By Christine Runnegar, Director, Public Policy, The Internet Society
In Paris this week, OECD stakeholders are conferring on a set of new guidelines regarding security that could prove to be as globally influential as the 1980 OECD Privacy Guidelines.
At the core of this work, there is a common appreciation that the success of the global digital economy is highly dependent on an open, globally accessible, decentralized Internet.
In such a highly interconnected environment that is, effectively, a globally shared resource that no one owns, security risk management necessarily becomes a shared endeavor. This is an endeavor that needs broad participation and an approach that considers the overall security and resilience of the Internet and its actors, not just one’s own security risks.
This endeavor is not without challenges, because mitigating external risks will not usually directly benefit the entity doing the mitigating, and indirect benefits (e.g. greater overall security) are sometimes hard to see. Take, for example, a scenario from the Internet routing area – ingress filtering[1]: networks that implement ingress filtering help protect other networks from spoofing attacks. However, they do not receive any direct protection themselves unless those other networks do the same. Nonetheless, everyone participating on the Internet receives the indirect benefit of a more secure Internet.
A voluntary shared commitment is a useful way to motivate a collaborative approach to security, as a recently launched initiative, coordinated by my colleague, Andrei Robachevsky, has demonstrated.
At the core of this initiative is a document called the Mutually Agreed Norms for Routing Security (MANRS at www.manrs.org), which defines a set of principles and best current practices for a coordinated approach to improve the Internet routing system. Already, several network operators – CERNET, Claranet, Comcast, KPN, Level 3, NTT, RUNNet, SpaceNet and SURFnet – have made a public commitment to make the global routing system more secure and resilient by implementing one or more of the MANRS recommendations, i.e.:
- prevent propagation of incorrect routing information
- prevent traffic with spoofed source IP addresses
- facilitate global operational communication and coordination between network operators
- facilitate validation of routing information on a global scale.[2]
Their basic mantra is “we do at least this and expect you to do the same”.
This is a concrete “real world” example of a voluntary collaborative approach to raise the overall level of security and resilience of the Internet.
As the OECD’s work on the revised 2002 OECD Security Guidelines draws to a close, we look to the next steps, and how the principles will be applied across the OECD community and beyond.
[1] https://en.wikipedia.org/wiki/Ingress_filtering
[2] More details can be found on www.manrs.org
_________________________________
Christine Runnegar is Director, Public Policy at the Internet Society, based in Geneva, Switzerland. Her current areas of interest include online privacy, security and identity. Christine contributes to the OECD’s work on privacy through the Internet Technical Advisory Committee (ITAC) and APEC’s work on the Cross Border Privacy Rules (CBPR) System through the APEC ECSG Data Privacy Sub-Group (DPS). She also participates in the Internet Architecture Board (IAB) Privacy Program, co-chairs the W3C Privacy Interest Group (PING), and works closely with other Internet technical experts on privacy and provenance. Christine also led the pilot Internet Society Copyright Working Group and the development of the Internet Society’s paper entitled Perspectives on Policy Responses to Online Copyright Infringement – An Evolving Policy Landscape.