Five Cybersecurity Takeaways from the ARIN 48 Keynote and Panel

By Leslie Nobile – Senior Director, Trust and Public Policy

The ARIN 48 Members Meeting was held as a hybrid meeting in November and featured both a keynote address and an Internet governance panel centered around the topic of cybersecurity.

Chris Painter, President of the Global Forum on Cyber Expertise Foundation, delivered the keynote speech entitled “Cybersecurity and the Internet: The Road Less Traveled”, in which he examined the current state of cybersecurity and the Internet, and discussed global efforts being undertaken to tackle this ever-growing threat.

Our panel of experts, representing both the private and public sectors, spoke about “Evolving Cybersecurity: Strategies for the New Normal" in which they described how their organizations are devising strategies to deal with the challenges posed by increasingly sophisticated cybersecurity threats. Panelists included:

• Chris Elverson, Supervisory Special Agent, Federal Bureau of Investigation (FBI) Cyber Division
• Dick Leaning, Director of Trust and Safety, Cloudflare
• Niel Harper, Chief Information Security Officer, United Nations Office for Project Services (UNOPS)
• Doug Montgomery, Manager of Internet Technology Research, US National Institute of Standards and Technology (NIST)

Our ARIN 48 Members Meeting recap blog took a high-level look at both the keynote and panel, but here are five takeaways I thought were particularly interesting.

1. The Colonial Pipeline attack helped raise cybersecurity awareness

With over 30 years of experience, Chris Painter has had a long career in the field of cybersecurity, including serving as the first dedicated cyber diplomat for the United States. Painter noted that he doesn’t think we’ve taken cybersecurity issues as seriously as we need to, though he acknowledges that we are doing better than ever before.

“This is all exacerbated by the pandemic,” Painter stated, noting that the global dependence on the Internet over the past two years has helped a lot of people, particularly in developing countries, realize just how important cybersecurity and cyber issues are. Painter tapped the Colonial Pipeline cyber-attack from earlier in 2021 as an example.

“That attack, I think, raised the attention on this issue in a way that I’ve never seen before,” he said. “Once people understood that a cyber-attack actually affects their everyday lives … that brought it home to the average person in a way that we hadn’t seen before. And that also translated it to a higher political level.”

In fact, after the Colonial Pipeline attack in May, the US President signed an executive order that is aimed at strengthening cybersecurity defenses in the US. The order calls for private sector companies to partner with the federal government on deliverable action.

Painter stressed that some of the cyber-attacks we have seen recently have been incredibly serious and have affected us in a number of ways — espionage, data breaches, ransomware, botnet attacks, etc. But because they haven’t highly disrupted our daily life, government officials and policymakers tend not to give these their sustained senior-level attention.

Ultimately, Painter warns that just because a large-scale disruptive event hasn’t happened yet doesn’t mean we should be lax on cybersecurity or think that what’s been done so far has been enough.

“We’ve had about 80 different wake-up calls over the years,” Painter said. “Every major cyber event has been a wake-up call. And we seem to easily go back to sleep or not have the attention of the public or the policymakers, that political-level attention.”

2. It takes a village to combat cyber crime

Chris Elverson, Supervisory Special Agent with the FBI’s Cyber Division, highlighted some of the FBI’s cyber-crime innovations, but stressed that public-private partnerships are generally the reason for successful cases and operations, saying, “No single entity has the entire visibility necessary to tackle the cyber threats that everyone is dealing with.”

One example Elverson gave is the repository of phishing kits at the National Cyber-Forensics and Training Alliance (NCFTA) that stores intelligence like email headers, names, the URL phishing attempts were hosted at, the names used by the creator, and in some cases, a link where the stolen credentials are being collected. NCFTA partners can submit phishing kits they encounter, and they can search for already-stored kits as well. The collaboration of data helps law enforcement officials not only prosecute criminals, but also notify potential victims of the scam.

“Almost every crime is essentially cyber-enabled at this point just because of the reach that the Internet has,” Elverson noted.

3. Education of Internet procedures is important for law enforcement officials

Dick Leaning, Director of Trust and Safety with Cloudflare, stressed the importance of educational outreach for Internet operations.

“Understanding how the Internet works,” Leaning said, “and how the governments want to introduce policy, regulation, legislation on the Internet… that’s been a challenge.”

A former UK and Europol law enforcement officer himself, Leaning talked about how he and his colleagues work with law enforcement agencies on Internet knowledge, especially since, as he said, the Internet is so dynamic. His organization often receives requests from law enforcement officials to track IP address usage, ask if a website can be taken down, or other requests that are just not always possible to do. Educating and collaborating with law enforcement on how the Internet is moving, how it works, etc., could prevent law enforcement from wasting time on dead end investigation avenues.

“It’s no longer just a realm of specialist cybercrime units investigating crime on the Internet,” Leaning said. “It’s across the whole board. … Every police officer needs to know about the Internet and how it works to conduct any investigation.”

4. Security is a global issue — and not just for data centers

The United Nations Office for Project Services (UNOPS) has a global footprint in multiple countries — 120 to be exact — so making sure all of their IT systems and data assets are secure is quite the challenge. Niel Harper, Chief Information Security Officer at UNOPS noted that they had embarked on a cloud-first strategy a couple of years ago, which allowed them to seamlessly transition their workforce to remote working in the early days of the pandemic. UNOPS helps their clients, who are other UN agencies, governments, and international funders, implement peace and security projects, some of which involve IT infrastructure and applications such as data centers, national digital identification solutions, and government procurement systems.

Harper said that UNOPS has developed and continues to refine an end-to-end process for embedding privacy and security into their system development life cycle (SDLC).

“Developing systems to be secure first [meant] we don’t have to go back and build in security afterwards,” he said. This can be especially important for the inexperienced stakeholders in developing nations, he said. But overall, global security standards are still a work in progress.

During the Q&A, Harper also pointed out that the European Union Agency for Cybersecurity (ENISA) has adopted a cybersecurity certification framework where certain Internet of Things (IoT) devices must be validated from a privacy and security perspective, and said the US is working on a similar initiative.

“[There’s a] kind of market pressure through consumer advocacy groups to better inform consumers to make better choices around which products are secure and privacy-enabling,” Harper said.

Panelist Doug Montgomery, Manager of Internet Technology Research for NIST, also briefly discussed security awareness for consumer-grade IoT devices.

“I think it’s a big challenge in the consumer space,” Montgomery said. “The first step is having some way of characterizing the effective security level of a product.”

Montgomery noted that communities that control acquisition, such as the federal government, have the power to influence vendors to raise and label the security measures of their IoT devices, but it is more difficult to influence what consumers will buy.

5. IPv6 is the future for network security

Montgomery said that NIST is actively involved with the US federal government’s transition to IPv6-only networks, which was announced in November 2020. The strategic intent is for the Federal government to deliver its information services, operate its networks, and access the services of others using only IPv6.

“Getting there now,” Montgomery said, “is significantly easier than it was in 2010.”

He noted that the product base is reasonably mature, and that IPv6 deployment is advancing at a clip where “government agencies who have v6-enabled on public-facing websites are seeing the majority of their traffic come over v6.”

Montgomery said for him, the transition to IPv6 means more innovation and a modern network protocol.

“We see globally unique network addresses as a significant requirement for new security architectures,” Montgomery said, observing that our current world, where half of the users are at home, accessing services in the cloud or within an enterprise environment requires unique addresses to identify end-to-end traffic flows. “We think it’s also an enabler for innovation of new network security technologies.”

On behalf of ARIN, I would like to thank our keynote speaker and panelists for sharing their expertise and insights with us on the state of cybersecurity today.

Recent blogs categorized under: Internet Governance

• The Global Digital Compact: A Top-Down Attempt to Minimize the Role of the Technical Community
• Greater Vigilance and Collaboration Needed in Digital Transformation Initiatives
• ARIN Membership: What’s Changed?
• NewIP, OTT, and ICTs: Highlights from our Work with the ITU