ICANN Vice President: The Internet we know and want may soon disappear for good

Michael Yakushev, Internet Corporation for Assigned Names and Numbers (ICANN) Vice President of Stakeholder Engagement for Russia, Commonwealth of Independent States (CIS) and Eastern Europe, took the time to answer some of Digital Report’s questions. Mr. Yakushev discusses online government censorship, ICANN’s role in Internet governance and regulation, and some of the challenges the World Wide Web will face in the future.

What is your attitude towards government control of the Internet and the blocking of websites? Does Roskomnadzor (Russian Federal Service for Supervision in the Sphere of Telecom, Information Technologies and Mass Communications) act in contradiction with the constructive approach by ICANN?

As long as government regulations do not contravene the stability and technical security requirements of the Internet, they fall outside the jurisdiction of ICANN and under state sovereignty. If a country has Internet access, then de-facto ICANN has fulfilled its duties there. However, this raises a crucial question: at what point do government regulations start threatening the stability and security of the Internet? This could occur when a government blocks an entire domain zone. This specific issue opens up a host of potential problems. Specifically, the attempts of some countries to keep the distribution of IP-addresses under their jurisdiction. For example, some players believe that the distribution of IP-addresses should be done at a national level, just like phone numbers. However, there are as many first-level phone codes as there are sovereign states, slightly more than 200. Regarding the Internet, the problem is of an entirely different scope; there are 10 to the 28th degree IP-addresses in IPv6 protocol. Thus, we are not talking about a limited resource which states can distribute. We are talking about quadrillions of addresses. We would face serious conflicts if one registrar occupied an address area that was claimed by several others. Such conflicts would occur if different registrars attempted to claim the same address. Another protective layer is the DNS Sec system, which minimises attempts to reset (or “substitute”) domain names. An organization that regularly fakes or fabricates data about requested domain names will eventually find itself blacklisted. Malicious actors will be disconnected on a technical level if they are considered a source of malevolent activity on the network.

Taking into account that the responsibility for blocking websites lies with Internet providers, could they be blacklisted by ICANN and other organizations responsible for stability and development of the Internet?

ICANN cannot sanction providers and my organization should not be viewed as an absolute power. There is a whole range of organizations that are not very well represented in Eastern Europe but are actively involved in defining Internet standards and monitoring their implementation. These include the Internet Engineering Task Force (IETF), the Internet Society (ISOC), and the Regional Internet Registry (RIPE NCC). The latter is responsible for distribution of IP-addresses in Europe and is located in Amsterdam. By the way, this is a perfect example. Three quarters of the Netherlands has been reclaimed from the sea. Residents constructed dams and created more land. Importantly, the owner of the plot of land closest to the sea is solely responsible for the dam protecting all the territory behind his land. If the sea breaches the dam, the owner of this plot is fully responsible. However, if he becomes the owner of this plot, he takes the full responsibility and the owners of other land plots place their trust in him. If a breach or another unfortunate event were to occur, the other owners would all come to support him. This is an example of mutual trust when everyone’s security depends on the security of one. When the Internet was conceived and developed as we know it today, it was based on this principle of absolute trust. If we were to remove this principle, the Internet as we know it would collapse. That Internet, the one we know and want, may disappear for good. Internet freedom is based on mutual trust. The more actions that undermine this trust, the more mechanisms for punishment and containment we need. But this would be a completely different Internet.

So is the Internet about to collapse?

No, it is too early to say. Everything is very dynamic, even the very idea of what may and may not be censored on the Internet. Twenty-five years ago, one could hardly imagine that a law against gay propaganda would be adopted in Russia. At that time, homosexuality was considered deviant, denounced both in law and public opinion. However, in Europe it is considered a normal sexual behaviour, even though it is forbidden in other states. That is why it is very difficult to have a common international opinion on the dissemination of information about sexual minorities. Thus, the main international issue is not in reaching consensus about what should or should not be censored on the Internet, but in search of the answer for the following question: “What should we do so that the current system remains secure and continues developing?” There is consensus on this matter, and I believe that fears of the collapse of the Internet are groundless. The number of connections is increasing, the number of top-level domains has reached one thousand, and the total number of all domain names is in the hundreds of millions, if not billions. Yes, some excesses exist on the national level but the Internet is flexible and able to solve those problems.

Is it possible to say that cyber security issues are used as a political instrument? Do some states use cyber security as proxy to increase control over online content. This is what Professor Anatoly Streltsov says, by the way?

Anatoly Streltsov is a well-known theorist of information law. At the same time, his position reflects the position of Russian cyber-security officials. From their point of view, information security is based on a triad: personal security, social (business) security, and security in international relations. In this theory, state security is tied with social or business security, while cyber security becomes a tiny part of cybercrimes. Most specialists in the world, especially from Europe and the USA, do not share this point of view, proving through their arguments that what we (Russia. -ed) consider security is not correct. The arguments are complex and this is all one can say about this in brief. Of course, like all of us in Russia, I personally respect Mr. Streltsov immensely. Certainly, security is of high importance, and this is not the communist époque with its opportunities for excesses. However, security is the underlying state of stability, which is based on trust. It is not accidental that I constantly repeat this. That is why the more mutual trust we have, the greater our security. The less trust we have, the less security and the greater need for mechanisms to ensure our security.

That is why Western states practice a utilitarian approach to cyber security; one that relies on a set of measures to provide for the technical security of the Web and minimises the possibility of hacking, data theft, and so on. Russian officials prefer to talk about the categories of information and psychological war, which is not very well received by their Western colleagues. They are in essence speaking different languages. However, technical experts and computer specialists can define cyber security very clearly. It is possible that this may be the reason for many misunderstandings. Say, when we try to “push” for something important to us and foreign opponents provide an opposing point of view, then we think this is political influence. It is extremely important to speak the same language and be able to reach a compromise.

Does ICANN implement programs to improve cyber security in Russia and the Commonwealth of Independent States (CIS)?

Yes, it does. Of course, this is to a lesser extent in Russia. Our activities are focused on states with lower levels of Internet penetration. In Russia, just like with cyber security, this is not an issue. Experienced professionals manage domain zones and registrars. In this sense, there are no problems with domain and overall network security in Russia. As for educational activities in less-developed states, say in East Asia and Africa, we have two departments devoted to this activity. One of them focuses on security matters and the other on educating interested stakeholders, such as law enforcement and registrars. We would gladly implement education campaigns in Belarus if there were a need. However, our Belarusian colleagues operate on a perfectly acceptable professional level. (This interview was conducted by DR’s Belarusian correspondent. -ed)

Does it make sense to work with national populations as a whole? The problem of cyber security is multifaceted and it depends both on the professionalism of law enforcement and the level of knowledge of civil society?

This is absolutely correct and exactly what is necessary. However, the “clients” of ICANN are registers and registrars and not end users. We teach our children how to cross a street, what a traffic light is, and so on. Taking into account that many children now use tablets, we should teach them what and what not to do online. We really need this education and not only for children. It should also target teachers so that they know what to teach and have more information than children who largely know how to skirt Internet controls. Adults must also be taught to use public services and should feel safe both online shopping and online banking. However, protecting citizens is the responsibility of individual governments. Moreover, a low level of cyber literacy is common; there is much work to be done in Europe, just like in Russia and Belarus.

The investments into cyber security are massive. Why do these investments not reach citizens in the form of knowledge?

Yes, in fact the investments go only into certified laboratories. Clemenceau said that war is too important a matter to be left to the military. The military must win on a tactical level while politicians and diplomats win on a strategic level. In other words, we should not leave decisions as to whether or not to go to war with the military. They are not able to make such decisions. In the same manner, the responsibility for decisions in security domain must not reside within offices that have a particularly special or narrow professional approach to the issue. In Russia, for example, some offices are responsible for the protection of private data. Nevertheless, if your personal data were stolen from a cellular phone company, the company would produce thousands certificates stating that all their services and systems are successfully certified and the company is not responsible. That is it. But your data is gone.

What might the solution be? Do we need a new agency to protect private data?

We need an understanding that the rights and interests of a citizen are primary. We have to first think about protecting user needs and only after that about technical certifications.

Will cyber-security threats increase in the future? Does it make sense to take active measures today to prevent these future risks? What security problems will present the largest challenges in the future?

Yes, the probability of new risks increases with time. The main challenge is that a new generation is growing up, a generation that is much more comfortable using computers and connecting to the Internet. They will be more creative than our generation and if we underestimate or misunderstand this, we will face hacker attacks and phishing cases of an order of magnitude greater than today. Imprisoned criminals in Russia already widely participate in SMS phishing attacks from their prison cells, attempting to steal money via their cell phones. Two years ago, Kaspersky Laboratory published information stating that the restrictive online environment had lowered the initial age of criminal activities to 13. For a minute, pretend that the Russian government restricted Anna Karenina in the country. (Anna Karenina contains a suicide, the description of which is illegal in Russia. -ed) A child trying to find this book on the Internet while circumventing government restrictions would sooner or later come across a proposal to make some money via criminal activities. He or she starts down this path and then we see a sharp increase in cybercrime. We may lose a whole generation while the criminal world becomes younger and more inventive. This is the law of large numbers in action.