[Bp_cybersec_2016] Proposal for the cybersecurity BPF goal and topic
Neil Schwartzman
neil at cauce.org
Tue Jun 21 08:52:22 EDT 2016
Hi,
I’m sorry, but I disagree, strongly, with much, if any at all, user focus in our work.
At this point in time, all the attacks I see are of a technical nature; the capacity for an end-user to protect themselves is almost negligible these days.
Spam, phish and malware distribution is based on vulnerabilities in software such as WordPress, or other commercial site compromises. The vast majority of unwanted communication no longer comes from hacked home computers but from dedicated servers (compromised as well) at hosting companies, or by way of hijacked IP space. There is nothing an end user can do to mitigate that.
Passwords? They don’t matter when firms who hold them continually get hacked, their user databases stolen and exploited (admittedly the one bit of advice I give to end users is to use discrete passwords for every site they engage with).
The big win is when we get organizations and enterprises, governments and commercial entities to step up to industry standards, such as BCP38 to avoid DNS amplification attacks, or force compromised entities to report breaches.
As someone whose organization, CAUCE, is the oldest end-user advocacy group on the Internet, I believe I’m in a unique position to say end-user education, which we did for decades, is a feel-good for government, but ultimately almost entirely useless (yes, we’ve turned 180 degrees in our position on this).
The real win to protect end-users is to regulate*, fully implement existing best practices, and create law to force those caretakers of our data to protect our privacy and treat PII in a respectful manner, and punish those who abuse it.
There will doubtlessly be examples of ‘yes but, if an end-user does this it will fix things’ and they may be right. But again, if we want massive wins, using what M3AAWG/London Action Plan/CAUCE has outlined repeatedly in our omnibus best practice documents, the current state of affairs would not be so dismal.
* Industry self-regulation has been an utter failure (look at marketers self-regulating in Brazil and the U.S., and many other places, for examples of that).
respectfully,
Neil Schwartzman
Executive Director
Coalition Against Unsolicited Commercial Email
http://cauce.org
Tel : (303) 800-6345
Twitter : @cauce
> On Jun 21, 2016, at 5:29 AM, Marilyn Cade <marilynscade at hotmail.com> wrote:
>
> I am both supportive, and perhaps, wanting a bit more.
>
> It is important to deal with the problems. It is also important to prevent problems.
> Thus, I think that this group should consider a two-pronged approach:
>
> Remediation and Prevention/early intervention:
>
> Users are the most vulnerable, and the most under-informed, and thus sometimes add to, create, or are the source of vulnerabilities. Malicious attacks are receiving focused intervention. BUT users, whether they are SMEs or individual users, could benefit from more attention.
>
> This could be a sub theme in the Cooperation between stakeholders, where both governmental agencies, or commercial suppliers highlight the kind of user support/education/interventions that they provide, that might be leveraged across SG or considered by developing countries for relevance.
>
> Example: program to teach children about the importance of strong passwords, and how they can coach their parents
> Example: program by the mobile providers and handset providers on simply 'keeping your data safe online'
> Example: community outreach programs supported by governmental agencies at the sub-national level to reach SMEs and NGOs
>
> From: ilishebo at gmail.com
> Date: Tue, 21 Jun 2016 08:31:16 +0200
> To: maarten at first.org
> Subject: Re: [Bp_cybersec_2016] Proposal for the cybersecurity BPF goal and topic
> CC: bp_cybersec_2016 at intgovforum.org
>
> Maarten,
>
> Well elaborated and I hope we go for this suggested route...
>
>
> Michael L. Ilishebo,
> Kitwe, Zambia
>
> Mobile Contacts:
> +260965361255
> +260977361255
> +260955361255
>
> Social Media Handles
> Twitter: @ilishebo
> Skype: michael.ilishebo
>
> "walk a mile, for a while, with a smile"
>
> On Tue, Jun 21, 2016 at 3:04 AM, Maarten Van Horenbeeck <maarten at first.org> wrote:
> Hi everyone,
>
> Earlier this week, at the FIRST conference in Seoul, some of us had a discussion around opportunities for focus in this BPF. We wanted to propose a way forward of getting this BPF to contribute most to the wider multi-stakeholder community.
>
> Reviewing the outcomes of the spam and CSIRT Best Practices Forums over the last two years, we believe the cybersecurity BPF would most benefit from addressing cooperation between stakeholder groups as a topic.
>
> One of the lessons we learned during our work on the BPF on “Computer Security Incident Response Teams” was that it attracted a fairly narrow audience, mostly engineers working on technical issues. While CSIRT teams in most cases find agreement within their community, there were significant communication issues when engaging with other stakeholder groups, in particular policy makers, civil society, but also law enforcement and even industry.
>
> During the BPF, we managed to gain consensus on what makes the community more effective at communicating.
>
> We believe that the community would benefit from having a multi-stakeholder discussion, including each of the major IGF stakeholder groups, on how to engage and communicate with each other on cyber security issues. This would support the Internet Governance Principles laid out at the NETmundial Statement, that recognize that "Effectiveness in addressing risks and threats to security and stability of the Internet depends on strong cooperation among different stakeholders".
>
> More concretely, this process would consist of:
> - Defining the typical roles and responsibilities of each of the stakeholder groups in making the internet a secure and safe place for people to socialize and conduct business;
> - Identifying the typical communication mechanisms between stakeholder groups to discuss cybersecurity-related concerns;
> - Collecting a set of successful case studies on existing communication between stakeholder groups that has helped improve cybersecurity.
>
> In order to be effective, we will need to recruit an appropriate number of representatives from each stakeholder group that have an interest in participating. During the CSIRT BPF, we had significant success reaching out 1:1 to stakeholders, and inviting them to participate in our meeting in Brazil. We’d propose a similar step to gain acceptance.
>
> Today, the word “cybersecurity” is often loaded with context, and many organizations associate it with government decision making, or commercial security solutions. Within the IGF, we have an opportunity to redefine cybersecurity as a common goal between all stakeholders, and to get to a good definition of what cooperation should look like.
>
> The final product paper could, just as the BPF on CSIRT did, help to inform each of the constituencies on the roles of other stakeholders, and identify appropriate methods of communicating and discussing difficult security issues.
>
> We're happy to discuss this proposal further during the next call.
>
> Best regards,
>
> Andrew Cormack, Jisc
> Adli Wahid, FIRST
> Cristine Hoepers, CERT.br/NIC.br
> Peter Cassidy, Anti-Phishing Working Group (APWG)
> Maarten Van Horenbeeck, FIRST
> Serge Droz, FIRST
>
> _______________________________________________
> Bp_cybersec_2016 mailing list
> Bp_cybersec_2016 at intgovforum.org
> http://intgovforum.org/mailman/listinfo/bp_cybersec_2016_intgovforum.org