
In this paper we examine the issues of security, stability and resiliency of the global Internet infrastructure. The scope of this research is limited to the issues that fall within the ICANN mandate. Therefore, first of all we will examine «security», «stability» and «resiliency» as they are defined by ICANN***:

Security — the capacity to protect and prevent misuse of Internet unique identifiers.
Stability — the capacity to ensure that the system operates as expected, and that users of the unique identifiers have confidence that the system operates as expected.
Resiliency — the capacity of the unique identifier system to effectively withstand/tolerate/survive malicious attacks and other disruptive events without disruption or cessation of service.

The abovementioned concepts are fundamental, but their definitions need rectification to reflect their present meaning and to be harmonized with the existing international and national regulations and standards that use these concepts. The main reasons behind the need to rectify these concepts are:

1. The ambiguity of their interpretation. In many articles «stability» and «resiliency» are considered parts of the overall concept of «security» and, therefore, are explicitly or implicitly included in this general definition. Moreover, the concepts of «stability» and «resilience» are often correlated with the concept of «reliability», and interpreting «security» through the notion of «misuse» allows for a very broad interpretation.

2. Issues of a linguistic nature. When translating from/into English, additional connotations are often lost or created. The basic concept of «security» in Russian (and, more importantly in this case, in the Russian documents) primarily means «the condition of being secure», whereas the English word «security» implies, apart from that, the set of means that ensure this condition. Attempts to use the English word «safety» in translation will not be very successful either, because it carries a connotation of an «inner sense of security», which, generally speaking, has no equivalent in Russian [2]. Failure to understand these nuances often leads to long (and useless!) disputes during discussions of specific issues in international venues.

3. Scope of the concepts’ application. With respect to the functions of ICANN (perhaps more accurately, of IANA), the abovementioned definitions restrict the notions of security (stability and resiliency) to the DNS and to the distribution system of unique identifiers, numbers and settings. At the same time, the critical infrastructure of the global Internet also includes a) the backbone data network infrastructure (optical, satellite, etc.) and b) the service platforms that provide users with basic services. These also need corresponding definitions of «security» and «stability», but those issues are not addressed in this article.

4. Conditions for the concepts’ application. In addition to the abovementioned comments regarding the definition of these concepts, one must take into account the conditions under which these concepts keep their meaning. The Internet infrastructure retains its working capacity under the «normal» working conditions of the network. Meanwhile, a number of studies (see e.g. the materials of the Tallinn NATO Cooperative Cyber Defence Centre of Excellence [10], [11]) consider both «normal» and «extreme» conditions of its functioning, and this also requires appropriate rectification to clarify the meaning of these fundamental concepts.

5. Compliance with international and national regulations. There are a number of international (ISO), national (NIST, GOST, etc.) and departmental safety and reliability standards, which pertain not only to information systems [8], and which include formalized terminology associated with this subject. In addition to the headline terms «stability» and «resiliency», similar concepts such as «dependability», «reliability», «durability», «maintainability», etc. are used. A separate set of standards governs risk management (see GOST R 51897-2002 «Risk management. Terms and definitions»; ISO/IEC Guide 73:2002 «Risk management. Vocabulary. Guidelines for use in standards»). The terminology formalized in these standards also overlaps substantially with the concepts enshrined in the ICANN bylaws.

Taxonomy of security, stability and resiliency

All of the above applies only to individual elements of the global information system of the Internet. The concepts of «security», «stability» and «resilience» in unique identifier systems, service platforms and backbone network infrastructure are all included in the general concept of «information (cyber) security». The taxonomy of «information security», «cybersecurity», «security of information», «security of information and communication technologies», etc. is a topic of discussion on the agenda of many international conferences, both academic and political (see e.g. [9]). For various reasons (including, of course, political ones), consensus on this issue is a long way off. Here we mention the consensus definition of «cybersecurity» formulated in the course of a joint project of the Institute of Information Security Issues (IISI) of Moscow State University and the EastWest Institute (EWI) [2]:

Cybersecurity is a property of cyber space that is an ability to resist intentional and unintentional threats and respond and recover.

It is useful to note that the same IISI-EWI joint project [2] touches upon the correlation between derived «cyber» and «information» concepts.

The primary source for the interpretation of security concepts in the Russian Federation is the Law «On security» № 2446-I [4]:

Security — a condition of protectedness of the vital interests of individuals, society and the State from internal and external threats.

The definitions of all the other types of security (politico-military, economic, environmental, etc.), including the concept of information security, are based on this general definition and refine it for specific spheres of social relations. By way of illustration, we consider the definition of information security as it is formulated in a number of international documents signed by the Russian Federation (see, e.g., [5]):

Information security — the security of the individual, society, the state and their interests from threats, destructive and other negative impacts in the information space.

It is necessary to take note of two methodologically important aspects of the latter definitions:
• The scope of the concept of «security» is articulated only (a) in relation to the specific interests of users and (b) with regard to the specific threats to these interests.
• The concept of «security» is tied to the interests of the subjects, i.e. the users of an information system. Such linkage at the level of basic definitions leads to certain methodological problems when assessing the security of complex (let alone global) systems. The problem is that different users of the system can have mutually exclusive, conflicting interests (independently of the analyzed information system). Therefore, when the security of their interests is assessed with reference to the analyzed system, contradictions will arise that are not related to the functions/services provided by the system.

It is essential to break the threats down into two classes: (1) threats emanating from accidental circumstances, unintentional errors, system overload, natural disasters, hardware failures, accidents, etc., and (2) threats which are deliberately planned, developed and implemented by some users of the system against the other users.

It is the latter class of threat that determines the fundamental difference between the concepts of «security» and «reliability». When it comes to security, it is assumed that there is a subject that generates threats. When considering reliability, the presence of such a subject is either not expected or is considered only implicitly, i.e. the sources of threats are natural causes (such as overloading, failures, aging of materials, etc.), natural phenomena (hurricanes, floods, and so on) or unintentional errors (primarily design flaws or software coding errors). Moreover, as a rule, there is a tendency to depart from reviewing scenarios and to narrow the discussion down to the identification of (abstract, not linked to their source) vulnerabilities. This approach involves a certain degree of self-deception and/or a methodological error. To be specific, we give the definition of the concept of «vulnerability» [3]:

Vulnerability — a weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source.

Thus, that very subject, the source of the threat, is included in the definition [3]:

Threat source — the intent and method targeted at the intentional exploitation of a vulnerability or a situation and method that may accidentally exploit a vulnerability.

In our opinion, when assessing the security of a system with regard to deliberate threats, it is methodologically more accurate to use the procedure well known in theoretical computer science and mathematical cryptology (see, e.g., [6]):

1. Description of the System itself, i.e. a listing of the functions and services provided by the System. It is declared which qualities and properties of these functions/services the System must ensure and which security measures/mechanisms it implements.
2. Identification of the Participants: a) the system user who is the target of the attack (the Victim user); b) the system user who attacks (the Attacker).
3. Formulation of the Attack objectives (threats) that the Attacker seeks to achieve (exactly which interests of the Victim user he seeks to damage). In this interpretation the Attack objective is an impairment of any function or service quality of the System used by the Victim user.
4. Determination of the Resources available to the Attacker to accomplish the Attack objectives: which elements of the system he has access to and, given that, what he is able to do, etc.

It is important to emphasize that the only thing under study here is the quality of the security mechanisms and measures implemented by the System. Motives for the attack (political, economic, religious, etc.) are not considered. There is no emotional (political) assessment of the kind «the Victim user is good and the Attacker is bad»: generally speaking, in the analysis the Bad Guy can be considered a Victim user whose interests (e.g., anonymity) are being damaged by the Attackers, the Good Guys, such as law enforcement agencies.

The four abovementioned items are the initial data for assessing the degree/level of security of the System. The analysis considers all possible (hypothetically imaginable) methods by which the Attacker could carry out the given Attack. If it turns out that, by any imaginable method of carrying out the attack, achieving the Objectives would require resources (financial, time, organizational) that exceed reasonable parameters, the System is declared secure against the given Attack. To assess the security of the System as a whole, it is necessary to conduct such an analysis for all pairs (Victim user, Attacker) and all Attacks. Note that when assessing the security of the system as a whole, generally speaking, each user of the system must be regarded both as a potential Victim and as a potential Attacker!

Proposals for the rectification of security, stability and resiliency concepts in accordance with the ICANN mandate

The use of the abovementioned formal approach for assessing the security of the global Internet infrastructure would, in our view, largely put an end to the international debate and, given the good will (interest) of all political actors, steer these discussions toward meaningful activity.

Let us elaborate on what the consequences would be if we applied the given methodology to the assessment of the security of the global infrastructure for the distribution of unique identifiers, numbers and Internet settings, in accordance with the multi-level model of the Internet infrastructure.

1. The distribution system (the Global Infrastructure) of unique identifiers, numbers and Internet settings is primarily an information system. In fact there can be multiple information systems, since in the multi-level representation of the infrastructure this refers, at the application level, to the domain name system and, at the network and transport layers, to autonomous system numbers, IP addresses and port numbers. Like any information system, it, generally speaking, implements/provides the full feature set required for the processing, distribution, storage, retrieval and provision of information.

• In this case «information» is understood to be the data about unique identifiers, numbers and Internet settings, as well as all service (auxiliary) information necessary to perform the functions listed above. In the definition of «security» given in the ICANN bylaws, the term «misuse» should be applied to each of these functions.

• Elements of the system include ICANN (IANA), the structure of the 13 root servers and their mirrors, including the set of functions performed by VeriSign, the five Regional Internet Registries, National and Local Internet Registries (NIR, LIR), service providers, etc. The description of a system element includes:

◊ a role in processing of a particular type of information (domain names, autonomous system numbers, IP-addresses and port numbers);
◊ a description of technical means of realizing the functions of the system (hardware, firmware, software);
◊ a set of technical and organizational standards, regulations and procedures;
◊ a note of the jurisdiction under which the element of the system operates.

2. Users — everyone who is a stakeholder, just as the term is understood in the current discussions:
• subjects of international law: states, coalitions and alliances of states, non-state autonomies, etc.;
• business (national, transnational, etc.), including the businesses associated with the Internet infrastructure;
• actors of civil society: political parties, churches, religions and their sects (possibly with extremist objectives), institutionalized social movements, informal unions and associations of scientists and engineers, etc.;
• informal virtual groups of Internet users with common interests («Anonymous», online game players, forum participants, and so forth);
• formal and informal associations of developers and engineers who are shaping the Internet (ISOC, IETF, etc.);
• citizens and individuals (among them, inevitably, citizens with criminal intent).

3. Security threats to an information system in the «classic» understanding include threats against the «triad» of properties:
• Confidentiality;
• Integrity;
• Availability.

In our case, it may seem that the first of the threats, the threat to confidentiality, is not relevant, at least in regard to unique identifiers, numbers and Internet settings (because it is difficult to imagine a reason why anyone would need to «classify» an IP address or a host name). However, the service information used in these systems can contain commercial secrets or personal data. Therefore, in this case it is necessary to ensure all three properties: confidentiality, integrity and availability.

It must be taken into account, firstly, that these threats must be correlated with the levels of the Internet infrastructure model: while at the application level we are talking about the security of the domain and of all domain name servers (DNS), at the network and transport levels the foremost objective is to ensure routing in LANs and at the level of interaction between autonomous systems.

Secondly, in this context, it is necessary to consider another aspect. Most elements of the infrastructure in question are commercial organizations, and their main objective is to make a profit. Therefore, one must keep in mind the threats to availability and integrity posed by the «withdrawal» from the system (termination or limitation of activity) of its individual parts due to a variety of external (bankruptcy, court decisions, sanctions, revolutions, etc.) and internal (low profitability, change of the scope of activity, political or moral motivation, etc.) factors.

4. The Resources available to the Attacker (who can be any of the stakeholders!) to fulfill the objectives (i.e. to compromise the integrity and/or availability of the unique identifiers, numbers and parameters assigned to or used by the Victim) are to a great degree determined by who the Attacker is. In particular, the central/key elements of the system (providers, registrars, controllers, etc.) have the greatest capacity, and attacks by them will have the most severe consequences.

And therein, apparently, lies the most «controversial» and «delicate» point. For example, it is now obvious that it will be impossible to ignore or silence the stakeholders’ distrust of the hardware and software that implement the key functions of the system. The same applies to the cryptographic frameworks implemented by VeriSign.

Generally speaking, each stakeholder forms its own security threat model according to its priorities. Nation-states and business structures, as a rule, do so explicitly, in the form of a regulatory document (public or classified); common users «are aware of» what may be dangerous for them, while many of them do not even think the subject over and simply «follow the lead». It is obvious that the threat models of different stakeholders will largely contradict each other. Apparently, the most pragmatic approach to resolving these contradictions and misunderstandings is to use the methodology described above and to develop, through negotiation, the missing «checks and balances» for the interests of the users. For example, distrust of certain technical elements of the system could be «balanced» by the adoption of a legal instrument obliging the responsible parties to guarantee the security of these elements, etc.

*** To illustrate this, we provide several NIST definitions [3]:
Security — A condition that results from the establishment and maintenance of protective measures that enable an enterprise to perform its mission or critical functions despite risks posed by threats to its use of information systems. Protective measures may involve a combination of deterrence, avoidance, prevention, detection, recovery, and correction that should form part of the enterprise’s risk management approach.

Resilience — The ability to quickly adapt and recover from any known or unknown changes to the environment through holistic implementation of risk management, contingency, and continuity planning.

The ability to continue to: (i) operate under adverse conditions or stress, even if in a degraded or debilitated state, while maintaining essential operational capabilities; and (ii) recover to an effective operational posture in a time frame consistent with mission needs.

Bibliography

[1] ICANN’s FY 14 Security, Stability and Resiliency Framework; https://www.icann.org/public-comments/ssr-fy14-2013-03-06-en
[2] Critical Terminology Foundations 2. Russia-U.S. Bilateral on Cybersecurity policy report 2/2014; James B.Godwin III, Andrey Kulpin, Karl Frederick Rauscher and Valery Yaschenko (Chief Editors); https://dl.dropboxusercontent.com/u/164629289/terminology2.pdf
[3] NISTIR 7298 Revision 2, Glossary of Key Information Security Terms; Richard Kissel, Editor; Computer Security Division, Information Technology Laboratory; May 2013; http://dx.doi.org/10.6028/NIST.IR.7298r2
[4] Law of the Russian Federation «On security» № 2446-I (as amended on 25 December 1992, 24 December 1993, 25 July 2002, 7 March 2005, 25 July 2006, 2 March 2007); http://www.scrf.gov.ru/documents/20.html
[5] Agreement between the Governments of the Member States of the Shanghai Cooperation Organisation on Cooperation in the Field of Ensuring International Information Security; 16 June 2009.
[6] http://www.cryptography.ru
[7] Internet Governance and the Domain Name System: Issues for Congress; Lennard G. Kruger, Specialist in Science and Technology Policy; November 26, 2014; Congressional Research Service, 7-5700, www.crs.gov, R42351
[8] Strukov A.V.; Analysis of international and Russian standards in the field of reliability, risk and safety; http://szma.com/standarts_analysis.pdf
[9] Fifth International Forum «Partnership of State, Business and Civil Society in Ensuring Information Security and Countering Terrorism», 25–28 April 2011, Garmisch-Partenkirchen, Germany
[10] The Tallinn Manual on the International Law Applicable to Cyber Warfare, http://www.cambridge.org/ca/academic/subjects/law/humanitarianlaw/tallinn-manual-international-law-applicable-cyber-warfare
[11] NATO Cooperative Cyber Defence Centre of Excellence free e-book «Peacetime Regime for State Activities in Cyberspace», including a chapter on Space Law and Unauthorized Cyber Activities; https://ccdcoe.org/multimedia/peacetime-regime-state-activities-cyberspace.html

A.A.Salnikov, P.L.Pilyugin
Moscow State University
Institute of Information Security Issues

This speech was delivered at the 11th Scientific Conference of the International Research Consortium on Information Security, as part of the International Forum on «Partnership of state authorities, civil society and business community in ensuring international information security», held on 20–23 April 2015 in Garmisch-Partenkirchen, Germany. It is published on Digital.Report with the explicit permission of the conference organizers.

About the author

Pavel Pilyugin

Institute of Information Security Issues, Lomonosov Moscow State University.
