations,
because olof them are all using this infrastructure more
and more commonly.
I just want to put all those thoughts on the table,
because it is a very big challenge and I think we need
to need to start narrowing down the challenge into
categories of security rather than tackling the concept
of security.
Thank you.
>> Dato Mohamed Sharil Tarmizi: Absolutely. Thank you,
Mr Johnson. I don’t think there’s anyone who is going
to be agreeing with you there. The question is: where
do we start?
Any other comments or reactions?
Then I would just like to come back to Charles’
question and then after that, respond to one or two
observations I have.
I think one of the things that I’ll be honest,
I didn’t see coming, on this panel as we were preparing,
was looking at the issue from a civil liberties or civil
rights standpoint or human rights standpoint.
I think when we were preparing for the panel, a lot
of the questions we were thinking of were physical
infrastructure, physical security, application security,
machine to machine communications and all of that. So
thank you for your inputs. I think that is quite
useful.
You are quite right, the Brazilian delegation
I think in many of their iterations, did start from
that environment.
If we were to look back at the whole plethora of
issues that have come up, we are not going to solve this
issue of security in one day, nor are we going to solve
this issue of security in one meeting, but I think it
has sparked off quite a bit of debate, quite a bit of
discussion.
What the point of the exercise is now that we have
started the engagement, we have to continue to engage in
this bottom up process that I think Markus is talking
about. This is the very first time we are doing it in
Asian Pacific.
But if I could just quickly ask each one, if each
one of the panellists just want to put forward a prior
to issue for consideration, not necessarily for
recommendation, but just for consideration of people in
this room, in terms of what may be a prior to coming
forward in the next couple of years, what would it be,
from this region? Let’s start with Michael.
>> Michael Mudd: Thank you very much. I look at it from the
point of view of another infrastructure that we trust
implicitly or at least we did, the banking system.
There are two areas of security in the banking
system. The individual security and the physical
infrastructure, the bank, their computer systems
themselves.
Then there is the security of the governance system
of the banking system.
We have seen that that has failed in several areas
recently.
So for me, it is quite simply the governance of the
internet which is the most important area to examine and
to make sure that we do have a multi-stakeholder
approach to ensure the security of the governance
system.
>> Thomas Parenty: Even though I would like to think of
myself as a technologist, if I were to pick one area
that we would need to work on in Asia, it would be
education and not so much just in the sense of learning
about this technology or that, but rather more broadly
having discussions about what security actually does
mean.
One thing this panel demonstrated is that there are
as many different perspectives on security as there are
panellists, actually for some of us, we probably have
more than one. Sort of a schizophrenic panel.
But it is something that from the time that I have
spent in Asia and I have been here just seven years, the
level of sophistication with respect to the dialogue on
security, it’s something that there just needs to be
more discussion. In the absence of that discussion, any
technological decisions we make are not going to be
particularly relevant.
Actually, I would say I’m sort of reiterating
Michael’s comments from his primary, from his initial
presentation, is that education.
>> Matthew Chan: We started doing the threat management to
our customer, because everybody have a lot of security
device or application control, everything is there, but
nobody can say it is secure.
In the past, the company is working the local
network infrastructure. Last few years, it is global
networking structure. Now day, it is cloud
infrastructure. That is a different perspective on the
security concept.
Trend Micro is now starting the work with the
customer about the threat management. Whatever this is
application, network security and all different kinds of
platform, we are working on that.
>> Christine Runnegar: I would just like to start with an
observation, that the Asian Pacific region is a very
diverse region with different issues in the internet
space, not just in security. So my one area to mention
at the moment is to continue the multi-stakeholder
dialogue locally, subregionally and regionally, share
your experiences, your knowledge and work together in an
open, transparent and inclusive process to try and solve
these issues.
>> Ram Mohan: To me, that fundamental human rights that our
own institutions could become a threat to the internet
or to ourselves ourselves is an interesting perspective,
something that I have gained simply out of being here.
So thank you for your point of view on that.
My summary here would be to achieve a vision for
a safer internet that is also more accessible,
interoperable and open. If you want to achieve that
vision, then I think we first need to agree on common
values and principles.
Bringing together consensus on common values and
principles on internet security is arguably the most
important challenge and action for this APRIGF and for
that to continue forward into the global IGF.
After all, if we don’t agree on why we are trying to
solve the issue, we cannot expect to bring together all
the different perspectives on security into convergence.
>> Dato Mohamed Sharil Tarmizi: Thank you, Ram.
I think for myself, not so much as the moderator,
but as also a panellist, one of the things that I think
would be of value that we can bring, particularly for
this region, is because of our diversity, because of our
multifaceted and multiracial, cultural environment that
we have here, it’s going to be very, very challenging to
find commonality of views, I would say.
That’s because we have also various levels of
systems, various systems of governance, various types of
governments, various types of administrations in the
region.
But that said, notwithstanding the political
challenges, I would think it is still very, very
important, despite the diversity, for us to continue to
engage in a multi-stakeholder environment such as this,
to try and find that common value, perhaps it’s
interoperability of internet, something that sounds
basic like that, or perhaps it’s the continued — for
us, security could be interoperability or continued
operations of the internet and that may be the one
common thing we can agree on in this region.
Going into other aspects could be too difficult for
some, but I think if we build on the commonalities that
we can find hopefully after these two days or three days
we have here in Hong Kong, that should be a useful
contribution I think into the IGF process.
With that, wearing my hat as the moderator, I would
like to thank all of you for being a very participative
audience. I think it was very good. Hopefully the
discussion doesn’t end here, we will be meeting each
other for coffee, tea and lunch. You can continue with
the panellists.
May I also request and invite that you thank the
panellists in the usual manner.
Ladies and gentlemen, thank you for your time.
Thank you for your participation. Thank you very much.
>> Thomas Parenty: Now it is the lunchtime. Lunch will be
served for all registered participants. Please proceed
to your right-hand side to enjoy your lunch.
Moreover, dinner tickets are to be collected at the
registration table. So if you wish to go but do not
have one, please go to the registration desk to ask for
one, because tickets are given out on first come, first
serve basis.
We will be back at 2 o’clock, so enjoy your lunch.
(Lunch Break)