Cybersecurity requires good policy not just good technology: The case of routing

It seems not a day goes by without another routing incident occurring. Whether a resource hijack, a route leak, or an entire network outage, the Internet’s routing system is like any other complex system involving multiple actors each making decisions reflecting their own processes, incentives and costs. In theory, adopting a technology like Resource Public Key Infrastructure (RPKI) [1] would offer operators one way to help secure their networks, and possibly reduce the occurrence of some incidents. But implementation in the real world poses problems that could undermine its effectiveness. By combining research in computer and social science, we are beginning to understand that data governance is the key to improving routing security.

1. Explaining variation across RIRs

Route Origin Authorizations (ROAs) data, which cryptographically links an authorized operator’s Autonomous System Number (ASN) with address prefix(es) they are authorized to originate as a route, is a fundamental piece of the RPKI. ROA data collected by RIPE (shown below) indicate vast differences between regions when looking at the number of prefixes found in ROAs. While the number of prefixes in ROAs remains tiny compared to the overall numbers of allocated, assigned or announced prefixes, the RIPE NCC region stands out with far more prefixes in ROAs.

Source: http://certification-stats.ripe.net/?type=roa-v4

What accounts for this difference? Continue reading

The Cybersecurity Executive Orders: A Tale of Two Trumps

One of President Trump’s planned Executive Orders was on Cybersecurity. Two weeks ago, a draft was circulating – but it was never signed and released.

Last week, a new draft was leaked. While we can’t verify its validity, the leaker is a well-connected Beltway consultant with ties to the Heritage Foundation; he claims he has received the draft text from 3 different sources.

We did a side-by-side comparison of the two drafts. There is a huge difference. It’s like night and day, Dr. Jekyll and Mr. Hyde, or maybe Steve Bannon and Paul Ryan. The first draft managed to be both aggressively nationalistic and short on useful substance.

The second draft is calmer, more focused and better-informed; it reads like it was vetted and amended by an interagency task force that included the Commerce Department, NIST, the State Department and the tech industry and not just the Administration, the military and DHS.

Continue reading